kinsing | 7b248e7cb7eda9cb1639260a4d8a83e32c9f398c80d64d71922ccaf730a3dddd

General

Target

MAXQDA24_Setup (1).msi
Size

375.0MB
MD5

11d8956afe36cefadfdeace4cc17326a
SHA1

5b0505b3d371710867bad82e12f6add9169303a6
SHA256

7b248e7cb7eda9cb1639260a4d8a83e32c9f398c80d64d71922ccaf730a3dddd
SHA512

f72293a22f831154f1591f779a2de6432af45d9368c70fb92b7758c4431e0e3d7e30a039f87d1fe1ce05710993b40aa07facc57cf8a9f7d516b05182de743f39
SSDEEP

6291456:OSC5MXpntxbeRwAQiRME+iEYl/P3co+HC2dfezUKirtsYSrJeZfvf+k3O/u89kvU:pC5M5nLb9AOrUVco+zdHKcts/rcfvfbg

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Loads dropped DLL 4 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid process

4720 MsiExec.exe
3656 MsiExec.exe
3656 MsiExec.exe
3656 MsiExec.exe
Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

5 5100 msiexec.exe
8 5100 msiexec.exe
10 5100 msiexec.exe

pid	process
4720	MsiExec.exe
3656	MsiExec.exe
3656	MsiExec.exe
3656	MsiExec.exe

flow	pid	process
5	5100	msiexec.exe
8	5100	msiexec.exe
10	5100	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MsiExec.exe

pid process

3656 MsiExec.exe
3656 MsiExec.exe

pid	process
3656	MsiExec.exe
3656	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	5100	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5100	msiexec.exe
Token: SeSecurityPrivilege	1080	msiexec.exe
Token: SeCreateTokenPrivilege	5100	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5100	msiexec.exe
Token: SeLockMemoryPrivilege	5100	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5100	msiexec.exe
Token: SeMachineAccountPrivilege	5100	msiexec.exe
Token: SeTcbPrivilege	5100	msiexec.exe
Token: SeSecurityPrivilege	5100	msiexec.exe
Token: SeTakeOwnershipPrivilege	5100	msiexec.exe
Token: SeLoadDriverPrivilege	5100	msiexec.exe
Token: SeSystemProfilePrivilege	5100	msiexec.exe
Token: SeSystemtimePrivilege	5100	msiexec.exe
Token: SeProfSingleProcessPrivilege	5100	msiexec.exe
Token: SeIncBasePriorityPrivilege	5100	msiexec.exe
Token: SeCreatePagefilePrivilege	5100	msiexec.exe
Token: SeCreatePermanentPrivilege	5100	msiexec.exe
Token: SeBackupPrivilege	5100	msiexec.exe
Token: SeRestorePrivilege	5100	msiexec.exe
Token: SeShutdownPrivilege	5100	msiexec.exe
Token: SeDebugPrivilege	5100	msiexec.exe
Token: SeAuditPrivilege	5100	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5100	msiexec.exe
Token: SeChangeNotifyPrivilege	5100	msiexec.exe
Token: SeRemoteShutdownPrivilege	5100	msiexec.exe
Token: SeUndockPrivilege	5100	msiexec.exe
Token: SeSyncAgentPrivilege	5100	msiexec.exe
Token: SeEnableDelegationPrivilege	5100	msiexec.exe
Token: SeManageVolumePrivilege	5100	msiexec.exe
Token: SeImpersonatePrivilege	5100	msiexec.exe
Token: SeCreateGlobalPrivilege	5100	msiexec.exe
Token: SeCreateTokenPrivilege	5100	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5100	msiexec.exe
Token: SeLockMemoryPrivilege	5100	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5100	msiexec.exe
Token: SeMachineAccountPrivilege	5100	msiexec.exe
Token: SeTcbPrivilege	5100	msiexec.exe
Token: SeSecurityPrivilege	5100	msiexec.exe
Token: SeTakeOwnershipPrivilege	5100	msiexec.exe
Token: SeLoadDriverPrivilege	5100	msiexec.exe
Token: SeSystemProfilePrivilege	5100	msiexec.exe
Token: SeSystemtimePrivilege	5100	msiexec.exe
Token: SeProfSingleProcessPrivilege	5100	msiexec.exe
Token: SeIncBasePriorityPrivilege	5100	msiexec.exe
Token: SeCreatePagefilePrivilege	5100	msiexec.exe
Token: SeCreatePermanentPrivilege	5100	msiexec.exe
Token: SeBackupPrivilege	5100	msiexec.exe
Token: SeRestorePrivilege	5100	msiexec.exe
Token: SeShutdownPrivilege	5100	msiexec.exe
Token: SeDebugPrivilege	5100	msiexec.exe
Token: SeAuditPrivilege	5100	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5100	msiexec.exe
Token: SeChangeNotifyPrivilege	5100	msiexec.exe
Token: SeRemoteShutdownPrivilege	5100	msiexec.exe
Token: SeUndockPrivilege	5100	msiexec.exe
Token: SeSyncAgentPrivilege	5100	msiexec.exe
Token: SeEnableDelegationPrivilege	5100	msiexec.exe
Token: SeManageVolumePrivilege	5100	msiexec.exe
Token: SeImpersonatePrivilege	5100	msiexec.exe
Token: SeCreateGlobalPrivilege	5100	msiexec.exe
Token: SeCreateTokenPrivilege	5100	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5100	msiexec.exe
Token: SeLockMemoryPrivilege	5100	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

