kinsing | f81ab3359080addc2a6f5e891b276af6c703b223d57f5a111bc46702a0955952

General

Target

75142584cb192706ad5d3b11b9eaf91d.exe
Size

96KB
MD5

75142584cb192706ad5d3b11b9eaf91d
SHA1

a169e096d9b857e83cedb1cfd44f62851902be6f
SHA256

f81ab3359080addc2a6f5e891b276af6c703b223d57f5a111bc46702a0955952
SHA512

923e894d0873c5796cf79b66144e781a4800aa3ae7029f8f20e0edf0a17652473bc25c173b21211c158913ae51c167b805f5529765c7b9f6057fb0abcf5e78c3
SSDEEP

1536:Gtn6qM+9ETOMMjwRTfh+VkMnTvXb8VHhAuQWJyieWo4DDAibGvzNK8Y2eWF:A6qnEFBf4kMT/eBUE7eWo4DkJzDY2eWF

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Executes dropped EXE 3 IoCs

Processes:

91C3B.exe91C3B.exeBED0D.exe

pid process

2500 91C3B.exe
5052 91C3B.exe
2092 BED0D.exe
Loads dropped DLL 2 IoCs

Processes:

BED0D.exe

pid process

2092 BED0D.exe
2092 BED0D.exe

pid	process
2500	91C3B.exe
5052	91C3B.exe
2092	BED0D.exe

pid	process
2092	BED0D.exe
2092	BED0D.exe

Drops file in System32 directory 8 IoCs

Processes:

BED0D.exe75142584cb192706ad5d3b11b9eaf91d.exe91C3B.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	BED0D.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	BED0D.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	BED0D.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	BED0D.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\2E9QCR5F.htm	BED0D.exe
File opened for modification	C:\Windows\SysWOW64\91C3B.exe	75142584cb192706ad5d3b11b9eaf91d.exe
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	91C3B.exe
File opened for modification	C:\Windows\SysWOW64\BED0D.exe	91C3B.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

BED0D.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	BED0D.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	BED0D.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	BED0D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	BED0D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	BED0D.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	BED0D.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	BED0D.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History	BED0D.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	BED0D.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	BED0D.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	BED0D.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	BED0D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	BED0D.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P	BED0D.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	BED0D.exe

Modifies registry class 64 IoCs

Processes:

BED0D.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	BED0D.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	BED0D.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	BED0D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	BED0D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	BED0D.exe

Runs net.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

75142584cb192706ad5d3b11b9eaf91d.exe91C3B.exe91C3B.exeBED0D.exe

pid process

708 75142584cb192706ad5d3b11b9eaf91d.exe
2500 91C3B.exe
5052 91C3B.exe
2092 BED0D.exe

pid	process
708	75142584cb192706ad5d3b11b9eaf91d.exe
2500	91C3B.exe
5052	91C3B.exe
2092	BED0D.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

75142584cb192706ad5d3b11b9eaf91d.exe91C3B.execmd.execmd.exenet.exenet.exe91C3B.execmd.exenet.exe

