Analysis Overview
SHA256
abfcaae1e6f7b625f4688110bf96be20f1d09817dc3cfb489bbba117705c229b
Threat Level: Known bad
The file 751fc385dcf3ad8c41c8d00215440661 was found to be: Known bad.
Malicious Activity Summary
Kinsing
Executes dropped EXE
Loads dropped DLL
UPX packed file
Deletes itself
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-25 17:43
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 17:43
Reported
2024-01-25 17:46
Platform
win7-20231215-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Omewefx\ytpiwuh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\751fc385dcf3ad8c41c8d00215440661.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\751fc385dcf3ad8c41c8d00215440661.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\{44DC88C8-9F79-5318-49DF-3CA026CD9040} = "C:\\Users\\Admin\\AppData\\Roaming\\Omewefx\\ytpiwuh.exe" | C:\Users\Admin\AppData\Roaming\Omewefx\ytpiwuh.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1700 set thread context of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\751fc385dcf3ad8c41c8d00215440661.exe | C:\Windows\SysWOW64\cmd.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Privacy | C:\Users\Admin\AppData\Local\Temp\751fc385dcf3ad8c41c8d00215440661.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | C:\Users\Admin\AppData\Local\Temp\751fc385dcf3ad8c41c8d00215440661.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\370E14CE-00000001.eml:OECustomProperty | C:\Program Files\Windows Mail\WinMail.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\751fc385dcf3ad8c41c8d00215440661.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\751fc385dcf3ad8c41c8d00215440661.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\751fc385dcf3ad8c41c8d00215440661.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\751fc385dcf3ad8c41c8d00215440661.exe
"C:\Users\Admin\AppData\Local\Temp\751fc385dcf3ad8c41c8d00215440661.exe"
C:\Users\Admin\AppData\Roaming\Omewefx\ytpiwuh.exe
"C:\Users\Admin\AppData\Roaming\Omewefx\ytpiwuh.exe"
C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfe68d2f1.bat"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.83:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | ebayweekdeal4.com | udp |
Files
\Users\Admin\AppData\Roaming\Omewefx\ytpiwuh.exe
| MD5 | 1a22d08fb4e622f82bbe45f3c1b1eb2b |
| SHA1 | c6190c0d7409650d4c28dcd411b5b5bbca278f13 |
| SHA256 | 088466cc22a067bed625d012e88d0abfb4ab55da67f1c2928f4fd53018c56e88 |
| SHA512 | c25f10d69944ae9891c16360e8fc2fea1fb5f85076b370f178796537f01fb39c91a8012f5f75d10f98448c628c619aab49baba9a2527a439430a9f7761183e6e |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log
| MD5 | 21ed508ffac6c559b590e0fadaa7b446 |
| SHA1 | 0adfd57e5219a969eef415c7a423257b86c4cb7e |
| SHA256 | 026def5ec46acb55ddfeca12e3c80e89bf58441791892abbc967e3a6616fb7cb |
| SHA512 | 720f831b7c1de506048aa9f8c4aef8c418f36ded0c6974820116dfa480ce8aaeeeb5059775d63d8b3833150fa96b11682efd2637771faf21639f7a7b7f13577d |
C:\Users\Admin\AppData\Roaming\Eks\piyhze.mac
| MD5 | f93cbab54a0b827ed948744bdc0dffde |
| SHA1 | bcdd643aceee1c23ec34b66c7dbe4e9183f5971d |
| SHA256 | 69c340296247b38e1bcaf987190d60eb1a727a0f17c7abd3b13d6756018216f5 |
| SHA512 | f03446de6599e6994d91d67382cc0332f63b9fb2ce44cdc6fb22752efe02c690a6ad5dae945f6bf7c4a1dd14f033c2d093f3e0188c97990bba31e254abe9bf41 |
C:\Users\Admin\AppData\Local\Temp\tmpfe68d2f1.bat
| MD5 | e458233b9430c8eae7d7e296bc014361 |
| SHA1 | a5751d5114d15a6c0eff86678821d292a1479d47 |
| SHA256 | 5cb9956293529bd37e28c7d4d56b3a79e3fc4663a5aa1a8ae56883feddedc1ac |
| SHA512 | 810616082e7a9773cddaccf081d9d348ae13844c298ee2b50b2d7a8d0025864c3dfa773ae776628c3a1c8d7ffb276139aa1a61b92c6b8755b253b01a315fa6c8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 17:43
Reported
2024-01-25 17:46
Platform
win10v2004-20231215-en
Max time kernel
90s
Max time network
92s
Command Line
Signatures
Kinsing
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\751fc385dcf3ad8c41c8d00215440661.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\751fc385dcf3ad8c41c8d00215440661.exe
"C:\Users\Admin\AppData\Local\Temp\751fc385dcf3ad8c41c8d00215440661.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5056 -ip 5056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 336
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files