kinsing | 148de4af81e904f345fef275e9dbbf9b00dc3cfeb15b874ce4b6b97c15d69f0c

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

750631a2c1e39cdf666553eef759c08a.exe
Size

877KB
MD5

750631a2c1e39cdf666553eef759c08a
SHA1

4a29c15705beb87998f63d853766733110527be9
SHA256

148de4af81e904f345fef275e9dbbf9b00dc3cfeb15b874ce4b6b97c15d69f0c
SHA512

bc3f449ac3719721f03acf2c124a5d92ac04d6584da0bdffd531848c65a3fc6a8adf340c7c2dcc387e81e732e2e0bb5868cc56de16a0ecec684b1294f5341610
SSDEEP

24576:p6MLKmtvPyHu7C8v4zEzy9pNg4W7HM8tcN+2QHCQDA:kiKmHyOWoSEnp7s8UQq

Score

10^/10

kinsing evasion loader trojan

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Loads dropped DLL 6 IoCs

Processes:

750631a2c1e39cdf666553eef759c08a.exe

pid	process
1716	750631a2c1e39cdf666553eef759c08a.exe
1716	750631a2c1e39cdf666553eef759c08a.exe
1716	750631a2c1e39cdf666553eef759c08a.exe
1716	750631a2c1e39cdf666553eef759c08a.exe
1716	750631a2c1e39cdf666553eef759c08a.exe
1716	750631a2c1e39cdf666553eef759c08a.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

750631a2c1e39cdf666553eef759c08a.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	750631a2c1e39cdf666553eef759c08a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

750631a2c1e39cdf666553eef759c08a.exe750631a2c1e39cdf666553eef759c08a.exe

description	pid	process	target process
PID 1356 wrote to memory of 1388	1356	750631a2c1e39cdf666553eef759c08a.exe	750631a2c1e39cdf666553eef759c08a.exe
PID 1356 wrote to memory of 1388	1356	750631a2c1e39cdf666553eef759c08a.exe	750631a2c1e39cdf666553eef759c08a.exe
PID 1356 wrote to memory of 1388	1356	750631a2c1e39cdf666553eef759c08a.exe	750631a2c1e39cdf666553eef759c08a.exe
PID 1388 wrote to memory of 1716	1388	750631a2c1e39cdf666553eef759c08a.exe	750631a2c1e39cdf666553eef759c08a.exe
PID 1388 wrote to memory of 1716	1388	750631a2c1e39cdf666553eef759c08a.exe	750631a2c1e39cdf666553eef759c08a.exe
PID 1388 wrote to memory of 1716	1388	750631a2c1e39cdf666553eef759c08a.exe	750631a2c1e39cdf666553eef759c08a.exe

C:\Users\Admin\AppData\Local\Temp\750631a2c1e39cdf666553eef759c08a.exe
"C:\Users\Admin\AppData\Local\Temp\750631a2c1e39cdf666553eef759c08a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\750631a2c1e39cdf666553eef759c08a.exe
"C:\Users\Admin\AppData\Local\Temp\750631a2c1e39cdf666553eef759c08a.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\750631a2c1e39cdf666553eef759c08a.exe
"C:\Users\Admin\AppData\Local\Temp\750631a2c1e39cdf666553eef759c08a.exe"
3⤵
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LAkDIWpFXWWdSQz3RJT\extramod.dll
Filesize
73KB

MD5
88cc9c732267ae6bcbe5de78c84e01dd

SHA1
e041cbe8dd0fe4084a4bbe7a51224fc7bca23d6d

SHA256
0566d3e28debe77b682d41208c42728ecdb3fd4bb1929750d103b27873358b7e

SHA512
bc739cfb3378438ac2bc3bb9ad2e4a7b2323b85cd2defd1d20656f60eb6c3d028ba11ac4db535e2c87fd1dc5086411ecc029e7a309f8f60c6458bdaeecef6b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAkDIWpFXWWdSQz3RJT\loading_screen.dll
Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAkDIWpFXWWdSQz3RJT\lua51.dll
Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAkDIWpFXWWdSQz3RJT\shared_library.dll
Filesize
200KB

MD5
bf01f7bd7cdaf44a6ba55a376a381dc7

SHA1
52cb33b8c39f545de889bc661d45b0e0505a560c

SHA256
9f965cce8e6f2173271d3693d82602230fba918a36dfc52e9830d110074a5203

SHA512
40c6786a138add4146e89f3224dfae84bd1033b40fb91de80584dbd31587c6a6ae8e645ff6b206f086cde4251f45a123ef7d180e763cd99bbb80471f033935b7

Download Submit
memory/1716-14-0x0000000002160000-0x0000000002196000-memory.dmp

Filesize
216KB

Download
memory/1716-22-0x000000007FE30000-0x000000007FE40000-memory.dmp

Filesize
64KB

Download
memory/1716-21-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/1716-20-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/1716-19-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/1716-7-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/1716-18-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/1716-17-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/1716-28-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download