Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25-01-2024 17:24
General
-
Target
TAXDOCUMENTS_TIMCH.rar
-
Size
2.3MB
-
MD5
55ba326f0e05ac78754238757774470e
-
SHA1
69a2a16a3baa58b0be05a8604379e59689aea3df
-
SHA256
2c18c04ee54fe7b915537e2ed85e9b4ad43efeeddd6756345afffd02bae19205
-
SHA512
174144bfea0ed59ae898eb0f668c6e1035b29dddb4c640cc6131e9e173a845abfdddaa3e777b1c79ce1d47addeb8c3ca805d707ff47a81a8b5ac30ad640b5b63
-
SSDEEP
49152:vP55W8qvmr0niTbxUMnBpwxKYhmzIjXU5so4JzlwT2:5c8aE+AuGBpfYMzkU2zzlwC
Score
10/10
Malware Config
Signatures
-
Kinsing
Kinsing is a loader written in Golang.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TAXDOCUMENTS_TIMCH.rar1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\TAXDOCUMENTS_TIMCH.rar"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow