kinsing | debd455391888928a84ae3fbc58d6bf40eb739c5caffe3d68c5c5e2734970186

Resubmissions

25-01-2024 22:26

25-01-2024 17:25

max time kernel
135s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231222-es
resource tags

arch:x64arch:x86image:win10v2004-20231222-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
25-01-2024 17:25

Target

Meet.exe
Size

469.8MB
MD5

4f44f506dc54a3e6ecc2da93bc5966f5
SHA1

2a6671f8be6d2d5c09093f9a2715eb7a4aaba44b
SHA256

debd455391888928a84ae3fbc58d6bf40eb739c5caffe3d68c5c5e2734970186
SHA512

2821ec7493bd3cfb16bb59d06abf3907072a9ac50c3783208776c6c1e321eadc1b7640d398c113cb96ada33205981b6d43f17ce9ee3924ca2a72b28e50f42fbd
SSDEEP

6291456:3LN6SRoiJjOen+zQtaEeaszZv1xKRl35DCSpWgUPNlP/ikfuc5MYyGFNCx:3LN6SLJjOen3t+32pDZl6NxBlDY

Score

10^/10

kinsing loader

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1312	Meet.exe
1312	Meet.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 1312	4952	Meet.exe	92
PID 4952 wrote to memory of 1312	4952	Meet.exe	92

C:\Users\Admin\AppData\Local\Temp\Meet.exe
"C:\Users\Admin\AppData\Local\Temp\Meet.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Local\Temp\Meet.exe
  C:\Users\Admin\AppData\Local\Temp\Meet.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:996

memory/1312-0-0x00007FF6C5770000-0x00007FF6C6770000-memory.dmp

Filesize
16.0MB

Download
memory/4952-1-0x00007FF6C5770000-0x00007FF6C6770000-memory.dmp

Filesize
16.0MB

Download