Malware Analysis Report

2024-10-19 08:26

Sample ID 240125-wbg76scaa2
Target 7520300cb3727b7a4a3576dcf611d52b
SHA256 6cc955a94103a3a92f1ca35a717a24edf2e08d0b6a6352f63e45aa786d8990b1
Tags upx kinsing loader
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 6cc955a94103a3a92f1ca35a717a24edf2e08d0b6a6352f63e45aa786d8990b1

Threat Level: Known bad

The file 7520300cb3727b7a4a3576dcf611d52b was found to be: Known bad.

Malicious Activity Summary

upx kinsing loader

Kinsing

Loads dropped DLL

Deletes itself

Executes dropped EXE

UPX packed file

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-01-25 17:44

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-25 17:44
Reported 2024-01-25 17:47
Platform win7-20231215-en
Max time kernel 122s
Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe

"C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe"

C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe

C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

memory/2440-0-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/2440-1-0x0000000000400000-0x0000000000622000-memory.dmp

memory/2440-2-0x00000000002B0000-0x00000000003E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe

MD5 4f31b22190811d4d5d991cdf29927b24
SHA1 c93763a4bcdff3c888aa853a168a3feb2217e6e2
SHA256 66601277efc850107a02b008ec323937f1c4803f6b8f706e2aedb6cc222e923a
SHA512 8f00bfde67083be02e3b7dfc2993369d7170733bd590879f1a485678283c4544f828ccf5cc35d7dd9002aa1cafa207457b27af548374fa5e179b010cc05fb44a

memory/2440-14-0x0000000000400000-0x0000000000622000-memory.dmp

memory/1404-16-0x0000000000400000-0x00000000008E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe

MD5 5ad790da2c4680cb41fdf477fbf80abc
SHA1 753f7a3f0c1560b602c9dae2fbb50db2a6cde705
SHA256 a874b07129433188f03067da64fed62bdf2c0afe7c62ec7192c2a5257a1b04eb
SHA512 0ef53e96f78e0b07c8828391cc55091b64af69be32487613947943d0130ca6ecba5ab7b00672e9bd4e928dcfdedf2eb12d8a5ef0c0e5a98c9ff9486e1288ae97

memory/2440-13-0x0000000003380000-0x0000000003867000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe

MD5 4cc68117fd479c8cb3d12f2bc95a6da0
SHA1 e308bc0934185f4fb9fdd69fbd78684ec72c98b4
SHA256 fc017d1038b9b61a3681c54f7615d62d960e8ffc04640c58c8cabc44ea121f82
SHA512 06396c35e6f1023060539c5c0cb503f19481cb6b58ff58b45591cf92ae783e9f0fabc8ae7ff74db5ef6370729d8ee697b1c22bbee1050289c5d5134d38dfcb14

memory/1404-17-0x0000000000400000-0x0000000000622000-memory.dmp

memory/1404-18-0x0000000000230000-0x0000000000361000-memory.dmp

memory/1404-23-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1404-24-0x0000000003630000-0x0000000003852000-memory.dmp

memory/2440-31-0x0000000003380000-0x0000000003867000-memory.dmp

memory/1404-32-0x0000000000400000-0x00000000008E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-01-25 17:44
Reported 2024-01-25 17:47
Platform win10v2004-20231222-en
Max time kernel 149s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe"

Signatures

Kinsing

loader kinsing

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe

"C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe"

C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe

C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

memory/1448-1-0x0000000001CF0000-0x0000000001E21000-memory.dmp

memory/1448-0-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/1448-2-0x0000000000400000-0x0000000000622000-memory.dmp

memory/1448-12-0x0000000000400000-0x0000000000622000-memory.dmp

memory/3208-15-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/3208-14-0x0000000000400000-0x0000000000622000-memory.dmp

memory/3208-13-0x00000000018F0000-0x0000000001A21000-memory.dmp

memory/3208-21-0x0000000005560000-0x0000000005782000-memory.dmp

memory/3208-20-0x0000000000400000-0x0000000000616000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7520300cb3727b7a4a3576dcf611d52b.exe

MD5 d56afb40c92f1529be0d481ff807f4cd
SHA1 cd9a39eb2a68006731f5d452e8e2118053cc7e51
SHA256 c5c4c84195d2f6386165347aa698b720f832f8dd9d0db390040e7848c18f4e15
SHA512 ab78d6fe59999b292d490a89a4974d718277a5727ce2a99cea3532655a0195cd953c30f0fe6429ccc3f226cf21b777dcd89c2ee481a8d5172f6e6fdb496be92d

memory/3208-28-0x0000000000400000-0x00000000008E7000-memory.dmp