kinsing | 3be80cfa604086072f7763041a1324bce517f90d67d401c81a8297ed60699f99

General

Target

75223dcf04ed991c3c6285b3a8fcfeb9.exe
Size

143KB
MD5

75223dcf04ed991c3c6285b3a8fcfeb9
SHA1

3e829e04b2b5e0dec8deb30b03de94771894a09d
SHA256

3be80cfa604086072f7763041a1324bce517f90d67d401c81a8297ed60699f99
SHA512

79263f738fb2e2b0d293d8a6ea53f381afaade88688b21144239bb0be6730c632089b11d8b87c6a813bff5cf53e67537b7723bc9df7d30848315903a81e5a1c0
SSDEEP

3072:XJqmWJGq7dW9p6ra8cWaBCFW4fFFrdEMPXgbnVfAW3hpSt:smmdUv8cWaBCFW4tZ+kXgbnGKpS

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

75223dcf04ed991c3c6285b3a8fcfeb9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	75223dcf04ed991c3c6285b3a8fcfeb9.exe

Loads dropped DLL 2 IoCs

Processes:

75223dcf04ed991c3c6285b3a8fcfeb9.execmd.exe

pid process

4804 75223dcf04ed991c3c6285b3a8fcfeb9.exe
916 cmd.exe
Drops file in System32 directory 1 IoCs

Processes:

75223dcf04ed991c3c6285b3a8fcfeb9.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\ddoddump.dll 75223dcf04ed991c3c6285b3a8fcfeb9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3368 4804 WerFault.exe 75223dcf04ed991c3c6285b3a8fcfeb9.exe
5104 916 WerFault.exe cmd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

75223dcf04ed991c3c6285b3a8fcfeb9.exe

pid process

4804 75223dcf04ed991c3c6285b3a8fcfeb9.exe
4804 75223dcf04ed991c3c6285b3a8fcfeb9.exe

pid	process
4804	75223dcf04ed991c3c6285b3a8fcfeb9.exe
916	cmd.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ddoddump.dll	75223dcf04ed991c3c6285b3a8fcfeb9.exe

pid	pid_target	process	target process
3368	4804	WerFault.exe	75223dcf04ed991c3c6285b3a8fcfeb9.exe
5104	916	WerFault.exe	cmd.exe

pid	process
4804	75223dcf04ed991c3c6285b3a8fcfeb9.exe
4804	75223dcf04ed991c3c6285b3a8fcfeb9.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

75223dcf04ed991c3c6285b3a8fcfeb9.execmd.exe

description	pid	process	target process
PID 4804 wrote to memory of 3392	4804	75223dcf04ed991c3c6285b3a8fcfeb9.exe	Explorer.EXE
PID 4804 wrote to memory of 916	4804	75223dcf04ed991c3c6285b3a8fcfeb9.exe	cmd.exe
PID 4804 wrote to memory of 916	4804	75223dcf04ed991c3c6285b3a8fcfeb9.exe	cmd.exe
PID 4804 wrote to memory of 916	4804	75223dcf04ed991c3c6285b3a8fcfeb9.exe	cmd.exe
PID 916 wrote to memory of 4924	916	cmd.exe	attrib.exe
PID 916 wrote to memory of 4924	916	cmd.exe	attrib.exe
PID 916 wrote to memory of 4924	916	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4924 attrib.exe

pid	process
4924	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3392
- C:\Users\Admin\AppData\Local\Temp\75223dcf04ed991c3c6285b3a8fcfeb9.exe
  "C:\Users\Admin\AppData\Local\Temp\75223dcf04ed991c3c6285b3a8fcfeb9.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240611437.bat" "C:\Users\Admin\AppData\Local\Temp\75223dcf04ed991c3c6285b3a8fcfeb9.exe""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\75223dcf04ed991c3c6285b3a8fcfeb9.exe"
      4⤵
      Views/modifies file attributes
      PID:4924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 524
      4⤵
      Program crash
      PID:5104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1280
    3⤵
    - Program crash
    PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4804 -ip 4804
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 916 -ip 916
1⤵
PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240611437.bat

Filesize
69B

MD5
604802586163bdc9eda42f6a471e01ad

SHA1
fc255017a78e3ec103f73c8c8651effe08089c81

SHA256
02f35eec8f33e1ad57621253ee252ca073f6cc16bf9712d89859ffeb6bb49dd3

SHA512
66dc346d7bdcc80fc8ae6894ae10cab306aaf5cf1c1dd750a971d3df37d6f4ac607d188f583d08b526e3df13234cec9c7fa7f9bdc4c4ad187fc83a3506b94888

Download Submit
C:\Windows\SysWOW64\ddoddump.dll

Filesize
63KB

MD5
e0fd7f29011e26683fee67b52232905a

SHA1
e0c9ccbe79539a0287b6ebce858870af0ce7c8ff

SHA256
38328718c33c7e60a738cd8f79c78f48791f0e76d6dcf6babc69c3b5fc71e2d1

SHA512
b0c2e07aa00e85d2b74e299f24236097aff8a359d7a21496c8ee7b1926ba67d2f758daf11cba7b81ca4ce158d61bffda1536d8d9a476d451469595d48a76e29f

Download Submit
memory/916-13-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4804-0-0x0000000001000000-0x0000000001025000-memory.dmp

Filesize
148KB

Download
memory/4804-8-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4804-9-0x0000000001000000-0x0000000001025000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing