Overview

overview

8

Static

static

kins_2.0.9.14.vir.exe

windows7_x64

8

kins_2.0.9.14.vir.exe

windows10_x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    kins_2.0.9.14.vir

  • Size

    179KB

  • Sample

    200719-a86p9fvc1x

  • MD5

    b3edd03e637283abd1f82d979a4cc544

  • SHA1

    9f278dba9bced2e579e6b565951fb0410555afc9

  • SHA256

    4871a6de5ad98ba04f4e3180dcb21ed7d649f5ee74c086aac859005f09952520

  • SHA512

    d9e95ea8c172e125e998282bae004026be8f26b58da90329fb10ee4333dee57ba400cf9270a03e92115eb8ba78a00e16ad14c0f35dfbee30159c1a3ad74e83eb

Score
8/10
evasionpersistence

Malware Config

Targets

    • Target

      kins_2.0.9.14.vir

    • Size

      179KB

    • MD5

      b3edd03e637283abd1f82d979a4cc544

    • SHA1

      9f278dba9bced2e579e6b565951fb0410555afc9

    • SHA256

      4871a6de5ad98ba04f4e3180dcb21ed7d649f5ee74c086aac859005f09952520

    • SHA512

      d9e95ea8c172e125e998282bae004026be8f26b58da90329fb10ee4333dee57ba400cf9270a03e92115eb8ba78a00e16ad14c0f35dfbee30159c1a3ad74e83eb

    Score
    8/10
    persistenceevasion

    • Executes dropped EXE

    • Deletes itself

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks