kinsing | ae93608491c5720158eccab3f3bf83cd4c5b3f4e6df93b08a8a14d7d9b9621e2

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:01

Target

75095254b6b84c567db25f0885fdbea4.exe
Size

385KB
MD5

75095254b6b84c567db25f0885fdbea4
SHA1

d44383edba434a7cfe47787b252c92a9fcc509ce
SHA256

ae93608491c5720158eccab3f3bf83cd4c5b3f4e6df93b08a8a14d7d9b9621e2
SHA512

9b193af97be3bdac40aa58fb01ba079d09f0ad9a890d78692bf75c1cfe598bb07eec652cc18535cb9eda8b7b4eee39a62b04d8093aa211d15414ab576bf681d9
SSDEEP

12288:hQgQXE+kMZ7KXlOlU73ABD7OQ50MORnlrYgB:iPE+kMBulyU7Q2fnrB

Score

10^/10

kinsing loader

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Deletes itself 1 IoCs

Processes:

75095254b6b84c567db25f0885fdbea4.exe

pid process

3272 75095254b6b84c567db25f0885fdbea4.exe
Executes dropped EXE 1 IoCs

Processes:

75095254b6b84c567db25f0885fdbea4.exe

pid process

3272 75095254b6b84c567db25f0885fdbea4.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

8 pastebin.com
9 pastebin.com
Suspicious behavior: RenamesItself 1 IoCs

Processes:

75095254b6b84c567db25f0885fdbea4.exe

pid process

4416 75095254b6b84c567db25f0885fdbea4.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

75095254b6b84c567db25f0885fdbea4.exe75095254b6b84c567db25f0885fdbea4.exe

pid process

4416 75095254b6b84c567db25f0885fdbea4.exe
3272 75095254b6b84c567db25f0885fdbea4.exe

pid	process
3272	75095254b6b84c567db25f0885fdbea4.exe

pid	process
3272	75095254b6b84c567db25f0885fdbea4.exe

flow	ioc
8	pastebin.com
9	pastebin.com

pid	process
4416	75095254b6b84c567db25f0885fdbea4.exe

pid	process
4416	75095254b6b84c567db25f0885fdbea4.exe
3272	75095254b6b84c567db25f0885fdbea4.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

75095254b6b84c567db25f0885fdbea4.exe

description	pid	process	target process
PID 4416 wrote to memory of 3272	4416	75095254b6b84c567db25f0885fdbea4.exe	75095254b6b84c567db25f0885fdbea4.exe
PID 4416 wrote to memory of 3272	4416	75095254b6b84c567db25f0885fdbea4.exe	75095254b6b84c567db25f0885fdbea4.exe
PID 4416 wrote to memory of 3272	4416	75095254b6b84c567db25f0885fdbea4.exe	75095254b6b84c567db25f0885fdbea4.exe

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\75095254b6b84c567db25f0885fdbea4.exe
Filesize
385KB

MD5
21a9ced7e9c2607f2c5114b2332b1438

SHA1
ffa37d6732cf5bae4d32ca628148943f5b67fa06

SHA256
976a1534f2dfb4eddc82c1f38e0a56c19e6bfaf5d2ef33fc8fa919338d8278bf

SHA512
08dddaad851c31b6f3b0efd622aabbba36570d857939a3f37ca5c31e00d0943f3e9e0499b0163b4de33f53f42661e28e3058034179bb8f0547a69bddec31119e

Download Submit
memory/3272-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3272-14-0x00000000015F0000-0x0000000001656000-memory.dmp

Filesize
408KB

Download
memory/3272-20-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/3272-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3272-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3272-33-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/3272-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4416-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4416-1-0x00000000015A0000-0x0000000001606000-memory.dmp

Filesize
408KB

Download
memory/4416-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4416-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download