kinsing | 59c34ab10c3ed2f66543503c63df63cc7afa45bdd867c37a2281eb363116fa22

Analysis

max time kernel
304s
max time network
312s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

email-html-2.html
Size

15KB
MD5

01627150ea7deccb38d2733a9dc96c8a
SHA1

ed7e3087128c57c3756eef2737cccf5064ebdd54
SHA256

61e4b36529a542d601b972729047126ee42ce0bc43090656ab9dfd2746e5a31b
SHA512

c033b2fb1332c3c4342788bfe3ab34c12ee9859f8348d55cfbe020128a51a8351542b0d80fcfa368568eaefa8636aaf1a159bb29804ce9562b87e46e59821b6f
SSDEEP

192:X9+qJPa+X2C9xuzIpYrVignH5hTd7vdwzk2usk9Z+dKAu:xJPZX2wxuL8ChTdBwTusUfN

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133506788569528880"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1784 chrome.exe
1784 chrome.exe
3188 chrome.exe
3188 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1784 chrome.exe
1784 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1784 wrote to memory of 1104	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1104	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1076	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1012	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1012	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2516	1784	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-2.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5a829758,0x7ffb5a829768,0x7ffb5a829778
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1900,i,1554178739529458513,6650154925906523881,131072 /prefetch:2
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1900,i,1554178739529458513,6650154925906523881,131072 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1900,i,1554178739529458513,6650154925906523881,131072 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1900,i,1554178739529458513,6650154925906523881,131072 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1900,i,1554178739529458513,6650154925906523881,131072 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 --field-trial-handle=1900,i,1554178739529458513,6650154925906523881,131072 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4424 --field-trial-handle=1900,i,1554178739529458513,6650154925906523881,131072 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4204 --field-trial-handle=1900,i,1554178739529458513,6650154925906523881,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3188

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a92dbd074ea75dcf3c6196c0221cc4af

SHA1
26ff98335289e60ec5cda6be518888e046366460

SHA256
b8b351a3c2cbae81a728bfa1814480df3ea94c70214cf54619993e5d84f065f0

SHA512
efd9dac40f58debea864ca5f00356ca327ab4783994718e95d954e4b191b6f09f48bc49af6b34d89dac904c9e6ca923e05548a9f25a013fe6e08eb97d0d9f1ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d77de87f51ec6aeb049c8a325c498455

SHA1
bb0c3a80170514282f9ec9f3b0ef0cabdfb4616a

SHA256
74b6a42458fcc54b87766f15ac21009d3965b39c31953088b579e18aa1f8bf7d

SHA512
f8632a463cee0c753a7387eb0402cef5ab4e868313723ec40319e3a02ef33cc169e9bcd05307e1a4dd34f4893aeb2ac278454298092f3275f9b858626f8505e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cfe695504aea879570f3d6efb57b736d

SHA1
f8f34814c0649bf3f5f1a3e1fc0b5da0d96b597d

SHA256
d3b5a52a8590c5952a02cdfe500755c3e871d26be116dfec3b55780e769eaf15

SHA512
d56211ed44bcacf9055ef6bc8ecbec178f61fc843caec7657d62714be05f29c2fffee2b247169d541dbccf8ac0027eea6f803e139c22e6f4dc1f82d6d08f5351

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
cb0d563fcb4dac40f0743f0cc3cafd09

SHA1
5076715a9f0e10acfa64506fdd1a1753e8e53644

SHA256
5383d1225e81a55a8222a9a15860c748df41aae9ef1b8552d4a71199a69fde8f

SHA512
daa32a3d16684fe92b1a5b9b09f7be4eb1b5f0520c7bb83ad27147aa2f5bb84d1f2a51949f65de4c95d3f90632e222c87c0fa34be5f7a6b7f552c914bb98368a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_1784_ULNMXVPCPMLMRSPA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit