Analysis

  • max time kernel
    124s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/01/2024, 19:36

General

  • Target

    Kiwi X/Kiwi X Bootstrapper.exe

  • Size

    178KB

  • MD5

    9f07ff71a41d0707a88c679aeead9bc1

  • SHA1

    4c003b20f81fda703383c3751ac2bdeb41a57987

  • SHA256

    4d819c0df101498676f943c688edcd812161be8e82fd2a1877b5690cd3679ca9

  • SHA512

    c1537f0050fd22edcbd5e47bf4c13754a9126ebe897a2be42d45e302e1dbad2da69af0487a3d2eb373184ddb1c682dbef27ddef616faf5f0c19bd566ae767d62

  • SSDEEP

    768:TIEJncjFwUuDtL1uogdqbYBKuv4+CdQpKEBy0lGtCvvApflHp+jEJOxCjZonIrjs:TmMmKzz3GMIh5

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 34 IoCs)
  • Modifies system certificate store (2 TTPs, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe
      "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=Kiwi X.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:364

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          73431ab9a8e183ac8d25a6391d858f66

          SHA1

          48c046ee3e9a97516c928ab6dcea30f7c040f174

          SHA256

          66400c3c98936017c42bb263c5c96d9b0d4fc4a769c2abe0c4983673e939bc10

          SHA512

          8160c13170ab9605be78d558c327f3ee59fa6ab58da4bd3f15003bcfba8de8851d4a8be7cc1ea8a6ae784297d5952474264f2b6904c16ae5f1d1e2688caa3996

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          ac849740094477dfc8fc2cf4cd293a55

          SHA1

          a2197eb1b2fe316eb46eed9e90c7894bbd536ed7

          SHA256

          eb71422d28b2892344acdb123fe8b8c5c8b210535ab87c1a3f81725578805d0e

          SHA512

          cb94651069aea957ea574ea06ee6a487df6528e9788958cc6a27daa811b963fe6e60df660e74b172a6bb26ed5df52cbb14364b8d361a0797cd032cb18cd93afb

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          256981e9a44033048a0348ec5476f458

          SHA1

          09a54769d2c607b1da4c3d45b1d4a23fc4c28c71

          SHA256

          6db7f3ef44d4a1aeaffb190e86817196a54881523978fa4ddd1efb7dbc43b234

          SHA512

          e887686140466b65df093c41922853b50145c42fdea5209fe9d24cfc97bef672ac1af289d6379e6520314b312808280de4c742f0809eb93ce352b5e4c0134e7d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          fe5a6e3db1df9ea643367da66fb751c7

          SHA1

          e363ac3e2a79bdbce7952fd5080430f2d5b536d6

          SHA256

          78f3bdaa6857d0e46ac35f4b1cdba13a8b9f6953ee0893645e9aa68a3e88d9ab

          SHA512

          29281ba4900e7bf7a620fd6a43a90a2ba0e0d76d4d38ebecccb06f4928408c8e666891e34a1b74b8f283065def198a5a92ab8a4f6e241c9cccf8f4d757df99a0

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          6f72df1c57a4eba14782bacdd46e5715

          SHA1

          635ba706442422fb5bec3bec186743f901b2d02a

          SHA256

          061f9b0540ca25ad0e2ae7b5a3e8f407fe620cbf480271442b4323a95b635ac5

          SHA512

          7f4367c6861e66a6ca24380913a86bef0147ec73f9bdf0360b9a600cd3eed3563524cea9114ebc93bac8733261e30bdcd7d7ee7a20433e1fccfa1fdafb24eabc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          715e821906678eaf33a3fe86c12aa81f

          SHA1

          b1f3bf1cb7b5b05e53f42703e20d37dad5765052

          SHA256

          771020fc1eeee03666ae59da55dcb35632f132f3080e8827d144c52e2d8eb089

          SHA512

          8eea6bfc1291ee8beeff2c922d66bee3d49af830249a7ff064ef228c116fcb39cebce4e0f3c5229f8fac269a8b9504ce34babd6f0313e6c6193a017697676f67

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          0031dea252cb8f71342e53e458fa4314

          SHA1

          ac9d60e9e43424dcd1fe8b82f008ce07dc1ac809

          SHA256

          6de6bcc7b115daa2cf27524e9efb47cee40de917de522fb52bdcab4317cbe8af

          SHA512

          b37ffd470bd384572e6daececac73a5e44e5e7e67f6034daedc45426b32efeb1201baa294aa06486e07b67821ff87faa3dcc9dc4502009eae363be4658250fa3

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          5699a952cf22a79c99511d19ed435cd6

          SHA1

          fac6987cef35329c1215c1041d60b06afaaf8fe2

          SHA256

          bd7d3d954c5e2a51ab884d224273c9cbad61dcd83c771a49051a39a39fb9ba23

          SHA512

          256bc846e1cb90cd16e50c61cd91126dfbba8e80fc038450b9bf7d70b6294e8f07fa060c011ee95c6e3d672d8b21d333a02907f053362b7c98435fe5902dc5b2

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          c1b7bf84c736c437b1885c783f258725

