kinsing | 99fcb2fe45a70252461012cb317824941477998e9dea1e5092ebf98755539f38

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:58

Target

7507f1b235ab4726a333ce4b9e1fd9b8.exe
Size

2.9MB
MD5

7507f1b235ab4726a333ce4b9e1fd9b8
SHA1

af99af4c6557a3d4ca5f635bddbc746b98b4894f
SHA256

99fcb2fe45a70252461012cb317824941477998e9dea1e5092ebf98755539f38
SHA512

515c75c61b6d4f6ac30bb928a95510e532e0408df8d5e14088cb37a1c966d92692da5f4484008789e8a00a176e30c1b244d1aa7f593aea8ef5dc54aa08466159
SSDEEP

49152:Y2a2sMazg8BzeVmlOtVpl60VsP4M338dB2IBlGuuDVUsdxxjeQZwxPYRKs:Y21azg8oVmUhl6Qsgg3gnl/IVUs1jePs

Score

10^/10

kinsing loader upx

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Deletes itself 1 IoCs

Processes:

7507f1b235ab4726a333ce4b9e1fd9b8.exe

pid process

4144 7507f1b235ab4726a333ce4b9e1fd9b8.exe
Executes dropped EXE 1 IoCs

Processes:

7507f1b235ab4726a333ce4b9e1fd9b8.exe

pid process

4144 7507f1b235ab4726a333ce4b9e1fd9b8.exe

pid	process
4144	7507f1b235ab4726a333ce4b9e1fd9b8.exe

pid	process
4144	7507f1b235ab4726a333ce4b9e1fd9b8.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/4584-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\7507f1b235ab4726a333ce4b9e1fd9b8.exe	upx
behavioral2/memory/4144-13-0x0000000000400000-0x00000000008EF000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

Processes:

7507f1b235ab4726a333ce4b9e1fd9b8.exe

pid process

4584 7507f1b235ab4726a333ce4b9e1fd9b8.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

7507f1b235ab4726a333ce4b9e1fd9b8.exe7507f1b235ab4726a333ce4b9e1fd9b8.exe

pid process

4584 7507f1b235ab4726a333ce4b9e1fd9b8.exe
4144 7507f1b235ab4726a333ce4b9e1fd9b8.exe

pid	process
4584	7507f1b235ab4726a333ce4b9e1fd9b8.exe

pid	process
4584	7507f1b235ab4726a333ce4b9e1fd9b8.exe
4144	7507f1b235ab4726a333ce4b9e1fd9b8.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7507f1b235ab4726a333ce4b9e1fd9b8.exe

description	pid	process	target process
PID 4584 wrote to memory of 4144	4584	7507f1b235ab4726a333ce4b9e1fd9b8.exe	7507f1b235ab4726a333ce4b9e1fd9b8.exe
PID 4584 wrote to memory of 4144	4584	7507f1b235ab4726a333ce4b9e1fd9b8.exe	7507f1b235ab4726a333ce4b9e1fd9b8.exe
PID 4584 wrote to memory of 4144	4584	7507f1b235ab4726a333ce4b9e1fd9b8.exe	7507f1b235ab4726a333ce4b9e1fd9b8.exe

C:\Users\Admin\AppData\Local\Temp\7507f1b235ab4726a333ce4b9e1fd9b8.exe
Filesize
2.9MB

MD5
bbe6d203adac6c4de829b6fa99983eed

SHA1
b2afe54c80eee291fd1a808462b5005139f9c4b3

SHA256
383f9e131789bdeaf2685967672a7ae43b3c9f55eb353fae872124000c565568

SHA512
8a334bd4711c0c74ab1c522421dd52b3186c14ca8c5ef47c2c954a02c5dbc33c9d6223b6dfdf20e45d8cc24f1d54d65ef1eb03103fbdf81d69242617b34615c6

Download Submit
memory/4144-13-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/4144-14-0x0000000001D40000-0x0000000001E73000-memory.dmp

Filesize
1.2MB

Download
memory/4144-15-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/4144-20-0x0000000005640000-0x000000000586A000-memory.dmp

Filesize
2.2MB

Download
memory/4144-21-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4144-28-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/4584-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/4584-1-0x0000000001DB0000-0x0000000001EE3000-memory.dmp

Filesize
1.2MB

Download
memory/4584-2-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/4584-12-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download