Analysis

  • max time kernel
    150s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2024 17:44

General

  • Target

    75200e77fbdd79b413d51974e55051f1.exe

  • Size

    10KB

  • MD5

    75200e77fbdd79b413d51974e55051f1

  • SHA1

    7286e784b8e3326a1a632466af3a7155772509c6

  • SHA256

    039cf530dca66ff431f96f937d88084af001b44ed504ca0458c699a42d89422b

  • SHA512

    04efdf17b8a454d27d6ad3147aacf04e8bc27b1f45bc7c789fb4650a13c2ac29b3cd8faded3122752a6e17106735c542523fbbb4ce902237567cbc1cd64aef42

  • SSDEEP

    192:DIysA/4ZJDPuuxDQNQ2spwlqZif/R/J9a+GGzDR3dD+l2+D2Dg+:DIysAwZJWNNvVqZkRjNDDxdD+lBD2s+

Malware Config

Signatures

  • Kinsing

    Kinsing is a loader written in Golang.

  • Modifies AppInit DLL entries 2 TTPs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\75200e77fbdd79b413d51974e55051f1.exe
    "C:\Users\Admin\AppData\Local\Temp\75200e77fbdd79b413d51974e55051f1.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Windows\SysWOW64\mpacklk.exe
      C:\Windows\system32\mpacklk.exe ˜‰
      2⤵
      • Executes dropped EXE
      PID:4856
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\75200e77fbdd79b413d51974e55051f1.exe.bat
      2⤵
        PID:2824

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\75200e77fbdd79b413d51974e55051f1.exe.bat

      Filesize

      182B

      MD5

      72553dd9a78803fb32a2bee2af797b0d

      SHA1

      598f05111b464b856e4c5e23a6fdacfe456f8d5e

      SHA256

      f687d0fdff9030790db398e737b1b94082c69243d039a19c8b6923a892a1ce38

      SHA512

      d8c3173aaa051a7393c2b200487dc46d26009056bffd9b5adc3937ddd834738b1f8e24c8ac88bddd37991b2b973e0f6eac2adf45483f4020f8b102d014cec43b

    • C:\Windows\SysWOW64\mpacklk.exe

      Filesize

      10KB

      MD5

      75200e77fbdd79b413d51974e55051f1

      SHA1

      7286e784b8e3326a1a632466af3a7155772509c6

      SHA256

      039cf530dca66ff431f96f937d88084af001b44ed504ca0458c699a42d89422b

      SHA512

      04efdf17b8a454d27d6ad3147aacf04e8bc27b1f45bc7c789fb4650a13c2ac29b3cd8faded3122752a6e17106735c542523fbbb4ce902237567cbc1cd64aef42

    • memory/4856-10-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

    • memory/4892-0-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

    • memory/4892-8-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB