kinsing | 4409a2d6457405682a5a0ada61573bb53117a5906a4021bc52ec89ec46a08ddb

Analysis

max time kernel
129s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7503f33c454ff72f582b1d730cd89471.exe
Size

241KB
MD5

7503f33c454ff72f582b1d730cd89471
SHA1

8d4a46c0be9ee73f8b6b32459d8998db490a8461
SHA256

4409a2d6457405682a5a0ada61573bb53117a5906a4021bc52ec89ec46a08ddb
SHA512

cf99c784346caaa71579e735ffd98ae4c7536402ff36eee0ebcb8f0b826106aa3f91871e174c6dc239adc8d1cd30a150856c840933e7715240c782653e757496
SSDEEP

6144:Sd+0o58vYv0YMb5627rvzg97XdjBZzL2V:Sd+b6UC6yXgJXN6V

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Deletes itself 1 IoCs

Processes:

7503f33c454ff72f582b1d730cd89471.exe

pid process

2060 7503f33c454ff72f582b1d730cd89471.exe
Executes dropped EXE 1 IoCs

Processes:

7503f33c454ff72f582b1d730cd89471.exe

pid process

2060 7503f33c454ff72f582b1d730cd89471.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

11 pastebin.com
17 pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

7503f33c454ff72f582b1d730cd89471.exe

pid process

2060 7503f33c454ff72f582b1d730cd89471.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1256 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7503f33c454ff72f582b1d730cd89471.exe

pid process

2060 7503f33c454ff72f582b1d730cd89471.exe
2060 7503f33c454ff72f582b1d730cd89471.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

7503f33c454ff72f582b1d730cd89471.exe

pid process

672 7503f33c454ff72f582b1d730cd89471.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

7503f33c454ff72f582b1d730cd89471.exe7503f33c454ff72f582b1d730cd89471.exe

pid process

672 7503f33c454ff72f582b1d730cd89471.exe
2060 7503f33c454ff72f582b1d730cd89471.exe

pid	process
2060	7503f33c454ff72f582b1d730cd89471.exe

pid	process
2060	7503f33c454ff72f582b1d730cd89471.exe

flow	ioc
11	pastebin.com
17	pastebin.com

pid	process
2060	7503f33c454ff72f582b1d730cd89471.exe

pid	process
1256	schtasks.exe

pid	process
2060	7503f33c454ff72f582b1d730cd89471.exe
2060	7503f33c454ff72f582b1d730cd89471.exe

pid	process
672	7503f33c454ff72f582b1d730cd89471.exe

pid	process
672	7503f33c454ff72f582b1d730cd89471.exe
2060	7503f33c454ff72f582b1d730cd89471.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7503f33c454ff72f582b1d730cd89471.exe7503f33c454ff72f582b1d730cd89471.exe

description	pid	process	target process
PID 672 wrote to memory of 2060	672	7503f33c454ff72f582b1d730cd89471.exe	7503f33c454ff72f582b1d730cd89471.exe
PID 672 wrote to memory of 2060	672	7503f33c454ff72f582b1d730cd89471.exe	7503f33c454ff72f582b1d730cd89471.exe
PID 672 wrote to memory of 2060	672	7503f33c454ff72f582b1d730cd89471.exe	7503f33c454ff72f582b1d730cd89471.exe
PID 2060 wrote to memory of 1256	2060	7503f33c454ff72f582b1d730cd89471.exe	schtasks.exe
PID 2060 wrote to memory of 1256	2060	7503f33c454ff72f582b1d730cd89471.exe	schtasks.exe
PID 2060 wrote to memory of 1256	2060	7503f33c454ff72f582b1d730cd89471.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7503f33c454ff72f582b1d730cd89471.exe
"C:\Users\Admin\AppData\Local\Temp\7503f33c454ff72f582b1d730cd89471.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:672

C:\Users\Admin\AppData\Local\Temp\7503f33c454ff72f582b1d730cd89471.exe
C:\Users\Admin\AppData\Local\Temp\7503f33c454ff72f582b1d730cd89471.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\7503f33c454ff72f582b1d730cd89471.exe" /TN Google_Trk_Updater /F
3⤵
- Creates scheduled task(s)
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7503f33c454ff72f582b1d730cd89471.exe
Filesize
70KB

MD5
b495116e33e1b3de798041bd92355ba1

SHA1
3fa507c72a7ccc613a72717e33fd8cf2c2d4dad4

SHA256
f6712edc78ad2f6c7d40aa48d36deed1b728e9b9080ced360a66dd05bad95cd5

SHA512
8bb390d74a5395f6b1d24d63b622e69e3b5e5fe839e7aa4acac8db8be05833d6b2dcba553bb2caa2959967adbc1afb07e6f36f7a56f9b5b993c450a801d36d65

Download Submit
memory/672-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/672-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/672-1-0x00000000016F0000-0x00000000017A7000-memory.dmp

Filesize
732KB

Download
memory/672-11-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2060-13-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2060-15-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2060-14-0x0000000001630000-0x00000000016E7000-memory.dmp

Filesize
732KB

Download
memory/2060-22-0x0000000004F30000-0x0000000004F96000-memory.dmp

Filesize
408KB

Download
memory/2060-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download