Analysis
- max time kernel: 0s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 07/01/2024, 19:36
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: Kiwi X/DiscordRPC.dll, win7-20231215-en
- behavioral2: Kiwi X/DiscordRPC.dll, win10v2004-20231222-en
- behavioral3: Kiwi X/Kiwi X Bootstrapper.exe, win7-20231215-en
- behavioral4: Kiwi X/Kiwi X Bootstrapper.exe, win10v2004-20231215-en
- behavioral5: Kiwi X/KiwiAPI.dll, win7-20231215-en
- behavioral6: Kiwi X/KiwiAPI.dll, win10v2004-20231222-en
- behavioral7: Kiwi X/Microsoft.Web.WebView2.Core.dll, win7-20231215-en
- behavioral8: Kiwi X/Microsoft.Web.WebView2.Core.dll, win10v2004-20231215-en
- behavioral9: Kiwi X/Microsoft.Web.WebView2.WinForms.dll, win7-20231129-en
- behavioral10: Kiwi X/Microsoft.Web.WebView2.WinForms.dll, win10v2004-20231215-en
- behavioral11: Kiwi X/Microsoft.Web.WebView2.Wpf.dll, win7-20231215-en
- behavioral12: Kiwi X/Microsoft.Web.WebView2.Wpf.dll, win10v2004-20231215-en
- behavioral13: Kiwi X/Monaco/Monaco.html, win7-20231215-en
- behavioral14: Kiwi X/Monaco/Monaco.html, win10v2004-20231222-en
- behavioral15: Kiwi X/Monaco/vs/base/worker/workerMain.js, win7-20231129-en
- behavioral16: Kiwi X/Monaco/vs/base/worker/workerMain.js, win10v2004-20231215-en
- behavioral17: Kiwi X/Monaco/vs/basic-languages/bat/bat.js, win7-20231129-en
- behavioral18: Kiwi X/Monaco/vs/basic-languages/bat/bat.js, win10v2004-20231222-en
- behavioral19: Kiwi X/Monaco/vs/basic-languages/coffee/coffee.js, win7-20231215-en
- behavioral20: Kiwi X/Monaco/vs/basic-languages/coffee/coffee.js, win10v2004-20231215-en
- behavioral21: Kiwi X/Monaco/vs/basic-languages/cpp/cpp.js, win7-20231215-en
- behavioral22: Kiwi X/Monaco/vs/basic-languages/cpp/cpp.js, win10v2004-20231215-en
- behavioral23: Kiwi X/Monaco/vs/basic-languages/csharp/csharp.js, win7-20231215-en
- behavioral24: Kiwi X/Monaco/vs/basic-languages/csharp/csharp.js, win10v2004-20231215-en
- behavioral25: Kiwi X/Monaco/vs/basic-languages/csp/csp.js, win7-20231215-en
- behavioral26: Kiwi X/Monaco/vs/basic-languages/csp/csp.js, win10v2004-20231215-en
- behavioral27: Kiwi X/Monaco/vs/basic-languages/css/css.js, win7-20231215-en
- behavioral28: Kiwi X/Monaco/vs/basic-languages/css/css.js, win10v2004-20231215-en
- behavioral29: Kiwi X/Monaco/vs/basic-languages/dockerfile/dockerfile.js, win7-20231215-en
- behavioral30: Kiwi X/Monaco/vs/basic-languages/dockerfile/dockerfile.js, win10v2004-20231215-en
- behavioral31: Kiwi X/Monaco/vs/basic-languages/fsharp/fsharp.js, win7-20231215-en
- behavioral32: Kiwi X/Monaco/vs/basic-languages/fsharp/fsharp.js, win10v2004-20231222-en
General
- Target: Kiwi X/Monaco/Monaco.html
- Size: 6KB
- MD5: ec05dbe07ad593f3c4eccc68d22c4558
- SHA1: 7ab2bd63a8c0a421e27f2fa214c28ada9489a546
- SHA256: c652c0edfd59d5644044049f723ad2d915685dfdb1ddf6841da498ca969eb12e
- SHA512: df2e364a22b263e00133ba7e0e667a9db3a0fa5d3a6fac3c44a1c9d78ef4ba694b742eb04031e67c5d305c427efe11ca5c8fe89d9e5152f1b32ed4580dcae538
- SSDEEP: 192:wEod3PorvGym0Qp5keghKcCI2MCTJ3+NLSaPh/WCY/jt:ud3PoLTw5keghHwjt
Malware Config
Signatures
Modifies Internet Explorer settings
(description, ioc, Process; all keys are under \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer)
- Key created: ...\Internet Explorer\BrowserEmulation\LowMic (iexplore.exe)
- Key created: ...\Internet Explorer\GPU (iexplore.exe)
- Key created: ...\Internet Explorer\InternetRegistry (iexplore.exe)
- Key created: ...\Internet Explorer\LowRegistry\DOMStorage (iexplore.exe)
- Set value (str): ...\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (int): ...\Internet Explorer\Recovery\AdminActive\{749CDB91-AD94-11EE-A80E-FA7D6BB1EAA3} = "0" (iexplore.exe)
- Key created: ...\Internet Explorer\Main (iexplore.exe)
- Key created: ...\Internet Explorer\IntelliForms (iexplore.exe)
- Key created: ...\Internet Explorer\Toolbar (iexplore.exe)
- Key created: ...\Internet Explorer\Zoom (iexplore.exe)
- Set value (int): ...\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
- Key created: ...\Internet Explorer\IETld\LowMic (iexplore.exe)
- Key created: ...\Internet Explorer\LowRegistry (iexplore.exe)
- Key created: ...\Internet Explorer\PageSetup (iexplore.exe)
- Key created: ...\Internet Explorer\Main\WindowsSearch (iexplore.exe)
- Key created: ...\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Key created: ...\Internet Explorer\Toolbar\WebBrowser (iexplore.exe)
- Key created: ...\Internet Explorer\Recovery\AdminActive (iexplore.exe)

Suspicious use of SetWindowsHookEx 2 IoCs
(pid, Process)
- 624, iexplore.exe
- 624, iexplore.exe

Suspicious use of WriteProcessMemory 4 IoCs
(description, pid, Process, procid_target)
- PID 624 wrote to memory of 2616, 624, iexplore.exe, 17
- PID 624 wrote to memory of 2616, 624, iexplore.exe, 17
- PID 624 wrote to memory of 2616, 624, iexplore.exe, 17
- PID 624 wrote to memory of 2616, 624, iexplore.exe, 17
Processes
- C:\Program Files\Internet Explorer\iexplore.exe (PID:624)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\Monaco.html"
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID:2616)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:624 CREDAT:275457 /prefetch:2
Network
MITRE ATT&CK Enterprise v15
Downloads