          SHA1

          a43f03c9ac260f677017d84d26409b94febcd31d

          SHA256

          7c6585a4bc59a765fb38b2b1faa317ccc56571d7bd7c99cf2fa77ee18d7342b2

          SHA512

          c0e122f7438711d6c9784c57de0051ac9ea4f07b41d4559c12fa9290b2d02a6ef50d64bf86c5eff3ce974f64409079b943db0be9019e9adfa98c33f467f255bb

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          8926b4193cfda38c0e3b28ada853688e

          SHA1

          6e3597ada7c401a81c5016d01b79cd93cd55eaa6

          SHA256

          d7c9f34c84263a327b20d33fd21aca7337efc345d1efeee4292844e7417d4459

          SHA512

          edb908580f7c026d102450af07e940f3465e59d0dd188febfdbc0aa1b23a74b13a8ca9ca8fcc02fb16198165e90a105d627f981ff84d82fed560e598d26c4786

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          e4c4c01dc82ef7d361e6f443fa556777

          SHA1

          3e704d1588dae6f3df1a80a4043812dd54be996c

          SHA256

          f7880ff664b31cfd3287caeff47061b8ee568348be32e2be1731cecad5c078bc

          SHA512

          80627e38fa2761777ec41c1f0257e11a06fb0be34cf2434f52f8d139d9e6bfaf0983d1707ceafe418021470ebea709b81292396b016e07eb1180621b2388292b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          e21e43b888ca6e74220006277c40a6bd

          SHA1

          2c38a9007ffc6532d437e924de215191491d8728

          SHA256

          4bbe47eb21e2128733ad2ef5330ac46e745110b853dc3fe0f7b0fd9ca0e0766b

          SHA512

          ee236faeb824d1c6f9d8bd54a761e2ba289bb0e2d905591c2eec753350c158f9a27bba82177cf31bbd473b913b0ba5f545751b53fad38e54ad4425daa6f053e9

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          89781c994cec4820187827d8b5d15bb9

          SHA1

          874b946dec02d576e814d09a183777d82e2e4f42

          SHA256

          cff778a7956721354a42e7e241fb7ecabc23ee4bfcd8fe3fe4888e26b86b7a2b

          SHA512

          d43653b249fc4408188c2f5b7841012e6973f7ac28f7ea10a6ed57cd8c2cef5350ff2c3d6a569c813fa19c9fea256f77e543d18a0ccdf6d7751ef1666d5256b6

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          05425709135c27d90a2c650d18e33424

          SHA1

          6f9cee60877910b80277513794e0baf3721db474

          SHA256

          836403735d249fa6b422cc39cd60e691dd33d4c0794af9839a66684510285bc6

          SHA512

          f47d782ea6e0aa31a2be4e43426bc6d2697f079848420a0a349f2c78273e4c7eac8b1ba97e9e76eed31da086854ef2a6472bc835a19d6ae95f8a975a212f0c5e

        • C:\Users\Admin\AppData\Local\Temp\CabEE47.tmp

          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe

          Filesize

          64KB

          MD5

          a79388c86107f67c2e6f808919c68641

          SHA1

          14bfb87ebb9bf909bbea47976633cb4974eecf99

          SHA256

          7f2007e39a606f02c16b98324def593adda8d8429577ed23ce23aa9963d3a525

          SHA512

          1651f722e0a01d5c829c0125a976d1955189d1eeaeebfb9f872e40d8b4bcbbc8c2cce2ee2348dbf3f3b36d2a3f5144d6f63b9be0b0fe53d1ffaeee4ee19eb127

        • C:\Users\Admin\AppData\Local\Temp\TarEEA8.tmp

          Filesize

          171KB

          MD5

          9c0c641c06238516f27941aa1166d427

          SHA1

          64cd549fb8cf014fcd9312aa7a5b023847b6c977

          SHA256

          4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

          SHA512

          936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

        • \Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe

          Filesize

          80KB

          MD5

          de88ad0947de836437a79726eaa6a853

          SHA1

          8963c3b9e0d302c1b0d269e524fc5f5c8e183c82

          SHA256

          eab4fb4671d64139add76aa75d3cb40ea4baeb3d13755c0eff7622accf3b1de2

          SHA512

          21872320a6f6ba5fe8cf97e70277bc7d401935ea4b603a7d1b3829587badb5ae44aed80bdcab48c527d2aec09e4a3d0e77cf584244887f4df5ccf356454ba2ab

        • memory/1964-1-0x00000000740E0000-0x00000000747CE000-memory.dmp

          Filesize

          6.9MB

        • memory/1964-3-0x0000000004CF0000-0x0000000004D30000-memory.dmp

          Filesize

          256KB

        • memory/1964-44-0x00000000740E0000-0x00000000747CE000-memory.dmp

          Filesize

          6.9MB

        • memory/1964-2-0x00000000740E0000-0x00000000747CE000-memory.dmp

          Filesize

          6.9MB

        • memory/1964-0-0x0000000000D90000-0x0000000000DC2000-memory.dmp

          Filesize

          200KB