Overview

overview

8

Static

static

kins_2.0.9.9.vir.exe

windows7_x64

8

kins_2.0.9.9.vir.exe

windows10_x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    kins_2.0.9.9.vir

  • Size

    216KB

  • Sample

    200719-jcal378qd2

  • MD5

    b74cf245e3b7ee3efc4e6c987acf092d

  • SHA1

    ed02aef8f1f30f67a4e40acb60af0076061e362e

  • SHA256

    4dfd38dbb39f3ed69c713f601bc52b663a5cd08d37a2ececcbf8d54d8d179f05

  • SHA512

    27178f5a008669245cec97d7b901e580615b71d03ae64cf8b94eaaa9b9df95c646fea2b3a8770f358cd24ec1979ab66b58202f07bd0b2303f972a409a06ab40b

Score
8/10
evasionpersistence

Malware Config

Targets

    • Target

      kins_2.0.9.9.vir

    • Size

      216KB

    • MD5

      b74cf245e3b7ee3efc4e6c987acf092d

    • SHA1

      ed02aef8f1f30f67a4e40acb60af0076061e362e

    • SHA256

      4dfd38dbb39f3ed69c713f601bc52b663a5cd08d37a2ececcbf8d54d8d179f05

    • SHA512

      27178f5a008669245cec97d7b901e580615b71d03ae64cf8b94eaaa9b9df95c646fea2b3a8770f358cd24ec1979ab66b58202f07bd0b2303f972a409a06ab40b

    Score
    8/10
    evasionpersistence

    • Executes dropped EXE

    • Deletes itself

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Query Registry

1
T1012

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks