Analysis

  • max time kernel
    92s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2024 17:44

General

  • Target

    2024-01-25_2db203ba8871d47fec9c4f8079dcb8b6_mafia.exe

  • Size

    433KB

  • MD5

    2db203ba8871d47fec9c4f8079dcb8b6

  • SHA1

    58d74c2abe004faf8f27644db3e34d5942c2c0ba

  • SHA256

    fd130e26ebeb994c6f23162a37f4f91ecec4bf7aacb726a424b9377bd62716f8

  • SHA512

    2ab1a64381d9afafcf33fc51cd366b3bd69c8860a0448d44092db76d3efaeec0d887b4f3763e0971d5a3b9dfe210ea59a5d4019e10d2216c7dd91a090192a6cd

  • SSDEEP

    6144:Cajdz4sTdDyyqiOXpOd0p6Jiv+vtvx0apoN9CmqPx/CW9h22rshFZx5Q0YloHiKy:Ci4g+yU+0pAiv+MOCW1shFz5RIrn

Score
10/10

Malware Config

Signatures

  • Kinsing

    Kinsing is a loader written in Golang.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-25_2db203ba8871d47fec9c4f8079dcb8b6_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-25_2db203ba8871d47fec9c4f8079dcb8b6_mafia.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Users\Admin\AppData\Local\Temp\4798.tmp
      "C:\Users\Admin\AppData\Local\Temp\4798.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-01-25_2db203ba8871d47fec9c4f8079dcb8b6_mafia.exe 1BA3765297B8E0C047DCBABDCB05DBE5B7CA4552837FA08B96FC3B597EDB6742647D880ED730A1E446D726C97F2620478AC9C696917F08F211CE5FFB89C3B1A6
      2⤵
      • Deletes itself
      • Executes dropped EXE
      PID:784

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4798.tmp

    Filesize

    260KB

    MD5

    48e9014ca8581ae159e96a694fd4e93e

    SHA1

    d38ec826197a67ba1e590f8372d913c8de4c000c

    SHA256

    fd0bb5d5436eac26de1b5962e00c07df06e56e8aab2ebfd1316e089398da9048

    SHA512

    d42c33bdfe930a15c9a71c4bf0a07e229b5c2ffb7d02100d2339ce1e51fafb96976c98e21539560261833cdecc2e62e6c45b8de5a0db873083f903e88955177a

  • C:\Users\Admin\AppData\Local\Temp\4798.tmp

    Filesize

    397KB

    MD5

    a1874aa449fe10dcd1cd3c49e3d8b871

    SHA1

    797b5fe1d615078800125024045b365844802fff

    SHA256

    892addec3a4593f72ea317fefa93390dc85509714df35afa5dad51199cda0b39

    SHA512

    ccc0fb34e8ad20ac163734d1912031a03dcd58a543baaf9ef0c829bc4102590b020615ea003e7f219e0fee86a3bb99657c0396842ab5cec091cde971498c8a2d