kinsing | 8ecba4b9ab5f639c8a3df5ad0856c6b83c96d2c937f2bd2af4fc71907852ccab

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:41

Target

751ef59be3c954bc0af792f2d426138e.exe
Size

358KB
MD5

751ef59be3c954bc0af792f2d426138e
SHA1

a6631f30664a22c9dd5dd08cad96e3149c16adb3
SHA256

8ecba4b9ab5f639c8a3df5ad0856c6b83c96d2c937f2bd2af4fc71907852ccab
SHA512

2b21d28063717038f1ff424b1009841740316e50ee2a5fd7558ae300e84eac056b4a8c8b3fbcdf52bbb28b8a67cd8a5e2024c07a8affb201cb3c811ce14b86ca
SSDEEP

6144:/uMO+BlSNSvJA6yGjspnJJkwxNmm0PYct5xjg40WSXN5JKk3Sm9p5lTRDGrP02Zk:4WLvJeGwnXkdtlqWmf4kiObTlGbrk

Score

10^/10

kinsing loader

Deletes itself 1 IoCs

pid	Process
2380	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3972	X

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1040 set thread context of 2380	1040	751ef59be3c954bc0af792f2d426138e.exe	95

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3972	X
3972	X

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	751ef59be3c954bc0af792f2d426138e.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3136	Explorer.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 3972	1040	751ef59be3c954bc0af792f2d426138e.exe	87
PID 1040 wrote to memory of 3972	1040	751ef59be3c954bc0af792f2d426138e.exe	87
PID 3972 wrote to memory of 3136	3972	X	31
PID 1040 wrote to memory of 2380	1040	751ef59be3c954bc0af792f2d426138e.exe	95
PID 1040 wrote to memory of 2380	1040	751ef59be3c954bc0af792f2d426138e.exe	95
PID 1040 wrote to memory of 2380	1040	751ef59be3c954bc0af792f2d426138e.exe	95
PID 1040 wrote to memory of 2380	1040	751ef59be3c954bc0af792f2d426138e.exe	95

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3136
- C:\Users\Admin\AppData\Local\Temp\751ef59be3c954bc0af792f2d426138e.exe
  "C:\Users\Admin\AppData\Local\Temp\751ef59be3c954bc0af792f2d426138e.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Users\Admin\AppData\Local\d2a0ad23\X
    176.53.17.23:80
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2380

C:\Users\Admin\AppData\Local\d2a0ad23\X

Filesize
41KB

MD5
f2e8308cff5808d84baa7bc3896c6602

SHA1
0a4ea175113bfe3904db040ce887ef79b6e0b9e9

SHA256
46de5cc298cacddbf41b01c6c4a734427d281796c3e8b9709f46f0eeae8fec3b

SHA512
2c6e8aecdb8270ed984367c2659e524b26e254ba9879363d5cfbf671a6f2fbdc68a5ec191f3461505fca76412e3cf8b160a0e53cf379881a83dd21eecbce831c

Download Submit
memory/1040-1-0x0000000000400000-0x00000000004639AC-memory.dmp

Filesize
398KB

Download
memory/1040-2-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1040-9-0x0000000000400000-0x00000000004639AC-memory.dmp

Filesize
398KB

Download
memory/1040-11-0x0000000000400000-0x00000000004639AC-memory.dmp

Filesize
398KB

Download
memory/3136-8-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download