kinsing | 3b7da21bdcd1e4771b9508a5c1d6d404ce1ddf1292be5869ef081f72cc0bdae3

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:11

Target

750f2b6aa881f5c0d2a31594114ef012.exe
Size

385KB
MD5

750f2b6aa881f5c0d2a31594114ef012
SHA1

8cb45dc9517baf0922405a87c80b8ec5cb33608a
SHA256

3b7da21bdcd1e4771b9508a5c1d6d404ce1ddf1292be5869ef081f72cc0bdae3
SHA512

35c223e8353b75827a133909920d0d8e4bd9d9abfd2df563ea90f77e18fd273f6ddd4f9fb5a537ca486b3c4df4fd059c67325d696adc9550bf60ff4458b8ea7e
SSDEEP

12288:Igef29ChD/jb8Mv1u5/B7uHb5ashTq/S75B:NH9Chz/LcJ765/hTeSVB

Score

10^/10

kinsing loader

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Deletes itself 1 IoCs

Processes:

750f2b6aa881f5c0d2a31594114ef012.exe

pid process

2204 750f2b6aa881f5c0d2a31594114ef012.exe
Executes dropped EXE 1 IoCs

Processes:

750f2b6aa881f5c0d2a31594114ef012.exe

pid process

2204 750f2b6aa881f5c0d2a31594114ef012.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

6 pastebin.com
7 pastebin.com
Suspicious behavior: RenamesItself 1 IoCs

Processes:

750f2b6aa881f5c0d2a31594114ef012.exe

pid process

3232 750f2b6aa881f5c0d2a31594114ef012.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

750f2b6aa881f5c0d2a31594114ef012.exe750f2b6aa881f5c0d2a31594114ef012.exe

pid process

3232 750f2b6aa881f5c0d2a31594114ef012.exe
2204 750f2b6aa881f5c0d2a31594114ef012.exe

pid	process
2204	750f2b6aa881f5c0d2a31594114ef012.exe

pid	process
2204	750f2b6aa881f5c0d2a31594114ef012.exe

flow	ioc
6	pastebin.com
7	pastebin.com

pid	process
3232	750f2b6aa881f5c0d2a31594114ef012.exe

pid	process
3232	750f2b6aa881f5c0d2a31594114ef012.exe
2204	750f2b6aa881f5c0d2a31594114ef012.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

750f2b6aa881f5c0d2a31594114ef012.exe

description	pid	process	target process
PID 3232 wrote to memory of 2204	3232	750f2b6aa881f5c0d2a31594114ef012.exe	750f2b6aa881f5c0d2a31594114ef012.exe
PID 3232 wrote to memory of 2204	3232	750f2b6aa881f5c0d2a31594114ef012.exe	750f2b6aa881f5c0d2a31594114ef012.exe
PID 3232 wrote to memory of 2204	3232	750f2b6aa881f5c0d2a31594114ef012.exe	750f2b6aa881f5c0d2a31594114ef012.exe

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\750f2b6aa881f5c0d2a31594114ef012.exe
Filesize
385KB

MD5
cc0d7e8b14d0097da97c69e5a949910b

SHA1
78721ad717ae4f0fa4de6b410345ffe35fd083d9

SHA256
64e60fc015f92b5cdb4d89841461bf06593ccd0ba93115721d87c3f30820a9aa

SHA512
010929972a689e9d4214c104e5a849f2b90d7ddb60ddbad124b9a12791c82c0e7a2cc7ccb82579e98d7c840688b24af9ee8ef8f4666f4d7d6e6d1139c8027afd

Download Submit
memory/2204-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2204-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2204-20-0x0000000001600000-0x000000000165F000-memory.dmp

Filesize
380KB

Download
memory/2204-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2204-32-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/2204-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2204-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3232-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3232-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/3232-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3232-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download