kinsing | c101bc6ce098c1531987543175771b755ebe79616497c5114ef510571c5f3d32

General

Target

DHL_AWB#6078538091.exe
Size

743KB
MD5

2685c5b3d73fe94a815a84c1dd5813ef
SHA1

edf893ff59c3437e942fd8cd40c9381ef536dbf2
SHA256

27769f4bb96d0e605bdc282658c6a729e4ceb8447cd9e1f9880c69862258e66f
SHA512

a989d2198b0a9d8bddff535bd821c124b347cbdb0a2ffb91ce76b9d91a4847e38ffd2a58300e53366004628729d5ac9d9dfc10539ae6808ab6c3d26877e6fc65
SSDEEP

12288:X4nWcI58atfrHsfjGrfrtofP/l1rkxNVOIiB3bow5404ni0C0eb:X4Y5JDsfjStMn3rkxNo+w5/4+0

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Suspicious use of SetThreadContext 4 IoCs

Processes:

DHL_AWB#6078538091.exeDHL_AWB#6078538091.exedvdplay.exe

description	pid	process	target process
PID 1104 set thread context of 4676	1104	DHL_AWB#6078538091.exe	DHL_AWB#6078538091.exe
PID 4676 set thread context of 3460	4676	DHL_AWB#6078538091.exe	Explorer.EXE
PID 4676 set thread context of 1424	4676	DHL_AWB#6078538091.exe	dvdplay.exe
PID 1424 set thread context of 3460	1424	dvdplay.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

dvdplay.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	dvdplay.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

DHL_AWB#6078538091.exeDHL_AWB#6078538091.exedvdplay.exe

pid	process
1104	DHL_AWB#6078538091.exe
1104	DHL_AWB#6078538091.exe
1104	DHL_AWB#6078538091.exe
1104	DHL_AWB#6078538091.exe
1104	DHL_AWB#6078538091.exe
1104	DHL_AWB#6078538091.exe
4676	DHL_AWB#6078538091.exe
4676	DHL_AWB#6078538091.exe
4676	DHL_AWB#6078538091.exe
4676	DHL_AWB#6078538091.exe
4676	DHL_AWB#6078538091.exe
4676	DHL_AWB#6078538091.exe
4676	DHL_AWB#6078538091.exe
4676	DHL_AWB#6078538091.exe
4676	DHL_AWB#6078538091.exe
4676	DHL_AWB#6078538091.exe
4676	DHL_AWB#6078538091.exe
4676	DHL_AWB#6078538091.exe
4676	DHL_AWB#6078538091.exe
4676	DHL_AWB#6078538091.exe
4676	DHL_AWB#6078538091.exe
4676	DHL_AWB#6078538091.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

DHL_AWB#6078538091.exeExplorer.EXEdvdplay.exe

pid process

4676 DHL_AWB#6078538091.exe
3460 Explorer.EXE
3460 Explorer.EXE
1424 dvdplay.exe
1424 dvdplay.exe
1424 dvdplay.exe
1424 dvdplay.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DHL_AWB#6078538091.exe

description pid process

Token: SeDebugPrivilege 1104 DHL_AWB#6078538091.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3460 Explorer.EXE

pid	process
4676	DHL_AWB#6078538091.exe
3460	Explorer.EXE
3460	Explorer.EXE
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe
1424	dvdplay.exe

description	pid	process
Token: SeDebugPrivilege	1104	DHL_AWB#6078538091.exe

pid	process
3460	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

DHL_AWB#6078538091.exeExplorer.EXEdvdplay.exe

description	pid	process	target process
PID 1104 wrote to memory of 4676	1104	DHL_AWB#6078538091.exe	DHL_AWB#6078538091.exe
PID 1104 wrote to memory of 4676	1104	DHL_AWB#6078538091.exe	DHL_AWB#6078538091.exe
PID 1104 wrote to memory of 4676	1104	DHL_AWB#6078538091.exe	DHL_AWB#6078538091.exe
PID 1104 wrote to memory of 4676	1104	DHL_AWB#6078538091.exe	DHL_AWB#6078538091.exe
PID 1104 wrote to memory of 4676	1104	DHL_AWB#6078538091.exe	DHL_AWB#6078538091.exe
PID 1104 wrote to memory of 4676	1104	DHL_AWB#6078538091.exe	DHL_AWB#6078538091.exe
PID 3460 wrote to memory of 1424	3460	Explorer.EXE	dvdplay.exe
PID 3460 wrote to memory of 1424	3460	Explorer.EXE	dvdplay.exe
PID 3460 wrote to memory of 1424	3460	Explorer.EXE	dvdplay.exe
PID 1424 wrote to memory of 1948	1424	dvdplay.exe	Firefox.exe
PID 1424 wrote to memory of 1948	1424	dvdplay.exe	Firefox.exe
PID 1424 wrote to memory of 1948	1424	dvdplay.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3460

C:\Users\Admin\AppData\Local\Temp\DHL_AWB#6078538091.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB#6078538091.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\DHL_AWB#6078538091.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB#6078538091.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4676

C:\Windows\SysWOW64\dvdplay.exe
"C:\Windows\SysWOW64\dvdplay.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1424

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1104-15-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/1104-1-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/1104-2-0x0000000005C00000-0x00000000061A4000-memory.dmp

Filesize
5.6MB

Download
memory/1104-3-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/1104-4-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/1104-5-0x00000000055F0000-0x00000000055FA000-memory.dmp

Filesize
40KB

Download
memory/1104-6-0x0000000005BC0000-0x0000000005BD8000-memory.dmp

Filesize
96KB

Download
memory/1104-7-0x0000000005BE0000-0x0000000005BE8000-memory.dmp

Filesize
32KB

Download
memory/1104-8-0x00000000068D0000-0x00000000068DC000-memory.dmp

Filesize
48KB

Download
memory/1104-9-0x0000000006C20000-0x0000000006CA0000-memory.dmp

Filesize
512KB

Download
memory/1104-10-0x0000000009250000-0x00000000092EC000-memory.dmp

Filesize
624KB

Download
memory/1104-11-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/1104-12-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/1104-0-0x0000000000B60000-0x0000000000C20000-memory.dmp

Filesize
768KB

Download
memory/1424-25-0x0000000000E90000-0x00000000011DA000-memory.dmp

Filesize
3.3MB

Download
memory/1424-26-0x0000000000800000-0x000000000083C000-memory.dmp

Filesize
240KB

Download
memory/1424-29-0x0000000000800000-0x000000000083C000-memory.dmp

Filesize
240KB

Download
memory/1424-22-0x0000000000800000-0x000000000083C000-memory.dmp

Filesize
240KB

Download
memory/1424-23-0x0000000000800000-0x000000000083C000-memory.dmp

Filesize
240KB

Download
memory/1424-27-0x0000000001290000-0x0000000001332000-memory.dmp

Filesize
648KB

Download
memory/3460-38-0x00000000081A0000-0x00000000082BE000-memory.dmp

Filesize
1.1MB

Download
memory/3460-31-0x00000000081A0000-0x00000000082BE000-memory.dmp

Filesize
1.1MB

Download
memory/3460-30-0x00000000081A0000-0x00000000082BE000-memory.dmp

Filesize
1.1MB

Download
memory/3460-21-0x000000000CB30000-0x000000000D94B000-memory.dmp

Filesize
14.1MB

Download
memory/3460-28-0x000000000CB30000-0x000000000D94B000-memory.dmp

Filesize
14.1MB

Download
memory/4676-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4676-13-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4676-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4676-16-0x0000000001060000-0x00000000013AA000-memory.dmp

Filesize
3.3MB

Download
memory/4676-20-0x0000000000BD0000-0x0000000000BF3000-memory.dmp

Filesize
140KB

Download
memory/4676-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4676-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads