kinsing | ae93608491c5720158eccab3f3bf83cd4c5b3f4e6df93b08a8a14d7d9b9621e2

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75095254b6b84c567db25f0885fdbea4.exe
Size

385KB
MD5

75095254b6b84c567db25f0885fdbea4
SHA1

d44383edba434a7cfe47787b252c92a9fcc509ce
SHA256

ae93608491c5720158eccab3f3bf83cd4c5b3f4e6df93b08a8a14d7d9b9621e2
SHA512

9b193af97be3bdac40aa58fb01ba079d09f0ad9a890d78692bf75c1cfe598bb07eec652cc18535cb9eda8b7b4eee39a62b04d8093aa211d15414ab576bf681d9
SSDEEP

12288:hQgQXE+kMZ7KXlOlU73ABD7OQ50MORnlrYgB:iPE+kMBulyU7Q2fnrB

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Deletes itself 1 IoCs

pid	Process
3272	75095254b6b84c567db25f0885fdbea4.exe

Executes dropped EXE 1 IoCs

pid	Process
3272	75095254b6b84c567db25f0885fdbea4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	pastebin.com
9	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4416	75095254b6b84c567db25f0885fdbea4.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4416	75095254b6b84c567db25f0885fdbea4.exe
3272	75095254b6b84c567db25f0885fdbea4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 3272	4416	75095254b6b84c567db25f0885fdbea4.exe	85
PID 4416 wrote to memory of 3272	4416	75095254b6b84c567db25f0885fdbea4.exe	85
PID 4416 wrote to memory of 3272	4416	75095254b6b84c567db25f0885fdbea4.exe	85

C:\Users\Admin\AppData\Local\Temp\75095254b6b84c567db25f0885fdbea4.exe
"C:\Users\Admin\AppData\Local\Temp\75095254b6b84c567db25f0885fdbea4.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Users\Admin\AppData\Local\Temp\75095254b6b84c567db25f0885fdbea4.exe
  C:\Users\Admin\AppData\Local\Temp\75095254b6b84c567db25f0885fdbea4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\75095254b6b84c567db25f0885fdbea4.exe

Filesize
385KB

MD5
21a9ced7e9c2607f2c5114b2332b1438

SHA1
ffa37d6732cf5bae4d32ca628148943f5b67fa06

SHA256
976a1534f2dfb4eddc82c1f38e0a56c19e6bfaf5d2ef33fc8fa919338d8278bf

SHA512
08dddaad851c31b6f3b0efd622aabbba36570d857939a3f37ca5c31e00d0943f3e9e0499b0163b4de33f53f42661e28e3058034179bb8f0547a69bddec31119e

Download Submit
memory/3272-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3272-14-0x00000000015F0000-0x0000000001656000-memory.dmp

Filesize
408KB

Download
memory/3272-20-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/3272-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3272-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3272-33-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/3272-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4416-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4416-1-0x00000000015A0000-0x0000000001606000-memory.dmp

Filesize
408KB

Download
memory/4416-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4416-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download