kinsing | 5a5d6d75d3a14fbbb2663f7fca47e8b3f6dd54bdec02c04c8953f11e85d3b2fd

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7508e9c66aaf82a4be63f4cc09abde9d.exe
Size

800KB
MD5

7508e9c66aaf82a4be63f4cc09abde9d
SHA1

9086b49fb69b88800a637df40919c25badae9d10
SHA256

5a5d6d75d3a14fbbb2663f7fca47e8b3f6dd54bdec02c04c8953f11e85d3b2fd
SHA512

f6e55c05e3f70b8dd42e2c7f29e221d08e3cf5c8c297cb808ef2d5f7d7f963663d63cae63d898aff544eeb7414117ad57c139c8fcd163c531e43c430e3e88ea4
SSDEEP

12288:qEZN94jvdr4De7Hsm280HD1EMk3hSGEznP1M/llk7yNewXz+5PnmTF/zSE:qSN94jFbMmxODoRBEr1MlS7/gz+5ux/H

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7508e9c66aaf82a4be63f4cc09abde9d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7508e9c66aaf82a4be63f4cc09abde9d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7508e9c66aaf82a4be63f4cc09abde9d.exe"	7508e9c66aaf82a4be63f4cc09abde9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7508e9c66aaf82a4be63f4cc09abde9d = "C:\\Windows\\system32\\svchost.scr"	7508e9c66aaf82a4be63f4cc09abde9d.exe

Drops file in System32 directory 2 IoCs

Processes:

7508e9c66aaf82a4be63f4cc09abde9d.exe

description	ioc	process
File created	C:\Windows\SysWOW64\svchost.scr	7508e9c66aaf82a4be63f4cc09abde9d.exe
File opened for modification	C:\Windows\SysWOW64\svchost.scr	7508e9c66aaf82a4be63f4cc09abde9d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7508e9c66aaf82a4be63f4cc09abde9d.exe

pid process

2152 7508e9c66aaf82a4be63f4cc09abde9d.exe

pid	process
2152	7508e9c66aaf82a4be63f4cc09abde9d.exe

C:\Users\Admin\AppData\Local\Temp\7508e9c66aaf82a4be63f4cc09abde9d.exe
"C:\Users\Admin\AppData\Local\Temp\7508e9c66aaf82a4be63f4cc09abde9d.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2152-0-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2152-1-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2152-2-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/2152-4-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2152-5-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2152-6-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download