Malware Analysis Report

2024-10-19 08:26

Sample ID 240125-wa1m5abhh4
Target 2024-01-25_21310de8491318d13f60ab90a082e518_mafia
SHA256 3b700349cbc4d267b6772b0d3c7ce232d68013a0868842c40e093a7c94b68b40
Tags
kinsing loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3b700349cbc4d267b6772b0d3c7ce232d68013a0868842c40e093a7c94b68b40

Threat Level: Known bad

The file 2024-01-25_21310de8491318d13f60ab90a082e518_mafia was found to be: Known bad.

Malicious Activity Summary

kinsing loader

Kinsing

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:43

Reported

2024-01-25 17:46

Platform

win7-20231215-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_21310de8491318d13f60ab90a082e518_mafia.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_21310de8491318d13f60ab90a082e518_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_21310de8491318d13f60ab90a082e518_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\4A59.tmp

"C:\Users\Admin\AppData\Local\Temp\4A59.tmp" --pingC:\Users\Admin\AppData\Local\Temp\2024-01-25_21310de8491318d13f60ab90a082e518_mafia.exe C06B1BC18E76A9DCFC557F8A09A3F9AFF04DC1DC42CE3B6DA5CB1B956CDB8DCB645F32CCE4AC45A2C8ED5B5BFB2DE1584E284E1C8A1D9C6F53055F263E346B4F

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\4A59.tmp

MD5 7b5b4ad12fc6806ef276c61f8b515889
SHA1 59c47437cf595e24227430e12cb50658ac4b1464
SHA256 dc854423056ba42ab3c94e89b1c50852728e69e0d46740e96a2c93ad8d46d971
SHA512 c4d05cf590cbffbcee49b8a5a22f9281b2926a93e369419dc36883e4ef2ea39f7e979fc713cff52b48ca6b25cebe0c24decffd4445b2851a05edb64a6fed2851

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:43

Reported

2024-01-25 17:46

Platform

win10v2004-20231215-en

Max time kernel

137s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_21310de8491318d13f60ab90a082e518_mafia.exe"

Signatures

Kinsing

loader kinsing

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A0D.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A0D.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_21310de8491318d13f60ab90a082e518_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_21310de8491318d13f60ab90a082e518_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\A0D.tmp

"C:\Users\Admin\AppData\Local\Temp\A0D.tmp" --pingC:\Users\Admin\AppData\Local\Temp\2024-01-25_21310de8491318d13f60ab90a082e518_mafia.exe FE77976F7E9C26A212107EB6CCED419257B9EF14EC432AD672EAB77B3AA99C22FF60DAF1C63D70AE0E3A4B8A7D9618C43D4DEB7EDB1DDAE10FF644D3E5A775CA

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\A0D.tmp

MD5 77f4e34bb51ce8e16e266811d93c18ee
SHA1 9045f193ef78acaf3afca3b3f9126af5b25e5149
SHA256 a5288edabb82085272468640f36ae766e69c58be2d1f9432bdf68e620ed957e6
SHA512 22fce5fa45b9d0c52ad09b31d76532d542314ee5ab820dd52c4ef0ef15d242abaf5c783313d97eeb97480f670584ac8c5ceff4c3f074d64ff398923b439fd2c0