Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25-01-2024 17:19
General
-
Target
2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe
-
Size
3.5MB
-
MD5
a9e5109e14562508b2b2a03a60dc7202
-
SHA1
bbe5b84d9d3ad7ca2fb34602182297f3ae669611
-
SHA256
c62d65e49cda2653b185ba181c1ad775955e10f6550acde60562e90d35861045
-
SHA512
1e93b71a563e3f853f0a8d7ca83d32b147a058bb9dba4867cec31cce68a1d19357442b3684c10014be025570fef7e5b432d9ad007b915b0df9428390b2b718e4
-
SSDEEP
49152:XkLUJbzk8o21UsNT7I35W4AShA+SdhtkCu/BaC8UWF:X7XkkNpIJAkA+otSZax
Malware Config
Signatures
-
Kinsing
Kinsing is a loader written in Golang.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Drops autorun.inf file 1 TTPs 5 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe"C:\Users\Admin\AppData\Local\Temp\2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\svchost.exeFilesize
896KB
MD5ade6c287437bd9e0a19ac57b69152eed
SHA1d400b88ad5ce5962e045ae052c520383195e0ddf
SHA256735abba65af7f5ec8ee311ec0c11d1f18fb5b78796d518e07d73966a038d111e
SHA512b4187545f5d053b57d1209c020fe05109a85fc0465b8da0b1946af6ca619fd3dfc2ee7d10a6f8c36c21f08dc9db980f84c7400afa4b96f2a90b8bb6d71a52984
-
C:\Windows\svchost.exeFilesize
2.0MB
MD5f2e186c3ebc708a2a4f88ef637ee0e75
SHA148fea8b368916053d348f10f54a8ef37f4f9d341
SHA25675bcd94b72aaf597ab1c1a6267c615a7b97b32f0fb50bd2d5e9f01564115acc4
SHA512e30ef40f696155e1e720659e3b26844e34af7441f7b5f269c717f9eb7aa24dc3bb846bc0f0252b75ff093ec8f3979015a5ee5793a75dd3365f69b355df74a4ed
-
C:\Windows\svchost.exeFilesize
733KB
MD57de00bc378444e9621b4e21894d5a2f8
SHA10ebd3adc3e12dcaaf6e06d59a4c8b2bb5736f559
SHA256f7a57ea4472598bd9fb2e03e9388130246d45fb5f1a4c261f86aa50b10d27208
SHA5127599b4716daa17c4d0d01f52445f70df8d97bfafea3586f9b302eb0ab0121f31afe5ffa42093f03a05d78c9bf5efc88bbe307dd9717ccc7df53eec36cd0cefdc
-
memory/4788-1-0x0000000001160000-0x0000000001170000-memory.dmpFilesize
64KB
-
memory/4788-0-0x0000000074F90000-0x0000000075541000-memory.dmpFilesize
5.7MB
-
memory/4788-2-0x0000000074F90000-0x0000000075541000-memory.dmpFilesize
5.7MB
-
memory/4788-12-0x0000000074F90000-0x0000000075541000-memory.dmpFilesize
5.7MB
-
memory/4816-13-0x0000000074F90000-0x0000000075541000-memory.dmpFilesize
5.7MB
-
memory/4816-14-0x0000000074F90000-0x0000000075541000-memory.dmpFilesize
5.7MB
-
memory/4816-24-0x0000000074F90000-0x0000000075541000-memory.dmpFilesize
5.7MB