kinsing | cde444333157f30cfaa31fcdad039531e8e8d946c5d8a9caddd62c4bc803ce7b

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

752302309497646363f619488093f832.exe
Size

14KB
MD5

752302309497646363f619488093f832
SHA1

fc805f7582296a14ce8d40783822d3c19576484b
SHA256

cde444333157f30cfaa31fcdad039531e8e8d946c5d8a9caddd62c4bc803ce7b
SHA512

9dcd5f33cfbe39d5fcf9b217f444e751d28739fb5ccfbf05e82c544d3097f9f8fceb2099e9e4e3700935a8ec5a6683c950d374baaa32fed7c40c126727051858
SSDEEP

192:gtlcxmimwFXVW7Gc99Int6fN9NjU5cn6ck3BZvFE5nlf1Uriwzk7gvgjy9kG2:gjcWQlW7GcDmEfNcK2LvF0d6k0vAy93

Score

10^/10

kinsing discovery loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Deletes itself 1 IoCs

Processes:

unldrexe.exe

pid process

1120 unldrexe.exe
Executes dropped EXE 1 IoCs

Processes:

unldrexe.exe

pid process

1120 unldrexe.exe

pid	process
1120	unldrexe.exe

pid	process
1120	unldrexe.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

unldrexe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Unldrexe = "c:\\windows\\syswow64\\unldrexe.exe"	unldrexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Unldrexe = "c:\\windows\\syswow64\\unldrexe.exe"	unldrexe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

Processes:

752302309497646363f619488093f832.exe

description	ioc	process
File created	C:\Windows\SysWOW64\unldrexe.exe	752302309497646363f619488093f832.exe
File opened for modification	C:\Windows\SysWOW64\unldrexe.exe	752302309497646363f619488093f832.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

752302309497646363f619488093f832.exe

description	pid	process	target process
PID 4580 wrote to memory of 1120	4580	752302309497646363f619488093f832.exe	unldrexe.exe
PID 4580 wrote to memory of 1120	4580	752302309497646363f619488093f832.exe	unldrexe.exe
PID 4580 wrote to memory of 1120	4580	752302309497646363f619488093f832.exe	unldrexe.exe

C:\Users\Admin\AppData\Local\Temp\752302309497646363f619488093f832.exe
"C:\Users\Admin\AppData\Local\Temp\752302309497646363f619488093f832.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\SysWOW64\unldrexe.exe
  C:\Windows\system32\unldrexe.exe 5EA1355FD8066C91 c:\users\admin\appdata\local\temp\752302309497646363f619488093f832.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unldrexe

Filesize
12B

MD5
733522a5c248f590cb8c1b4ae38c3f57

SHA1
77907861d7913185fc0797687910c7e448fef5c9

SHA256
0ae82f477ca958ee1b3955e7d4896ace87d1a153e633777537dab3bcf7f33204

SHA512
582e612c520e96439043e798f58021fd72be2a147d10079d1d4347c92ccd074f46657b64b209590265a15449f87a62c32cdc4275840ec9fa7215232aae53a3eb

Download Submit
C:\Windows\SysWOW64\unldrexe.exe

Filesize
14KB

MD5
752302309497646363f619488093f832

SHA1
fc805f7582296a14ce8d40783822d3c19576484b

SHA256
cde444333157f30cfaa31fcdad039531e8e8d946c5d8a9caddd62c4bc803ce7b

SHA512
9dcd5f33cfbe39d5fcf9b217f444e751d28739fb5ccfbf05e82c544d3097f9f8fceb2099e9e4e3700935a8ec5a6683c950d374baaa32fed7c40c126727051858

Download Submit
memory/1120-10-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1120-12-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1120-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1120-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4580-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4580-8-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download