description	pid	process	target process
PID 708 wrote to memory of 2500	708	75142584cb192706ad5d3b11b9eaf91d.exe	91C3B.exe
PID 708 wrote to memory of 2500	708	75142584cb192706ad5d3b11b9eaf91d.exe	91C3B.exe
PID 708 wrote to memory of 2500	708	75142584cb192706ad5d3b11b9eaf91d.exe	91C3B.exe
PID 2500 wrote to memory of 3160	2500	91C3B.exe	cmd.exe
PID 2500 wrote to memory of 3160	2500	91C3B.exe	cmd.exe
PID 2500 wrote to memory of 3160	2500	91C3B.exe	cmd.exe
PID 708 wrote to memory of 3804	708	75142584cb192706ad5d3b11b9eaf91d.exe	cmd.exe
PID 708 wrote to memory of 3804	708	75142584cb192706ad5d3b11b9eaf91d.exe	cmd.exe
PID 708 wrote to memory of 3804	708	75142584cb192706ad5d3b11b9eaf91d.exe	cmd.exe
PID 3160 wrote to memory of 2432	3160	cmd.exe	net.exe
PID 3160 wrote to memory of 2432	3160	cmd.exe	net.exe
PID 3160 wrote to memory of 2432	3160	cmd.exe	net.exe
PID 3804 wrote to memory of 1036	3804	cmd.exe	net.exe
PID 3804 wrote to memory of 1036	3804	cmd.exe	net.exe
PID 3804 wrote to memory of 1036	3804	cmd.exe	net.exe
PID 1036 wrote to memory of 4020	1036	net.exe	net1.exe
PID 1036 wrote to memory of 4020	1036	net.exe	net1.exe
PID 1036 wrote to memory of 4020	1036	net.exe	net1.exe
PID 2432 wrote to memory of 4552	2432	net.exe	net1.exe
PID 2432 wrote to memory of 4552	2432	net.exe	net1.exe
PID 2432 wrote to memory of 4552	2432	net.exe	net1.exe
PID 5052 wrote to memory of 2284	5052	91C3B.exe	cmd.exe
PID 5052 wrote to memory of 2284	5052	91C3B.exe	cmd.exe
PID 5052 wrote to memory of 2284	5052	91C3B.exe	cmd.exe
PID 2284 wrote to memory of 4132	2284	cmd.exe	net.exe
PID 2284 wrote to memory of 4132	2284	cmd.exe	net.exe
PID 2284 wrote to memory of 4132	2284	cmd.exe	net.exe
PID 4132 wrote to memory of 1748	4132	net.exe	net1.exe
PID 4132 wrote to memory of 1748	4132	net.exe	net1.exe
PID 4132 wrote to memory of 1748	4132	net.exe	net1.exe
PID 5052 wrote to memory of 2092	5052	91C3B.exe	BED0D.exe
PID 5052 wrote to memory of 2092	5052	91C3B.exe	BED0D.exe
PID 5052 wrote to memory of 2092	5052	91C3B.exe	BED0D.exe

C:\Users\Admin\AppData\Local\Temp\75142584cb192706ad5d3b11b9eaf91d.exe
"C:\Users\Admin\AppData\Local\Temp\75142584cb192706ad5d3b11b9eaf91d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\SysWOW64\91C3B.exe
C:\Windows\system32\91C3B.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /c "net start 91C3B"
3⤵
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\net.exe
net start 91C3B
4⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start 91C3B
5⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
cmd /c "net start 91C3B"
2⤵
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\net.exe
net start 91C3B
3⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start 91C3B
4⤵
PID:4020

C:\Windows\SysWOW64\91C3B.exe
C:\Windows\SysWOW64\91C3B.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\cmd.exe
cmd /c "net start 91C3B"
2⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\net.exe
net start 91C3B
3⤵
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start 91C3B
4⤵
PID:1748

C:\Windows\SysWOW64\BED0D.exe
C:\Windows\system32\BED0D.exe eee
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\91C3B.exe
Filesize
96KB

MD5
75142584cb192706ad5d3b11b9eaf91d

SHA1
a169e096d9b857e83cedb1cfd44f62851902be6f

SHA256
f81ab3359080addc2a6f5e891b276af6c703b223d57f5a111bc46702a0955952

SHA512
923e894d0873c5796cf79b66144e781a4800aa3ae7029f8f20e0edf0a17652473bc25c173b21211c158913ae51c167b805f5529765c7b9f6057fb0abcf5e78c3

Download Submit
C:\Windows\SysWOW64\BED0D.exe
Filesize
104KB

MD5
840b1eb2c3e003f542d8f0b5a0a09f5c

SHA1
c3d3b721d5a941c16307265e6ef1b339474ef201

SHA256
7910ee7760acc55a9a440e819f5d72153169e8b84dfdb508575feaea4e1ad18c

SHA512
4d26490d9b48a179828001e749d932c82c4cc4941b1f5c5bd864a5427d802dbc799652f65117235f9346bee233c1db3718a0ad10c5614c88613b88a878291509

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX
Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
memory/708-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/708-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/708-12-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2500-8-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2500-9-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2500-13-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5052-15-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/5052-31-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads