kinsing | c9a76d6c0da18f481125ed63a75b24f123690952c2f759e74be902d833aad28c

Analysis

max time kernel
300s
max time network
271s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

email-html-1.html
Size

775B
MD5

73629986ff4d4bfb104858e57dc4e864
SHA1

6765a6e588bf3d6535dedf427c882c8e2c0726c1
SHA256

ac1e79d9352bb00b222a2130233a431717fc130f256f5f295825c73a3eb3956c
SHA512

a16d915f96fadf10faf6773946b27c521c46af4b656ede3d03da9b60272aa04c3f57785bc76c8159c9387a97ad019ceade3faf43f39e24d7ea71d93779da39d4

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133506770723084762"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid	Process
1732	chrome.exe
1732	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid	Process
1732	chrome.exe
1732	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 1732 wrote to memory of 1212	1732	chrome.exe	85
PID 1732 wrote to memory of 1212	1732	chrome.exe	85
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 2540	1732	chrome.exe	87
PID 1732 wrote to memory of 4752	1732	chrome.exe	88
PID 1732 wrote to memory of 4752	1732	chrome.exe	88
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89
PID 1732 wrote to memory of 2076	1732	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-1.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff966139758,0x7ff966139768,0x7ff966139778
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1908,i,16045796554596487447,16660394479016191406,131072 /prefetch:2
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1908,i,16045796554596487447,16660394479016191406,131072 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1908,i,16045796554596487447,16660394479016191406,131072 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1908,i,16045796554596487447,16660394479016191406,131072 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1908,i,16045796554596487447,16660394479016191406,131072 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1908,i,16045796554596487447,16660394479016191406,131072 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1908,i,16045796554596487447,16660394479016191406,131072 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2304 --field-trial-handle=1908,i,16045796554596487447,16660394479016191406,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4472

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
824B

MD5
b10a9769e7faf446a35ce3021f1c9588

SHA1
10eeb9cc23c1bf8d525d95d1272373737600a3fd

SHA256
d8e573c3fe226170b8bf58407e3521dac09c69d3b848c5cfd8c770614c99b865

SHA512
732280ab040eaa000ba30b520257105460bc64657582a4a2d15b6cab52dcc9f29675583fe15fd4b7ba3a95c57af3a806e551c592b5f421bbd9c940ba47c67fb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a0881679ea1e72fc9bb95feb0026b74d

SHA1
00eb028cc9ac36404258019734a058c02536e3d7

SHA256
a4838ddfe8370a3efa45ac547337c074ee62a58da5f889c565886b32922cffde

SHA512
e1c23bf02a4da4c71813773639c26e8b2599cb774bbe0a9018ea813148fd9cddb761f3911cab98d851f1a01094da7d6f01dca12f670a4e32a7e3dc1034d8be6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2149e27f34e36ddc070ba6a1b43e7c88

SHA1
8b526895d0ddd2b471869680bc0c5cd4e954e1a9

SHA256
d748f2a7924efd6b87b79f2b707b10413459fb2127b0833da0ec5bbb23544131

SHA512
decec1b7b6f638f7d1497bd26a335ec397104be651a95aa6424f0da4042dc102b5a29b7f5d343d3e6dcd92cf8da695f43942bf132b039600d4a51c601f3194a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
864117ae0307e9983135a4dc30253417

SHA1
e00d052478477f08d87c640f84c6eb35c215e5a8

SHA256
b9d30c48487c2089bd34ebea0f1308ffe5016d9f4a24d463af68449d06552712

SHA512
c93d575f0367fb09cac70e3121c2d723abb6656c97ab3c1cdd890eca9857540da1c77524e5da4e4c92749fd6a31c7a439f5f565e08b86393db6933ee13cd8ea1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_1732_GPPQFGDSQBRZIBSO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit