kinsing | e6bd419ac8863f37c0b92430c8b94b1d413b5809699683463917f3f8cd8faecc

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

752136ab66c661a356a7dfe583a4e093.exe
Size

1.2MB
MD5

752136ab66c661a356a7dfe583a4e093
SHA1

9192374b0469ac82ec245b447fbd3606e162ffc9
SHA256

e6bd419ac8863f37c0b92430c8b94b1d413b5809699683463917f3f8cd8faecc
SHA512

a9629d4edea2259440743eb16d9654ccf885621ad032a59f2634c58cbbc5b68af2c33f04ed01ac88c09e7aac8894f60d919870bc71b3a9fa4bcb9d90010e7bd8
SSDEEP

24576:aGGn++MsJsATY9wouMGSkK2gp+R0JF2g6sI7kDJFcRgzGV0I6qWHpZzdaulDut:aj/MysATHpSkOziQ8B03qWJZzdVlDu

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

752136ab66c661a356a7dfe583a4e093.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	752136ab66c661a356a7dfe583a4e093.exe

Executes dropped EXE 2 IoCs

Processes:

casino.exeblocker.exe

pid process

6132 casino.exe
4388 blocker.exe
Loads dropped DLL 4 IoCs

Processes:

752136ab66c661a356a7dfe583a4e093.execasino.exe

pid process

6016 752136ab66c661a356a7dfe583a4e093.exe
6132 casino.exe
6132 casino.exe
6132 casino.exe

pid	process
6132	casino.exe
4388	blocker.exe

pid	process
6016	752136ab66c661a356a7dfe583a4e093.exe
6132	casino.exe
6132	casino.exe
6132	casino.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

752136ab66c661a356a7dfe583a4e093.exe

description	ioc	process
File opened (read-only)	\??\B:	752136ab66c661a356a7dfe583a4e093.exe
File opened (read-only)	\??\A:	752136ab66c661a356a7dfe583a4e093.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

752136ab66c661a356a7dfe583a4e093.exe

description	pid	process	target process
PID 6016 wrote to memory of 6132	6016	752136ab66c661a356a7dfe583a4e093.exe	casino.exe
PID 6016 wrote to memory of 6132	6016	752136ab66c661a356a7dfe583a4e093.exe	casino.exe
PID 6016 wrote to memory of 6132	6016	752136ab66c661a356a7dfe583a4e093.exe	casino.exe
PID 6016 wrote to memory of 4388	6016	752136ab66c661a356a7dfe583a4e093.exe	blocker.exe
PID 6016 wrote to memory of 4388	6016	752136ab66c661a356a7dfe583a4e093.exe	blocker.exe
PID 6016 wrote to memory of 4388	6016	752136ab66c661a356a7dfe583a4e093.exe	blocker.exe

C:\Users\Admin\AppData\Local\Temp\752136ab66c661a356a7dfe583a4e093.exe
"C:\Users\Admin\AppData\Local\Temp\752136ab66c661a356a7dfe583a4e093.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:6016

C:\casino\Golden Palace Casino\casino.exe
"C:\casino\Golden Palace Casino\casino.exe" /nosplash
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6132

C:\casino\Golden Palace Casino\blocker.exe
"C:\casino\Golden Palace Casino\blocker.exe" Golden Palace Casino
2⤵
- Executes dropped EXE
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~vis0000\English.vlg

Filesize
13KB

MD5
707e3b6418526ed6729deb4a1307f1f2

SHA1
521a175e2e18ad316c8fbf25aa35c35dbf449668

SHA256
75081f741b450b8049d3a0106121516745bba675681fb490e78b7978238258d5

SHA512
cbf15467cbd0797a8ec781ce8fcae416c9dd30db052e32c85aa717ec955e24f5592ab937c2f8b82e7cf862c09a4a5d767808b56000bf3942da58c457a3fbcc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\~vis0000\rollback.log

Filesize
251B

MD5
a4f958496101a7c5d2497f1867683a66

SHA1
e8e42b4b4c5567e1d4b7360dda1c4cb3b59ea436

SHA256
418a886b451b7c7360d861ec4649d5f356039685f1437ec0f32a0e7f5cae7da1

SHA512
cb6d31c7df0422b89bae1ea74b52795d253fbcad1964d7b67d2163efa6968627b786661ab98c8bf023fa30303a0cf04f93f8a8bd89af206292d375f6f5209f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~vis0000\setuplog.txt

Filesize
481B

MD5
20ed8fc6aafeaeb08db80a716b374ee4

SHA1
43105cacb13f97f1c4dbabaeb19729cc76b853f7

SHA256
3025db584417f4e7e210757e44da9eb36bbdb30cc40dcfb37db2b24d5afa3e91

SHA512
81d7e2fcc02a5162a9a4ab271b4b17fc5b14d5365b1431c1ddf28067da554b844a61ea9eebe712cd9380f9fcad7384d90e48b2728d077dc674e3031b6da9d5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~vis0000\vise32ex.dll

Filesize
496KB

MD5
db798587868984eb838a71338f6ffe53

SHA1
c9fef0b8e6806137f29beb8c0eae04f1c5bb8c39

SHA256
6d4209a51dedb0aedcdfd5cbed6fc80dbc34b51cd1dc176d788f07b5cdf06642

SHA512
1e6f4ce4156693f9f9a8f70b8b9ff5080a27ac903929ae7aefd277c455d088aaf6b19ddc1edc131eb552eada877462829473885804df7f9246d412754d098c58

Download Submit
C:\casino\Golden Palace Casino\blocker.exe

Filesize
36KB

MD5
ef4020dae1e38ec388ecac6d13ba4dd0

SHA1
8b512ce38769a49ab54240004f8286706c6ed573

SHA256
3ff064f7fa28091da25b291f516cd6b6e46c7d5494f7e432c3b2f7f87b09aad1

SHA512
af2e657b99edfbd9994dd6ea251b8842b3d53fbb13ff69b0a448953d63240ff83ca59a3021caf065addcfbd0b0be3173760cb0d89739e08f44420faa70ae1392

Download Submit
C:\casino\Golden Palace Casino\casino.exe

Filesize
1.2MB

MD5
52452ebc3dfd8c8f9b5002a4ef27d154

SHA1
a87b3dc05f6ab77dd36ce914385cf7abe72fab30

SHA256
5d7e68583c8cee8036380b7cf99b38da0928c51ee264d4c5c8b561110a7251e8

SHA512
4276393a9765233050ad00081905853bf9d495c54a9b0e558555279e9d5e8f595f1bbb84f39f47ff3e81eeb27ce79a3c0ee25a917c20365abbffdc2d923628c1

Download Submit
C:\casino\Golden Palace Casino\directsounddriver.dll

Filesize
72KB

MD5
9ce36a7322e6f63d3a11eef0144e1a64

SHA1
9004a17f85254263234e9422cc16ca28e5df09cc

SHA256
1b9e8b71b9b4f57f65514191e3f60e9d12fdc854ca26375951120fc61baa5802

SHA512
5ac127fba09dcd6fd18c5038cb58e79f05a9d10ab98e489dbf3a207a4ead772a5019a3f53a1ca15e3b89dd5b195d56200115092f17e11c7806b3c7614a323c3d

Download Submit
C:\casino\Golden Palace Casino\fileinfo.dat

Filesize
19KB

MD5
2481c7295bc634056c24a2b6fb61b551

SHA1
bd3dbe8627ee805d7475082edb1e9ca4dc7722bb

SHA256
e892847193149caacb4f1c9ca0ed6de941453959a397b50b0e500f90aebdda10

SHA512
37524cfdcf7a9e79e37fb613ec8a58cb9d3ad46b2b5a98027a10d676bcd68adcd9a2553ed9ec439e9957f4b1aa30c9750caa4fd7b4482b1af6e5455b1b9b16c3

Download Submit
C:\casino\Golden Palace Casino\gdigraphdriver.dll

Filesize
84KB

MD5
6df1df1823f3ed801b49c3d21c2094c5

SHA1
074dfe579ddadb13f9c0e4f68b80eb08973e07b8

SHA256
55dbbef9c2c50c9ed7c60b0fef61b64963e894dac862ba2901ce85d940c57126

SHA512
73345c68a4649003e1497bee9d6a397270d523c2deef7170341fc3527c98c8739b19afb03a7f5d7a738aea1a7274fe51de26184b421b277bd8554fe296a21e7e

Download Submit
C:\casino\Golden Palace Casino\replacer.exe

Filesize
64KB

MD5
4c65763ea6207c7eb66523bfdabe2239

SHA1
9cd3ffc72ce8258d774fbb30187cb8d02a1dca09

SHA256
07e1de0755a3026fca2fb43d08aeaba486322b3c7deb08ec6f6d5ad1aed5bd46

SHA512
7bdb26e316f36fb27cf6d7f346a90d571e11633f8db89368bf8c5eedc07f24ed9995f5dedb0c4ab8ed83129dd9d586712c63fdf2d0c7a21d9c609c87d19ed2b3

Download Submit
C:\casino\Golden Palace Casino\wavesounddriver.dll

Filesize
60KB

MD5
2ebb346fb88ce0972768a0e333763467

SHA1
bff4bc5fa94ee24c43741e7c44f1e73c6815ef5f

SHA256
d79e63ce3e41d05c3fa8d34b11600b740e5249bc2dadece553b461daea586cdd

SHA512
8a4b0cd98db1641b5937ef5282895efd97d08477dcb30b0279c2df9dd24fa5e6c30d2af000dc21252fec8f379670d8d2d3746bced2c50636af1605975c93c20d

Download Submit
memory/6132-191-0x0000000003300000-0x0000000003313000-memory.dmp

Filesize
76KB

Download