kinsing | 27c2601bd94650517f06ca1863f9e2bf1c7859a7bf61859836a26867196552f6

General

Target

750a8e877ded6c0d530b69fc0bd29849.exe
Size

257KB
MD5

750a8e877ded6c0d530b69fc0bd29849
SHA1

792daf6eb23c028db67b4fd53bf89242c6228e14
SHA256

27c2601bd94650517f06ca1863f9e2bf1c7859a7bf61859836a26867196552f6
SHA512

1476a2c3684513bd89f22ec4ea69196f3ad13e3a85aa69ee8df173801d877f0f755c18dd72cfe37bbba7e77aedc5ee065dcb7a72218ad156a1517993f08b053f
SSDEEP

6144:snhPrfhPgYxuaMVmaho0+tq/pTNfXwysBVe+xMXQyWIf8kPZ33yMuZixwU8:38ptqrXwy2/MXQ/EnZnBuZfL

Score

10^/10

kinsing discovery loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

750a8e877ded6c0d530b69fc0bd29849.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\750A8E~1.EXE,"	750a8e877ded6c0d530b69fc0bd29849.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

750a8e877ded6c0d530b69fc0bd29849.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\750A8E~1.EXE"	750a8e877ded6c0d530b69fc0bd29849.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

750a8e877ded6c0d530b69fc0bd29849.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\e7173c2f = "Hœ_y5\u0090I<âg:ÊB/â\"S1\x1fõGüÏËÐ-Ê\u0081`\x1d–Q×\x1an‰65¤Nÿ€\x018´\x11\nutQaOW\x1e(ïm\x02^7/÷ú—I¥Ù°46ßÆ™Ý9n[»®mäM#´L$ÿÌ;Ù®þ§dÆ~..ñ6Ÿ¯qÞE,¡“¾ý=OáÍÕö‰ìa4½þl´Kv\a\x03¿Ô\x14ÝU\t3_-\x13ÓÄ\x7f÷œAì®cW}¡ù–…™…$¦¶¦Æ\x16AîÔ\rm¦®ƒ=e\r\u009d¯¤µVn·ó\x1e\x0e¼4{¡CsL±©<\x16ÌóD\v~G\u008deÕ‡\u009d‘µäLn\x16…\x13\x14–\x1e¤=FÄ{ô7\rìU”Ü<›Ö+Ÿ‡ÎÉ\x7f\x0e\x04õœ\x1fAþ¤)¤ô7W¬¼sï\a\x06\u00ad^§Õ\x01"	750a8e877ded6c0d530b69fc0bd29849.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\750A8E~1.EXE"	750a8e877ded6c0d530b69fc0bd29849.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

750a8e877ded6c0d530b69fc0bd29849.exe

pid	process
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe
1432	750a8e877ded6c0d530b69fc0bd29849.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

750a8e877ded6c0d530b69fc0bd29849.exe

description	pid	process
Token: SeSecurityPrivilege	1432	750a8e877ded6c0d530b69fc0bd29849.exe
Token: SeSecurityPrivilege	1432	750a8e877ded6c0d530b69fc0bd29849.exe
Token: SeSecurityPrivilege	1432	750a8e877ded6c0d530b69fc0bd29849.exe
Token: SeSecurityPrivilege	1432	750a8e877ded6c0d530b69fc0bd29849.exe

C:\Users\Admin\AppData\Local\Temp\750a8e877ded6c0d530b69fc0bd29849.exe
"C:\Users\Admin\AppData\Local\Temp\750a8e877ded6c0d530b69fc0bd29849.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Network Service Discovery

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1432-0-0x000000007FDE0000-0x000000007FE49000-memory.dmp

Filesize
420KB

Download
memory/1432-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1432-3-0x0000000002280000-0x0000000002332000-memory.dmp

Filesize
712KB

Download
memory/1432-4-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-6-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-7-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-9-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-10-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-57-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-58-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-59-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-60-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-61-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-62-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-63-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-65-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-68-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-70-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-73-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-75-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-77-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-79-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-81-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-83-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-85-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-89-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-84-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-91-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-93-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-92-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-94-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-100-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-97-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-103-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-105-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-107-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-110-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-109-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-113-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download
memory/1432-3707-0x000000007FDE0000-0x000000007FE49000-memory.dmp

Filesize
420KB

Download
memory/1432-4395-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1432-5649-0x0000000002860000-0x0000000002918000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads