kinsing | eca30714b87bd9011d86d9aa40d3f5886657d7de385db3483a321671e9eea05f

General

Target

75212d32ddf1685955ac36c06175a23c.exe
Size

3.6MB
MD5

75212d32ddf1685955ac36c06175a23c
SHA1

b2fee04a33c0ca2664100e2cd46c1a55c5fb788a
SHA256

eca30714b87bd9011d86d9aa40d3f5886657d7de385db3483a321671e9eea05f
SHA512

3a8d095abb1498b13084639804d03b94ecc14a5d283fe3298a5bf4e64b1b475cbc611cec60aaed099a43665be277c5ad4e096a8845ddd14d87cdaf53d1b58702
SSDEEP

49152:Q7/jkvCzRyOOlN3FXqDghbq4TTow+lsgVy1hySd/WF7kzIKAghbq4TTow+lsgp:QSCVyOO3FXvhTW81hynFoIAhTW5

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Deletes itself 1 IoCs

Processes:

75212d32ddf1685955ac36c06175a23c.exe

pid process

4796 75212d32ddf1685955ac36c06175a23c.exe
Executes dropped EXE 1 IoCs

Processes:

75212d32ddf1685955ac36c06175a23c.exe

pid process

4796 75212d32ddf1685955ac36c06175a23c.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

20 pastebin.com
21 pastebin.com

pid	process
4796	75212d32ddf1685955ac36c06175a23c.exe

pid	process
4796	75212d32ddf1685955ac36c06175a23c.exe

flow	ioc
20	pastebin.com
21	pastebin.com

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
808	2624	WerFault.exe	75212d32ddf1685955ac36c06175a23c.exe
4368	4796	WerFault.exe	75212d32ddf1685955ac36c06175a23c.exe
4840	4796	WerFault.exe	75212d32ddf1685955ac36c06175a23c.exe
4168	4796	WerFault.exe	75212d32ddf1685955ac36c06175a23c.exe
448	4796	WerFault.exe	75212d32ddf1685955ac36c06175a23c.exe
3104	4796	WerFault.exe	75212d32ddf1685955ac36c06175a23c.exe
2888	4796	WerFault.exe	75212d32ddf1685955ac36c06175a23c.exe
3440	4796	WerFault.exe	75212d32ddf1685955ac36c06175a23c.exe
4068	4796	WerFault.exe	75212d32ddf1685955ac36c06175a23c.exe
1176	4796	WerFault.exe	75212d32ddf1685955ac36c06175a23c.exe
4132	4796	WerFault.exe	75212d32ddf1685955ac36c06175a23c.exe
2292	4796	WerFault.exe	75212d32ddf1685955ac36c06175a23c.exe
1208	4796	WerFault.exe	75212d32ddf1685955ac36c06175a23c.exe
2592	4796	WerFault.exe	75212d32ddf1685955ac36c06175a23c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

75212d32ddf1685955ac36c06175a23c.exe

pid process

4796 75212d32ddf1685955ac36c06175a23c.exe
4796 75212d32ddf1685955ac36c06175a23c.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

75212d32ddf1685955ac36c06175a23c.exe

pid process

2624 75212d32ddf1685955ac36c06175a23c.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

75212d32ddf1685955ac36c06175a23c.exe

pid process

4796 75212d32ddf1685955ac36c06175a23c.exe

pid	process
4796	75212d32ddf1685955ac36c06175a23c.exe
4796	75212d32ddf1685955ac36c06175a23c.exe

pid	process
2624	75212d32ddf1685955ac36c06175a23c.exe

pid	process
4796	75212d32ddf1685955ac36c06175a23c.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

75212d32ddf1685955ac36c06175a23c.exe

description	pid	process	target process
PID 2624 wrote to memory of 4796	2624	75212d32ddf1685955ac36c06175a23c.exe	75212d32ddf1685955ac36c06175a23c.exe
PID 2624 wrote to memory of 4796	2624	75212d32ddf1685955ac36c06175a23c.exe	75212d32ddf1685955ac36c06175a23c.exe
PID 2624 wrote to memory of 4796	2624	75212d32ddf1685955ac36c06175a23c.exe	75212d32ddf1685955ac36c06175a23c.exe

C:\Users\Admin\AppData\Local\Temp\75212d32ddf1685955ac36c06175a23c.exe
"C:\Users\Admin\AppData\Local\Temp\75212d32ddf1685955ac36c06175a23c.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 344
2⤵
- Program crash
PID:808

C:\Users\Admin\AppData\Local\Temp\75212d32ddf1685955ac36c06175a23c.exe
C:\Users\Admin\AppData\Local\Temp\75212d32ddf1685955ac36c06175a23c.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 208
3⤵
- Program crash
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 628
3⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 628
3⤵
- Program crash
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 628
3⤵
- Program crash
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 728
3⤵
- Program crash
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 896
3⤵
- Program crash
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1408
3⤵
- Program crash
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1476
3⤵
- Program crash
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1652
3⤵
- Program crash
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1488
3⤵
- Program crash
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1764
3⤵
- Program crash
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1496
3⤵
- Program crash
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 632
3⤵
- Program crash
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2624 -ip 2624
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4796 -ip 4796
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4796 -ip 4796
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4796 -ip 4796
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4796 -ip 4796
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4796 -ip 4796
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4796 -ip 4796
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4796 -ip 4796
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4796 -ip 4796
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4796 -ip 4796
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4796 -ip 4796
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4796 -ip 4796
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4796 -ip 4796
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4796 -ip 4796
1⤵
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\75212d32ddf1685955ac36c06175a23c.exe

Filesize
3.6MB

MD5
12322cb7fa7b93c81cd9bab035e4223d

SHA1
7ca67feffb46532fae7965a3878dc0f4a13e7f85

SHA256
55f78c3a0f358744596e96f17d996dd9b81bba8d99dbcb8cff81f23083f40840

SHA512
c04b1d594c614bff366b3361899bb1ece7331ef8d46731eb99cd2d454e71b04ae2ce79cb4d778e3e4e2779775a60f09187a8714a12d80f5f3c1a69496ad58d86

Download Submit
memory/2624-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2624-1-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2624-7-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4796-8-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4796-9-0x0000000005080000-0x0000000005165000-memory.dmp

Filesize
916KB

Download
memory/4796-10-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4796-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4796-20-0x000000000B9D0000-0x000000000BA73000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing