Analysis
-
max time kernel
141s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25-01-2024 17:18
General
-
Target
7512aeaabc9121acae31ab38edb2ba61.exe
-
Size
11KB
-
MD5
7512aeaabc9121acae31ab38edb2ba61
-
SHA1
f4a053c6de78f4aea3ecc3ec7e75e5946ffe932f
-
SHA256
e2aada4f8c14f09c18977e9bba42233d7cc7575502b379a4f95701658907c962
-
SHA512
770e0f4d6f4d4a60aa3b53d040e89c195da89c50c48d097bc6f46931d3a596214d21d7cd5e8038ceb245015f6208c5917c8a70053341102cb9a3fcdaa4ab0675
-
SSDEEP
192:nwh85gw7e+gUpY/fFaNJhLkwcud2DH9VwGfctAphgpNfFUJ/j:whA5e+gUp2aNJawcudoD7Uk6z9U1j
Malware Config
Signatures
-
Kinsing
Kinsing is a loader written in Golang.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7512aeaabc9121acae31ab38edb2ba61.exe"C:\Users\Admin\AppData\Local\Temp\7512aeaabc9121acae31ab38edb2ba61.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6AEF.tmp\b2e.exe"C:\Users\Admin\AppData\Local\Temp\6AEF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6AEF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\7512aeaabc9121acae31ab38edb2ba61.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6E5A.tmp\batfile.bat" "3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "3⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\6AEF.tmp\b2e.exeFilesize
8KB
MD57cca02cab1740a2cde4f19401d90b761
SHA1211aedb45f6285b80b99ac2ab0997ab44c68beed
SHA256a3c2d58306e634011046cc19f0b26fefd3bb378c4c66d1f8d2df2937eeeeee33
SHA5126ba424faa5ca129382c0d179dbbb6d45ce28010d8936911b506a16afe1af433c289a5df361a83a50f1e0b470fbae037809416a45f097317a04227cfd49de5ff4
-
C:\Users\Admin\AppData\Local\Temp\6E5A.tmp\batfile.batFilesize
31B
MD5c06882e5d200a2a75e39caff89d6ad4b
SHA19fed645a3c3bef5b534411a6bd5ba7ebd1183069
SHA2568eae027d2b667cbcffb280231a9ad4fa62c66f7a2497a09a2d1353834e736987
SHA51261881e005e802a8ad57a784087ba078773bd99e3475d3f058706747c020de67a692440227166f7a04d5e1660a49dfecd854d5ed58d89c1805897438536306e98
-
C:\Users\Admin\AppData\Local\Temp\selfdel0.batFilesize
158B
MD5a29b94640f1941d12628b229e5bfe71e
SHA13c7eec79d1a288084b998f125e064c72ff2a22e2
SHA2566c6ba119d96c9952eaac28268c0cb722cbdb9241c7dc2f060a3605c2b2f69553
SHA51295c5ad288b893f4a3f3dc53428e0bda9af5ea5efc266c581310d16bac557ad1e2ca0aef0bb13d83834c2e1e4764e2318d9e98c2694d6f101b0b8d2ec32fc9111
-
memory/2504-10-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/2504-18-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/4060-0-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/4060-11-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB