kinsing | b621c6e7d7e0469da0a7ea62ce79016fae190d61966fdd562a25c6a2ed3988d7

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:25

Target

7516655f9a83a003f195f8c50b0c9aa1.exe
Size

10.6MB
MD5

7516655f9a83a003f195f8c50b0c9aa1
SHA1

725407271eca425b5f66ceab858b0ef70e558032
SHA256

b621c6e7d7e0469da0a7ea62ce79016fae190d61966fdd562a25c6a2ed3988d7
SHA512

7e767c5c1e6ce03cc194fffdd9a17f41194e4bee8cf548191b5088027945a8e22952084465956f9db6e385db6824f51dfcf1a1639ea08e55c53efcae46ba93e7
SSDEEP

196608:xjA7PaEWByml5KIbEY5H9lkbt+WYl5KIbEY5H9lA:mPaE2y8QYFbabOQYFbA

Score

10^/10

kinsing loader upx

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Deletes itself 1 IoCs

Processes:

7516655f9a83a003f195f8c50b0c9aa1.exe

pid process

4848 7516655f9a83a003f195f8c50b0c9aa1.exe
Executes dropped EXE 1 IoCs

Processes:

7516655f9a83a003f195f8c50b0c9aa1.exe

pid process

4848 7516655f9a83a003f195f8c50b0c9aa1.exe

pid	process
4848	7516655f9a83a003f195f8c50b0c9aa1.exe

pid	process
4848	7516655f9a83a003f195f8c50b0c9aa1.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/5012-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\7516655f9a83a003f195f8c50b0c9aa1.exe	upx

Suspicious behavior: RenamesItself 1 IoCs

Processes:

7516655f9a83a003f195f8c50b0c9aa1.exe

pid process

5012 7516655f9a83a003f195f8c50b0c9aa1.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

7516655f9a83a003f195f8c50b0c9aa1.exe7516655f9a83a003f195f8c50b0c9aa1.exe

pid process

5012 7516655f9a83a003f195f8c50b0c9aa1.exe
4848 7516655f9a83a003f195f8c50b0c9aa1.exe

pid	process
5012	7516655f9a83a003f195f8c50b0c9aa1.exe

pid	process
5012	7516655f9a83a003f195f8c50b0c9aa1.exe
4848	7516655f9a83a003f195f8c50b0c9aa1.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7516655f9a83a003f195f8c50b0c9aa1.exe

description	pid	process	target process
PID 5012 wrote to memory of 4848	5012	7516655f9a83a003f195f8c50b0c9aa1.exe	7516655f9a83a003f195f8c50b0c9aa1.exe
PID 5012 wrote to memory of 4848	5012	7516655f9a83a003f195f8c50b0c9aa1.exe	7516655f9a83a003f195f8c50b0c9aa1.exe
PID 5012 wrote to memory of 4848	5012	7516655f9a83a003f195f8c50b0c9aa1.exe	7516655f9a83a003f195f8c50b0c9aa1.exe

C:\Users\Admin\AppData\Local\Temp\7516655f9a83a003f195f8c50b0c9aa1.exe
Filesize
369KB

MD5
1f420688ea21e503d534853f327be665

SHA1
1e39d7486059baa0e6ebd1fbd9dd4a8487655d45

SHA256
839e03ef87f538fd370fd42d5d11fa52eb2f5593b3330e146fa50f13f37ed857

SHA512
c12befe92d11fe26f2fb3e837ca90bbb01ef7004462fef76196f6020994ba68079c17b20424fca070f7e9d5f938d57dfb8e3c93af71e3f0adfc44e168cb6583d

Download Submit
memory/4848-15-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/4848-14-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/4848-13-0x0000000001DE0000-0x0000000001F13000-memory.dmp

Filesize
1.2MB

Download
memory/4848-21-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4848-20-0x00000000056E0000-0x000000000590A000-memory.dmp

Filesize
2.2MB

Download
memory/4848-28-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/5012-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/5012-1-0x0000000001D20000-0x0000000001E53000-memory.dmp

Filesize
1.2MB

Download
memory/5012-2-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/5012-12-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download