kinsing | ccd7712a0436b5042105fc807db0bcff36c90669eeffb34e7ecbcf75d2c09040

General

Target

2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Size

3.9MB
MD5

b3836a6b047f80f0a4062422425edf7b
SHA1

7d89d175451ef2cfcc1be7b704a149ae1ffb5c88
SHA256

ccd7712a0436b5042105fc807db0bcff36c90669eeffb34e7ecbcf75d2c09040
SHA512

30b808edb9f5abdc11dd332b655d760c46e763f5aefa75ef93337ea2984729466f9f4b326fea14776058a06008d46bb593ba00e3e2dc9ee8f50bdb91a47452f7
SSDEEP

98304:LVE++ZbKylF2ykxlvUDyA/cPyl3jJpj0FLOAkGkzdnEVomFHKnP:JrMsEDyUjJpj0FLOyomFHKnP

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Modifies registry class 50 IoCs

Processes:

2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7BFBA80-11EB-43FA-813A-36EE82107916}\1.0	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2EF09C6-C553-4E37-94C7-0A11635E280A}\TypeLib\ = "{D7BFBA80-11EB-43FA-813A-36EE82107916}"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36010E09-1E8E-4D53-97A6-F4B53D25320D}\TypeLib\ = "{D7BFBA80-11EB-43FA-813A-36EE82107916}"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C07C004-8533-4266-807D-6FDC86276ACC}\InprocHandler32\ = "ole32.dll"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7BFBA80-11EB-43FA-813A-36EE82107916}\1.0\ = "myPrj"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2EF09C6-C553-4E37-94C7-0A11635E280A}\TypeLib\Version = "1.0"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2EF09C6-C553-4E37-94C7-0A11635E280A}\TypeLib\Version = "1.0"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36010E09-1E8E-4D53-97A6-F4B53D25320D}	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2EF09C6-C553-4E37-94C7-0A11635E280A}\ProxyStubClsid32	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36010E09-1E8E-4D53-97A6-F4B53D25320D}	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36010E09-1E8E-4D53-97A6-F4B53D25320D}\ = "IMFCListCtrlEx"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C07C004-8533-4266-807D-6FDC86276ACC}\LocalServer32	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7BFBA80-11EB-43FA-813A-36EE82107916}	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36010E09-1E8E-4D53-97A6-F4B53D25320D}\TypeLib	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2EF09C6-C553-4E37-94C7-0A11635E280A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36010E09-1E8E-4D53-97A6-F4B53D25320D}\TypeLib\Version = "1.0"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\myPrj.Application\CLSID\ = "{3C07C004-8533-4266-807D-6FDC86276ACC}"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7BFBA80-11EB-43FA-813A-36EE82107916}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2EF09C6-C553-4E37-94C7-0A11635E280A}	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7BFBA80-11EB-43FA-813A-36EE82107916}\1.0\0	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36010E09-1E8E-4D53-97A6-F4B53D25320D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C07C004-8533-4266-807D-6FDC86276ACC}\ProgID	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36010E09-1E8E-4D53-97A6-F4B53D25320D}\ProxyStubClsid32	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C07C004-8533-4266-807D-6FDC86276ACC}\InprocHandler32	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\myPrj.Application\ = "myPrj.Application"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C07C004-8533-4266-807D-6FDC86276ACC}	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2EF09C6-C553-4E37-94C7-0A11635E280A}\TypeLib	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2EF09C6-C553-4E37-94C7-0A11635E280A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2EF09C6-C553-4E37-94C7-0A11635E280A}\ = "ImyPrj"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2EF09C6-C553-4E37-94C7-0A11635E280A}\ProxyStubClsid32	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2EF09C6-C553-4E37-94C7-0A11635E280A}\TypeLib\ = "{D7BFBA80-11EB-43FA-813A-36EE82107916}"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C07C004-8533-4266-807D-6FDC86276ACC}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe\""	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2EF09C6-C553-4E37-94C7-0A11635E280A}	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2EF09C6-C553-4E37-94C7-0A11635E280A}\TypeLib	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7BFBA80-11EB-43FA-813A-36EE82107916}\1.0\FLAGS	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7BFBA80-11EB-43FA-813A-36EE82107916}\1.0\HELPDIR	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\myPrj.Application	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36010E09-1E8E-4D53-97A6-F4B53D25320D}\TypeLib	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36010E09-1E8E-4D53-97A6-F4B53D25320D}\TypeLib\ = "{D7BFBA80-11EB-43FA-813A-36EE82107916}"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36010E09-1E8E-4D53-97A6-F4B53D25320D}\ProxyStubClsid32	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7BFBA80-11EB-43FA-813A-36EE82107916}\1.0\0\win32	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7BFBA80-11EB-43FA-813A-36EE82107916}\1.0\HELPDIR\	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36010E09-1E8E-4D53-97A6-F4B53D25320D}\TypeLib\Version = "1.0"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7BFBA80-11EB-43FA-813A-36EE82107916}\1.0\FLAGS\ = "0"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36010E09-1E8E-4D53-97A6-F4B53D25320D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C07C004-8533-4266-807D-6FDC86276ACC}\ = "myPrj.Application"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\myPrj.Application\CLSID	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36010E09-1E8E-4D53-97A6-F4B53D25320D}\ = "IMFCListCtrlEx"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C07C004-8533-4266-807D-6FDC86276ACC}\ProgID\ = "myPrj.Application"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2EF09C6-C553-4E37-94C7-0A11635E280A}\ = "ImyPrj"	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe

pid process

2704 2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
2704 2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe

pid	process
2704	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
2704	2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_b3836a6b047f80f0a4062422425edf7b_icedid.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2704-0-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads