kinsing | 3fdfc26ea2724947c69935c4adb348a2a86bd0d99dd2b00b9f421d00ed09af7d

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 17:03

Target

$PLUGINSDIR/QvodInstaller.dll
Size

253KB
MD5

7b619c99f2a6b1d661d9d860f2e3a3e8
SHA1

3d23eb82f64f9efd73ecd3885e6bf2db432ef326
SHA256

bb0d558fde429a9710109366b04e2bf7ea74d90d80f37323d857358e6c79c866
SHA512

79a221867e49f5bc1d0d7d10d7357d74e76b852bf609f72ee820722ac409d8c86f69526cdfb4e578d394818762f59fc4ca070ef5cef018b2ec65f9070f2cee97
SSDEEP

3072:/mM9bZmPixPEIT1S9+nsNGR5Ks4G3DUaIqq/to/WOTBf2xTHUNjsOP5KxtEWgGvK:/3APidsmKtG3IxOTB6T0NO/S

Score

10^/10

kinsing loader

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1356	1560	WerFault.exe	85

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 1560	988	rundll32.exe	85
PID 988 wrote to memory of 1560	988	rundll32.exe	85
PID 988 wrote to memory of 1560	988	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\QvodInstaller.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:988
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\QvodInstaller.dll,#1
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 672
    3⤵
    - Program crash
    PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1560 -ip 1560
1⤵
PID:4924