kinsing | 08fd0d4fe3da3e4a714d129ddee649757b5bddee7d67574e7c3b441e1cc1d435

General

Target

75134b548ab81fd2486c24d7a2f943fe.exe
Size

76KB
MD5

75134b548ab81fd2486c24d7a2f943fe
SHA1

7b876b31e8fec7807e8cf3cbac75b11c9196dcd1
SHA256

08fd0d4fe3da3e4a714d129ddee649757b5bddee7d67574e7c3b441e1cc1d435
SHA512

bfc5ebf577891ca074f46a778093d9789405f75a06860dfb1de06da43d7f0584a605cdd5e02cde79d8e11c0d3f30e654353258a7e28f258c9d7cb8f69229e6f0
SSDEEP

1536:NMMM7nCi2Sw3rBsxAP8iKZ3NzWvdEuUaAlmlGUOj2Q2Mt9WI56pjVrs2ryrd1vUZ:wCi2Sw3Fsxi81qEPJml0R56Hs2qo

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Drops file in Program Files directory 13 IoCs

Processes:

75134b548ab81fd2486c24d7a2f943fe.exe

description	ioc	process
File opened for modification	C:\Program Files\StepUse.htm	75134b548ab81fd2486c24d7a2f943fe.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.HTM	75134b548ab81fd2486c24d7a2f943fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html	75134b548ab81fd2486c24d7a2f943fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\tsbknceh.exe	75134b548ab81fd2486c24d7a2f943fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\revhnlhn.exe	75134b548ab81fd2486c24d7a2f943fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\README.html	75134b548ab81fd2486c24d7a2f943fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\chllsvtv.exe	75134b548ab81fd2486c24d7a2f943fe.exe
File opened for modification	C:\Program Files\Java\jre-1.8\Welcome.html	75134b548ab81fd2486c24d7a2f943fe.exe
File opened for modification	C:\Program Files\Java\jre-1.8\hcjzqenb.exe	75134b548ab81fd2486c24d7a2f943fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM	75134b548ab81fd2486c24d7a2f943fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM	75134b548ab81fd2486c24d7a2f943fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\Welcome.html	75134b548ab81fd2486c24d7a2f943fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\rvhrjtnt.exe	75134b548ab81fd2486c24d7a2f943fe.exe

Modifies registry class 24 IoCs

Processes:

75134b548ab81fd2486c24d7a2f943fe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA7E191-3518-8C5E-DAD0-E316016B7509}\ = "ttjlnwtlklrhxweb"	75134b548ab81fd2486c24d7a2f943fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D72C442F-6EA9-BFAF-2703-0F262F8765FD}\LocalServer32\ = "C:\\Program Files\\Java\\jdk-1.8\\chllsvtv.exe"	75134b548ab81fd2486c24d7a2f943fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC84F518-2B78-BCFB-E876-EDAE640549C3}	75134b548ab81fd2486c24d7a2f943fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\Office16\\PersonaSpy\\tsbknceh.exe"	75134b548ab81fd2486c24d7a2f943fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F660BB-B748-3C77-C04E-D9A6C90CD4EE}	75134b548ab81fd2486c24d7a2f943fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F660BB-B748-3C77-C04E-D9A6C90CD4EE}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\75134b548ab81fd2486c24d7a2f943fe.exe"	75134b548ab81fd2486c24d7a2f943fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA7E191-3518-8C5E-DAD0-E316016B7509}\LocalServer32	75134b548ab81fd2486c24d7a2f943fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D72C442F-6EA9-BFAF-2703-0F262F8765FD}	75134b548ab81fd2486c24d7a2f943fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D72C442F-6EA9-BFAF-2703-0F262F8765FD}\ = "hjzxjxsktbrzlhbe"	75134b548ab81fd2486c24d7a2f943fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\ = "bthrvzctxrcherth"	75134b548ab81fd2486c24d7a2f943fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\ = "bxbntwljlnrtheeh"	75134b548ab81fd2486c24d7a2f943fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F660BB-B748-3C77-C04E-D9A6C90CD4EE}\LocalServer32	75134b548ab81fd2486c24d7a2f943fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA7E191-3518-8C5E-DAD0-E316016B7509}	75134b548ab81fd2486c24d7a2f943fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC84F518-2B78-BCFB-E876-EDAE640549C3}\LocalServer32\ = "C:\\Program Files\\Java\\jre-1.8\\hcjzqenb.exe"	75134b548ab81fd2486c24d7a2f943fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F660BB-B748-3C77-C04E-D9A6C90CD4EE}\ = "lhthbrlbllqlbkzb"	75134b548ab81fd2486c24d7a2f943fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC84F518-2B78-BCFB-E876-EDAE640549C3}\ = "rbxtnexbntelhkws"	75134b548ab81fd2486c24d7a2f943fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC84F518-2B78-BCFB-E876-EDAE640549C3}\LocalServer32	75134b548ab81fd2486c24d7a2f943fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}	75134b548ab81fd2486c24d7a2f943fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32	75134b548ab81fd2486c24d7a2f943fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}	75134b548ab81fd2486c24d7a2f943fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32	75134b548ab81fd2486c24d7a2f943fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX64\\Microsoft Shared\\Smart Tag\\1033\\rvhrjtnt.exe"	75134b548ab81fd2486c24d7a2f943fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA7E191-3518-8C5E-DAD0-E316016B7509}\LocalServer32\ = "C:\\Program Files\\Java\\jdk-1.8\\jre\\revhnlhn.exe"	75134b548ab81fd2486c24d7a2f943fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D72C442F-6EA9-BFAF-2703-0F262F8765FD}\LocalServer32	75134b548ab81fd2486c24d7a2f943fe.exe

C:\Users\Admin\AppData\Local\Temp\75134b548ab81fd2486c24d7a2f943fe.exe
"C:\Users\Admin\AppData\Local\Temp\75134b548ab81fd2486c24d7a2f943fe.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
PID:4864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4864-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4864-1-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-3-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-2-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-6-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-7-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-9-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-10-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-11-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-12-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-13-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-14-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-15-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-16-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-17-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-18-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-19-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-20-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-21-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-22-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-23-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-24-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-25-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-26-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-27-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-28-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-29-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-30-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-31-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-32-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-33-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-34-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-35-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-36-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-37-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-38-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-39-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-40-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-41-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-42-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-43-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-44-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-45-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-46-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-47-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-48-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-49-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-50-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-51-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-52-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-53-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-54-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-55-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-56-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-57-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-58-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-59-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-60-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-61-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-62-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-63-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-64-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-65-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4864-1394-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing