Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
25-01-2024 17:15
General
-
Target
约翰迪尔融资租赁有限公司.bmp
-
Size
1.9MB
-
MD5
0c82b65faf383bfc67c9e78c074f34ab
-
SHA1
b902acf84344894ef9f4267d1622297e3a3bcc2b
-
SHA256
1fbfd71dd3e01fbc430819c0d0e7057033a9ba996827da9c20d35234d3bb17e9
-
SHA512
6fd52f3885489145ff4d9ef6218fa18b338f573f9dcfe0386556366b162f50d98b451be103d9133f7a5555b9825adb9e51bc0062c319a46337b4eaf3ca26af45
-
SSDEEP
1536:8pobi/CKreZvXQ/v/fYJy0SE0+tVWdl3EwaDN6M21IdPMHlHE8hPzkOoY0ge/v/f:5
Score
10/10
Malware Config
Signatures
-
Kinsing
Kinsing is a loader written in Golang.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\约翰迪尔融资租赁有限公司.bmp1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\约翰迪尔融资租赁有限公司.bmp"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