Malware Analysis Report

2024-10-23 21:10

Sample ID 240125-waeqnabhg5
Target 751f6956aee4614af075462893db4b3c
SHA256 057150f7726a767b9e8e52b4f86f86b77fbcbfe90b379a86656b51a278072c42
Tags
upx persistence kinsing loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

057150f7726a767b9e8e52b4f86f86b77fbcbfe90b379a86656b51a278072c42

Threat Level: Known bad

The file 751f6956aee4614af075462893db4b3c was found to be: Known bad.

Malicious Activity Summary

upx persistence kinsing loader

Kinsing

UPX packed file

Adds Run key to start application

Unsigned PE

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:42

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
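Both static1 verdicts above come straight from the PE headers: "UPX packed file" from the packer's section names and marker, "Unsigned PE" from an empty Certificate Table data directory. The sample itself is not on this page, so the following added example (my code, not the sandbox's) builds a constructed PE32 header skeleton with Python's struct module and runs the same two checks over it; the builder, the parser and the section/directory values are assumptions for illustration.

```python
import struct

# Layout from the PE/COFF spec: a PE32 optional header keeps NumberOfRvaAndSizes
# at +92 and the data directories at +96 (PE32+: +108/+112); the Certificate
# Table that holds an Authenticode signature is directory entry 4.
CERT_DIR_INDEX = 4


def build_sample_pe(section_names, cert_size=0):
    """Constructed sample: a minimal PE32 header skeleton (not loadable), just enough
    to carry a section table and a Certificate Table entry for the checks below."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew -> PE signature at 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                    # PE32: 96 bytes + 16 dirs * 8
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + CERT_DIR_INDEX * 8, 0x1000 if cert_size else 0, cert_size)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0xE0000060)
        for i, n in enumerate(section_names)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    pe32plus = struct.unpack_from("<H", data, opt_off)[0] == 0x20B
    nrva = struct.unpack_from("<I", data, opt_off + (108 if pe32plus else 92))[0]
    dd_off = opt_off + (112 if pe32plus else 96)
    cert_rva = cert_size = 0
    if nrva > CERT_DIR_INDEX:
        cert_rva, cert_size = struct.unpack_from("<II", data, dd_off + CERT_DIR_INDEX * 8)
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, raw, *_ = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "raw_size": rsize, "raw_ptr": raw})
    return {"machine": machine, "pe32plus": pe32plus, "cert_rva": cert_rva,
            "cert_size": cert_size, "sections": sections}


def static_signatures(data):
    """Reproduce the two static1 verdicts: 'UPX packed file' and 'Unsigned PE'."""
    pe = parse_pe(data)
    hits = []
    names = [s["name"] for s in pe["sections"]]
    # Stock UPX names its sections UPX0/UPX1 and leaves a "UPX!" marker; a modified
    # packer renames both trivially, so a miss here proves nothing.
    if any(n.startswith("UPX") for n in names) or b"UPX!" in data:
        hits.append("UPX packed file")
    # An empty Certificate Table means no Authenticode signature at all. A non-empty
    # one only means a signature blob is present; validity still needs a chain check.
    if pe["cert_size"] == 0:
        hits.append("Unsigned PE")
    return hits


if __name__ == "__main__":
    packed = build_sample_pe(["UPX0", "UPX1", ".rsrc"])
    print([s["name"] for s in parse_pe(packed)["sections"]], static_signatures(packed))
```

On a real file run `static_signatures(open(path, "rb").read())`; the parser deliberately reads only the header fields the two checks need, so it will not catch a packer that keeps ordinary section names, and a non-zero Certificate Table only says a signature blob exists, not that it verifies.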

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:42

Reported

2024-01-25 17:45

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\751f6956aee4614af075462893db4b3c.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\d6d4dfd8cec3cf95dec3de = "C:\\Users\\Admin\\cuxt.exe" C:\Users\Admin\AppData\Local\Temp\751f6956aee4614af075462893db4b3c.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\751f6956aee4614af075462893db4b3c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\751f6956aee4614af075462893db4b3c.exe

"C:\Users\Admin\AppData\Local\Temp\751f6956aee4614af075462893db4b3c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 app2.winsoft1.com udp
US 8.8.8.8:53 app2.winsoft2.com udp
US 8.8.8.8:53 app2.winsoft3.com udp
US 8.8.8.8:53 app2.winsoft4.com udp
US 8.8.8.8:53 app2.winsoft5.com udp
US 8.8.8.8:53 app2.winsoft6.com udp
US 8.8.8.8:53 app2.winsoft7.com udp
US 8.8.8.8:53 app2.winsoft8.com udp
US 8.8.8.8:53 app2.winsoft9.com udp
US 8.8.8.8:53 app2.winsoft10.com udp
US 8.8.8.8:53 app2.winsoft11.com udp
US 8.8.8.8:53 app2.winsoft12.com udp
US 8.8.8.8:53 app2.winsoft13.com udp
US 8.8.8.8:53 app2.winsoft14.com udp
US 8.8.8.8:53 app2.winsoft15.com udp
US 8.8.8.8:53 app2.winsoft16.com udp
US 8.8.8.8:53 app2.winsoft17.com udp
US 8.8.8.8:53 app2.winsoft18.com udp
US 8.8.8.8:53 app2.winsoft19.com udp
US 8.8.8.8:53 app2.winsoft20.com udp
US 8.8.8.8:53 app2.winsoft21.com udp
US 8.8.8.8:53 app2.winsoft22.com udp
US 8.8.8.8:53 app2.winsoft23.com udp
US 8.8.8.8:53 app2.winsoft24.com udp
US 8.8.8.8:53 app2.winsoft25.com udp
US 8.8.8.8:53 app2.winsoft26.com udp
US 8.8.8.8:53 app2.winsoft27.com udp
US 8.8.8.8:53 app2.winsoft28.com udp
US 8.8.8.8:53 app2.winsoft29.com udp
US 8.8.8.8:53 app2.winsoft30.com udp
US 8.8.8.8:53 app2.winsoft31.com udp
US 8.8.8.8:53 app2.winsoft32.com udp
US 8.8.8.8:53 app2.winsoft33.com udp
US 8.8.8.8:53 app2.winsoft34.com udp
US 8.8.8.8:53 app2.winsoft35.com udp
US 8.8.8.8:53 app2.winsoft36.com udp
US 8.8.8.8:53 app2.winsoft37.com udp
US 8.8.8.8:53 app2.winsoft38.com udp
US 8.8.8.8:53 app2.winsoft39.com udp
US 8.8.8.8:53 app2.winsoft40.com udp
US 8.8.8.8:53 app2.winsoft41.com udp
US 8.8.8.8:53 app2.winsoft42.com udp
US 8.8.8.8:53 app2.winsoft43.com udp
US 8.8.8.8:53 app2.winsoft44.com udp
US 8.8.8.8:53 app2.winsoft45.com udp
US 8.8.8.8:53 app2.winsoft46.com udp
US 8.8.8.8:53 app2.winsoft47.com udp
US 8.8.8.8:53 app2.winsoft48.com udp
US 8.8.8.8:53 app2.winsoft49.com udp
US 8.8.8.8:53 app2.winsoft50.com udp
US 8.8.8.8:53 app2.winsoft51.com udp
US 8.8.8.8:53 app2.winsoft52.com udp
US 8.8.8.8:53 app2.winsoft53.com udp
US 8.8.8.8:53 app2.winsoft54.com udp
US 8.8.8.8:53 app2.winsoft55.com udp
US 8.8.8.8:53 app2.winsoft56.com udp
US 8.8.8.8:53 app2.winsoft57.com udp
US 8.8.8.8:53 app2.winsoft58.com udp
US 8.8.8.8:53 app2.winsoft59.com udp
US 8.8.8.8:53 app2.winsoft60.com udp
US 8.8.8.8:53 app2.winsoft61.com udp
US 8.8.8.8:53 app2.winsoft62.com udp
US 8.8.8.8:53 app2.winsoft63.com udp
US 8.8.8.8:53 app2.winsoft64.com udp
US 8.8.8.8:53 app2.winsoft65.com udp
US 8.8.8.8:53 app2.winsoft66.com udp
US 8.8.8.8:53 app2.winsoft67.com udp
US 8.8.8.8:53 app2.winsoft68.com udp
US 8.8.8.8:53 app2.winsoft69.com udp
US 8.8.8.8:53 app2.winsoft70.com udp
US 8.8.8.8:53 app2.winsoft71.com udp
US 8.8.8.8:53 app2.winsoft72.com udp
US 8.8.8.8:53 app2.winsoft73.com udp
US 8.8.8.8:53 app2.winsoft74.com udp
US 8.8.8.8:53 app2.winsoft75.com udp
US 8.8.8.8:53 app2.winsoft76.com udp
US 8.8.8.8:53 app2.winsoft77.com udp
US 8.8.8.8:53 app2.winsoft78.com udp
US 8.8.8.8:53 app2.winsoft79.com udp
US 8.8.8.8:53 app2.winsoft80.com udp
US 8.8.8.8:53 app2.winsoft81.com udp
US 8.8.8.8:53 app2.winsoft82.com udp
US 8.8.8.8:53 app2.winsoft83.com udp
US 8.8.8.8:53 app2.winsoft84.com udp
US 8.8.8.8:53 app2.winsoft85.com udp
US 8.8.8.8:53 app2.winsoft86.com udp
US 8.8.8.8:53 app2.winsoft87.com udp
US 8.8.8.8:53 app2.winsoft88.com udp
US 8.8.8.8:53 app2.winsoft89.com udp
US 8.8.8.8:53 app2.winsoft90.com udp
US 8.8.8.8:53 app2.winsoft91.com udp
US 8.8.8.8:53 app2.winsoft92.com udp
US 8.8.8.8:53 app2.winsoft93.com udp
US 8.8.8.8:53 app2.winsoft94.com udp
US 8.8.8.8:53 app2.winsoft95.com udp
US 8.8.8.8:53 app2.winsoft96.com udp
US 8.8.8.8:53 app2.winsoft97.com udp
US 8.8.8.8:53 app2.winsoft98.com udp
US 8.8.8.8:53 app2.winsoft99.com udp
US 8.8.8.8:53 app2.winsoft100.com udp
US 8.8.8.8:53 app2.winsoft0.com udp
US 8.8.8.8:53 p2.winsoft3.com udp

Files

memory/2896-0-0x0000000002400000-0x0000000002487000-memory.dmp

memory/2896-1-0x0000000002400000-0x0000000002487000-memory.dmp

memory/2896-6-0x0000000002400000-0x0000000002487000-memory.dmp

memory/2896-7-0x0000000002400000-0x0000000002487000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:42

Reported

2024-01-25 17:45

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\751f6956aee4614af075462893db4b3c.exe"

Signatures

Kinsing

loader kinsing

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\07050e091f121e440f120f = "C:\\Users\\Admin\\cuxt.exe" C:\Users\Admin\AppData\Local\Temp\751f6956aee4614af075462893db4b3c.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\751f6956aee4614af075462893db4b3c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\751f6956aee4614af075462893db4b3c.exe

"C:\Users\Admin\AppData\Local\Temp\751f6956aee4614af075462893db4b3c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 app2.winsoft1.com udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 app2.winsoft2.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 app2.winsoft3.com udp
US 8.8.8.8:53 app2.winsoft4.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 app2.winsoft5.com udp
US 8.8.8.8:53 app2.winsoft6.com udp
US 8.8.8.8:53 app2.winsoft7.com udp
US 8.8.8.8:53 app2.winsoft8.com udp
US 8.8.8.8:53 app2.winsoft9.com udp
US 8.8.8.8:53 app2.winsoft10.com udp
US 8.8.8.8:53 app2.winsoft11.com udp
US 8.8.8.8:53 app2.winsoft12.com udp
US 8.8.8.8:53 app2.winsoft13.com udp
US 8.8.8.8:53 app2.winsoft14.com udp
US 8.8.8.8:53 app2.winsoft15.com udp
US 8.8.8.8:53 app2.winsoft16.com udp
US 8.8.8.8:53 app2.winsoft17.com udp
US 8.8.8.8:53 app2.winsoft18.com udp
US 8.8.8.8:53 app2.winsoft19.com udp
US 8.8.8.8:53 app2.winsoft20.com udp
US 8.8.8.8:53 app2.winsoft21.com udp
US 8.8.8.8:53 app2.winsoft22.com udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 app2.winsoft23.com udp
US 8.8.8.8:53 app2.winsoft24.com udp
US 8.8.8.8:53 app2.winsoft25.com udp
US 8.8.8.8:53 app2.winsoft26.com udp
US 8.8.8.8:53 app2.winsoft27.com udp
US 8.8.8.8:53 app2.winsoft28.com udp
US 8.8.8.8:53 app2.winsoft29.com udp
US 8.8.8.8:53 app2.winsoft30.com udp
US 8.8.8.8:53 app2.winsoft31.com udp
US 8.8.8.8:53 app2.winsoft32.com udp
US 8.8.8.8:53 app2.winsoft33.com udp
US 8.8.8.8:53 app2.winsoft34.com udp
US 8.8.8.8:53 app2.winsoft35.com udp
US 8.8.8.8:53 app2.winsoft36.com udp
US 8.8.8.8:53 app2.winsoft37.com udp
US 8.8.8.8:53 app2.winsoft38.com udp
US 8.8.8.8:53 app2.winsoft39.com udp
US 8.8.8.8:53 app2.winsoft40.com udp
US 8.8.8.8:53 app2.winsoft41.com udp
US 8.8.8.8:53 app2.winsoft42.com udp
US 8.8.8.8:53 app2.winsoft43.com udp
US 8.8.8.8:53 app2.winsoft44.com udp
US 8.8.8.8:53 app2.winsoft45.com udp
US 8.8.8.8:53 app2.winsoft46.com udp
US 8.8.8.8:53 app2.winsoft47.com udp
US 8.8.8.8:53 app2.winsoft48.com udp
US 8.8.8.8:53 app2.winsoft49.com udp
US 8.8.8.8:53 app2.winsoft50.com udp
US 8.8.8.8:53 app2.winsoft51.com udp
US 8.8.8.8:53 app2.winsoft52.com udp
US 8.8.8.8:53 app2.winsoft53.com udp
US 8.8.8.8:53 app2.winsoft54.com udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 app2.winsoft55.com udp
US 8.8.8.8:53 app2.winsoft56.com udp
US 8.8.8.8:53 app2.winsoft57.com udp
US 8.8.8.8:53 app2.winsoft58.com udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 app2.winsoft59.com udp
US 8.8.8.8:53 app2.winsoft60.com udp
US 8.8.8.8:53 app2.winsoft61.com udp
US 8.8.8.8:53 app2.winsoft62.com udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 app2.winsoft63.com udp
US 8.8.8.8:53 app2.winsoft64.com udp
US 8.8.8.8:53 app2.winsoft65.com udp
US 8.8.8.8:53 app2.winsoft66.com udp
US 8.8.8.8:53 app2.winsoft67.com udp
US 8.8.8.8:53 app2.winsoft68.com udp
US 8.8.8.8:53 app2.winsoft69.com udp
US 8.8.8.8:53 app2.winsoft70.com udp
US 8.8.8.8:53 app2.winsoft71.com udp
US 8.8.8.8:53 app2.winsoft72.com udp
US 8.8.8.8:53 app2.winsoft73.com udp
US 8.8.8.8:53 app2.winsoft74.com udp
US 8.8.8.8:53 app2.winsoft75.com udp
US 8.8.8.8:53 app2.winsoft76.com udp
US 8.8.8.8:53 app2.winsoft77.com udp
US 8.8.8.8:53 app2.winsoft78.com udp
US 8.8.8.8:53 app2.winsoft79.com udp
US 8.8.8.8:53 app2.winsoft80.com udp
US 8.8.8.8:53 app2.winsoft81.com udp
US 8.8.8.8:53 app2.winsoft82.com udp
US 8.8.8.8:53 app2.winsoft83.com udp
US 8.8.8.8:53 app2.winsoft84.com udp
US 8.8.8.8:53 app2.winsoft85.com udp
US 8.8.8.8:53 app2.winsoft86.com udp
US 8.8.8.8:53 app2.winsoft87.com udp
US 8.8.8.8:53 app2.winsoft88.com udp
US 8.8.8.8:53 app2.winsoft89.com udp
US 8.8.8.8:53 app2.winsoft90.com udp
US 8.8.8.8:53 app2.winsoft91.com udp
US 8.8.8.8:53 app2.winsoft92.com udp
US 8.8.8.8:53 app2.winsoft93.com udp
US 8.8.8.8:53 app2.winsoft94.com udp
US 8.8.8.8:53 app2.winsoft95.com udp
US 8.8.8.8:53 app2.winsoft96.com udp
US 8.8.8.8:53 app2.winsoft97.com udp
US 8.8.8.8:53 app2.winsoft98.com udp
US 8.8.8.8:53 app2.winsoft99.com udp
US 8.8.8.8:53 app2.winsoft100.com udp
US 8.8.8.8:53 app2.winsoft0.com udp
US 8.8.8.8:53 app2.winsoft1.com udp
US 8.8.8.8:53 app2.winsoft2.com udp
US 8.8.8.8:53 app2.winsoft3.com udp
US 8.8.8.8:53 p2.winsoft3.com udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

memory/3000-0-0x0000000002400000-0x0000000002487000-memory.dmp

memory/3000-1-0x0000000002400000-0x0000000002487000-memory.dmp

memory/3000-6-0x0000000002400000-0x0000000002487000-memory.dmp
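Two things in the behavioral runs are worth pulling out of the flattened tables rather than reading by eye: the resolver traffic walks app2.winsoft0.com through app2.winsoft100.com (plus p2.winsoft3.com) in both runs, and the Run key value name differs between runs (d6d4dfd8cec3cf95dec3de on win7, 07050e091f121e440f120f on win10) while the autorun target, C:\Users\Admin\cuxt.exe, stays the same. The added example below (my code, not sandbox output) parses rows copied from the report's Network table and "Adds Run key" signature rows, groups the numbered hostnames into a template, separates reverse lookups and the one direct connection, and lists why the autorun entry matters. The row subset and the scoring reasons are my own; whether the numbered domains come from a DGA or a hard-coded fallback list cannot be told from the report.

```python
"""Added triage helpers: turn the report's flattened Network rows and "Adds Run key"
indicator rows into reviewable IOCs (not part of the sandbox output)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the behavioral2 Network rows, copied from the report.
NETWORK_ROWS = """\
US 8.8.8.8:53 app2.winsoft1.com udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 app2.winsoft2.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 app2.winsoft100.com udp
US 8.8.8.8:53 app2.winsoft0.com udp
US 8.8.8.8:53 p2.winsoft3.com udp
"""
# The "Adds Run key" indicator rows from behavioral1 and behavioral2, copied from the report.
RUN_KEY_ROWS = [
    r"Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\d6d4dfd8cec3cf95dec3de = "
    r'"C:\\Users\\Admin\\cuxt.exe" C:\Users\Admin\AppData\Local\Temp\751f6956aee4614af075462893db4b3c.exe N/A',
    r"Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\07050e091f121e440f120f = "
    r'"C:\\Users\\Admin\\cuxt.exe" C:\Users\Admin\AppData\Local\Temp\751f6956aee4614af075462893db4b3c.exe N/A',
]

# app2.winsoft17.com -> stem "app2.winsoft", n=17, tld "com"
NUMBERED_HOST = re.compile(r"^(?P<stem>[a-z0-9.-]*?[a-z])(?P<n>\d+)\.(?P<tld>[a-z]+)$")
RUN_KEY = re.compile(
    r"^Set value \(str\) \\REGISTRY\\USER\\(?P<sid>S-1-5-[\d-]+)\\(?P<path>.+?)\\"
    r'(?P<name>[^\\ ]+) = "(?P<data>[^"]*)" (?P<process>\S+) (?P<target>\S+)$')
USER_ROOT_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)


def parse_network(text):
    """Parse 'Country Destination [Domain] Proto' rows; direct connections have no Domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # header or blank line
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def summarize_lookups(rows):
    """Collapse numbered hostnames into templates; split out PTR lookups and direct connects."""
    templates = defaultdict(set)
    other_hosts, reverse, direct = [], [], []
    for r in rows:
        d = r["domain"]
        if d is None:
            direct.append((r["ip"], r["port"], r["proto"]))
        elif d.endswith(".in-addr.arpa"):
            reverse.append(d)
        elif (m := NUMBERED_HOST.match(d)):
            templates[f"{m['stem']}{{N}}.{m['tld']}"].add(int(m["n"]))
        else:
            other_hosts.append(d)
    return {"templates": {k: sorted(v) for k, v in templates.items()},
            "other_hosts": other_hosts, "reverse_lookups": reverse, "direct_connections": direct}


def parse_run_key(row):
    """Split a 'Set value (str)' row into SID, key path, value name, data and writing process."""
    m = RUN_KEY.match(row)
    if not m:
        raise ValueError("not a Run-key 'Set value (str)' row")
    entry = m.groupdict()
    entry["data"] = entry["data"].replace("\\\\", "\\")  # the report doubles backslashes in value data
    return entry


def run_key_findings(entry):
    """Reasons this autorun entry deserves attention, each derived from the row's own fields."""
    reasons = []
    if entry["path"].lower().endswith(r"\microsoft\windows\currentversion\run"):
        reasons.append("per-user Run key under HKU\\<SID>, no elevation needed")
    if USER_ROOT_EXE.match(entry["data"]):
        reasons.append("autorun target is an .exe dropped directly in the user profile root")
    if TEMP_DIR.search(entry["process"]):
        reasons.append("written by a process running from AppData\\Local\\Temp")
    if re.fullmatch(r"[0-9a-f]{16,}", entry["name"]):
        reasons.append("value name is a long hex string that differs between runs")
    return reasons


if __name__ == "__main__":
    summary = summarize_lookups(parse_network(NETWORK_ROWS))
    for tmpl, nums in summary["templates"].items():
        print(f"{tmpl}: {len(nums)} lookups, N from {min(nums)} to {max(nums)}")
    print("direct connections:", summary["direct_connections"])
    for entry in map(parse_run_key, RUN_KEY_ROWS):
        print(f"Run\\{entry['name']} = {entry['data']}", run_key_findings(entry))
```

Paste the full Network table from either run into NETWORK_ROWS to get the complete 0..100 range; for hunting, the stable artifacts are the drop path C:\Users\Admin\cuxt.exe and the app2.winsoft{N}.com template, not the per-run value name, and the in-addr.arpa lookups are the sandbox host resolving its own connections rather than sample behaviour.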