5100 msiexec.exe

pid	process
5100	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1080 wrote to memory of 4720	1080	msiexec.exe	MsiExec.exe
PID 1080 wrote to memory of 4720	1080	msiexec.exe	MsiExec.exe
PID 1080 wrote to memory of 4720	1080	msiexec.exe	MsiExec.exe
PID 1080 wrote to memory of 3656	1080	msiexec.exe	MsiExec.exe
PID 1080 wrote to memory of 3656	1080	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\MAXQDA24_Setup (1).msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5100

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F594AEB3FA80322BBDFD9824752E8358 C
2⤵
- Loads dropped DLL
PID:4720

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 394A6353CB74714B79224B86B1FE717F C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIC1F8.tmp
Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC4A9.tmp
Filesize
587KB

MD5
ce7ac188487e8f34523fbf41918af595

SHA1
33bc6b7e9593b651d7d840f78882ae214006f221

SHA256
acb08ddabc50e28f0bdf9624bd69c5fdfe2586e60748758b51b217adcb3587b9

SHA512
4aa2b9e0ffc75418b1783ba21cd89dc15296dc468b437265640386f4925121b34755ff79b0e36e96b3ec000d9eaa2aa0a8cf8f1a2b211da80facb240f7d9e0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC585.tmp
Filesize
501KB

MD5
b08325894a5ae21a826a8769d3297c79

SHA1
39c89db97e374f131ca1f2bb7515a138f89b350e

SHA256
68c618afd0e8b238021b390832dde53c02012d5b4991f7b89bde4c5cafcc267c

SHA512
e71967674f01604ff540760352b79d313746a69b96ff75ea71e11e17a39eb0f4a653c11328f7f93d1a65dec798a08ae013d5700aea5eb567928c90c2cce929f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC585.tmp
Filesize
574KB

MD5
f0e762666e76825a4a1ce473e5c9f8a0

SHA1
0de9b377ef529e7fff42ea5e94887753de8b5a50

SHA256
b83a357831ac3bde231263a1bdf265808e886a063a1dea61447e3d9163f04794

SHA512
41ce43da073bad7c81b8427b4048d89ee51bdcdb4c2f8f6581022f55c188965e7ae1dd7d174e95e66788ebcf291917aaa8db1a17d189cba54620d7ed03121848

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads