Analysis

  • max time kernel
    120s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2024 17:47

General

  • Target
    752142f0f208d06c7e69ea8f8477d935.exe
  • Size
    12KB
  • MD5
    752142f0f208d06c7e69ea8f8477d935
  • SHA1
    9ea7b731ffa01945fe075cdc65c0af2114254e90
  • SHA256
    1f84244da87662b6d41a06813eb61555be431a309fc5c8c84ee73e6ed91bfe44
  • SHA512
    9a1e513b5bc94337e6217bc7bf039291ae689a74fdc2afd2d7cbd8e3b6af91f76a800c3d90a8cc14d398f9a28c4729631f2423c533b9fe9403e375f1de455ec9
  • SSDEEP
    384:1KmdoHf3Rep0AAGXAvj2T8dZsrSSQmf0A:Um2/NeXx8UrShm8A

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Kinsing

    Kinsing is a loader written in Golang.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\752142f0f208d06c7e69ea8f8477d935.exe
    "C:\Users\Admin\AppData\Local\Temp\752142f0f208d06c7e69ea8f8477d935.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\BBBE.tmp.bat
      2⤵
        PID:4852

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\BBBE.tmp.bat
      Filesize
      179B
      MD5
      74571ded4f3d3243fddc14e570b670ef
      SHA1
      23e85f4f0aa7a8020a95eaa2f157742db1d7ea51
      SHA256
      225d5bc73c5b3c8539ce0950299278f57177dfd98e9292b025b5b69a2287ca31
      SHA512
      d18eb7b9d0a778272dbcfe159093362a397bfcb046ca3571cd8e66d9a3fa422a4e282d70cd83c51997fab7f6dc45bbcf9b7f3f12013ebc474d208fb36042b574

    • C:\Windows\SysWOW64\fsusdtd.tmp
      Filesize
      592KB
      MD5
      19e4442e12bdab054984248e6af60ba5
      SHA1
      ffc841bbefddd175495959e619363f32bf195639
      SHA256
      50a168082acb19cbde7800ee10b829b9668eef2c97b1d494edf31909c150eb17
      SHA512
      4cdcd1755b5da0190a4562cb35410474a41d0f760ddeef2770b1ae7c06b4cfa0d22bcd84f27d436dde98fa5a7a36c52a5447cb9f5b21b35f2199cb4d04381ab8

    • memory/4068-13-0x0000000020000000-0x0000000020008000-memory.dmp
      Filesize
      32KB

    • memory/4068-17-0x0000000020000000-0x0000000020008000-memory.dmp
      Filesize
      32KB