Overview (overall score 8)

Score  Task / Target            Platform
3      Static task (static)     -
1      Kiwi X/DiscordRPC.dll    windows7-x64
1      Kiwi X/DiscordRPC.dll    windows10-2004-x64
8      Kiwi X/Kiw...er.exe      windows7-x64
1      Kiwi X/Kiw...er.exe      windows10-2004-x64
1      Kiwi X/KiwiAPI.dll       windows7-x64
1      Kiwi X/KiwiAPI.dll       windows10-2004-x64
1      Kiwi X/Mic...re.dll      windows7-x64
1      Kiwi X/Mic...re.dll      windows10-2004-x64
1      Kiwi X/Mic...ms.dll      windows7-x64
1      Kiwi X/Mic...ms.dll      windows10-2004-x64
1      Kiwi X/Mic...pf.dll      windows7-x64
1      Kiwi X/Mic...pf.dll      windows10-2004-x64
1      Kiwi X/Mon...o.html      windows7-x64
1      Kiwi X/Mon...o.html      windows10-2004-x64
1      Kiwi X/Mon...ain.js      windows7-x64
1      Kiwi X/Mon...ain.js      windows10-2004-x64
1      Kiwi X/Mon...bat.js      windows7-x64
1      Kiwi X/Mon...bat.js      windows10-2004-x64
1      Kiwi X/Mon...fee.js      windows7-x64
1      Kiwi X/Mon...fee.js      windows10-2004-x64
1      Kiwi X/Mon...cpp.js      windows7-x64
1      Kiwi X/Mon...cpp.js      windows10-2004-x64
1      Kiwi X/Mon...arp.js      windows7-x64
1      Kiwi X/Mon...arp.js      windows10-2004-x64
1      Kiwi X/Mon...csp.js      windows7-x64
1      Kiwi X/Mon...csp.js      windows10-2004-x64
1      Kiwi X/Mon...css.js      windows7-x64
1      Kiwi X/Mon...css.js      windows10-2004-x64
1      Kiwi X/Mon...ile.js      windows7-x64
1      Kiwi X/Mon...ile.js      windows10-2004-x64
1      Kiwi X/Mon...arp.js      windows7-x64
1      Kiwi X/Mon...arp.js      windows10-2004-x64

Analysis
Max time kernel     124s
Max time network    139s
Platform            windows7_x64
Resource            win7-20231215-en
Resource tags       arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted           07/01/2024, 19:36
Static task
  static1

Behavioral tasks
  Task          Sample                                                    Resource
  behavioral1   Kiwi X/DiscordRPC.dll                                     win7-20231215-en
  behavioral2   Kiwi X/DiscordRPC.dll                                     win10v2004-20231222-en
  behavioral3   Kiwi X/Kiwi X Bootstrapper.exe                            win7-20231215-en
  behavioral4   Kiwi X/Kiwi X Bootstrapper.exe                            win10v2004-20231215-en
  behavioral5   Kiwi X/KiwiAPI.dll                                        win7-20231215-en
  behavioral6   Kiwi X/KiwiAPI.dll                                        win10v2004-20231222-en
  behavioral7   Kiwi X/Microsoft.Web.WebView2.Core.dll                    win7-20231215-en
  behavioral8   Kiwi X/Microsoft.Web.WebView2.Core.dll                    win10v2004-20231215-en
  behavioral9   Kiwi X/Microsoft.Web.WebView2.WinForms.dll                win7-20231129-en
  behavioral10  Kiwi X/Microsoft.Web.WebView2.WinForms.dll                win10v2004-20231215-en
  behavioral11  Kiwi X/Microsoft.Web.WebView2.Wpf.dll                     win7-20231215-en
  behavioral12  Kiwi X/Microsoft.Web.WebView2.Wpf.dll                     win10v2004-20231215-en
  behavioral13  Kiwi X/Monaco/Monaco.html                                 win7-20231215-en
  behavioral14  Kiwi X/Monaco/Monaco.html                                 win10v2004-20231222-en
  behavioral15  Kiwi X/Monaco/vs/base/worker/workerMain.js                win7-20231129-en
  behavioral16  Kiwi X/Monaco/vs/base/worker/workerMain.js                win10v2004-20231215-en
  behavioral17  Kiwi X/Monaco/vs/basic-languages/bat/bat.js               win7-20231129-en
  behavioral18  Kiwi X/Monaco/vs/basic-languages/bat/bat.js               win10v2004-20231222-en
  behavioral19  Kiwi X/Monaco/vs/basic-languages/coffee/coffee.js         win7-20231215-en
  behavioral20  Kiwi X/Monaco/vs/basic-languages/coffee/coffee.js         win10v2004-20231215-en
  behavioral21  Kiwi X/Monaco/vs/basic-languages/cpp/cpp.js               win7-20231215-en
  behavioral22  Kiwi X/Monaco/vs/basic-languages/cpp/cpp.js               win10v2004-20231215-en
  behavioral23  Kiwi X/Monaco/vs/basic-languages/csharp/csharp.js         win7-20231215-en
  behavioral24  Kiwi X/Monaco/vs/basic-languages/csharp/csharp.js         win10v2004-20231215-en
  behavioral25  Kiwi X/Monaco/vs/basic-languages/csp/csp.js               win7-20231215-en
  behavioral26  Kiwi X/Monaco/vs/basic-languages/csp/csp.js               win10v2004-20231215-en
  behavioral27  Kiwi X/Monaco/vs/basic-languages/css/css.js               win7-20231215-en
  behavioral28  Kiwi X/Monaco/vs/basic-languages/css/css.js               win10v2004-20231215-en
  behavioral29  Kiwi X/Monaco/vs/basic-languages/dockerfile/dockerfile.js win7-20231215-en
  behavioral30  Kiwi X/Monaco/vs/basic-languages/dockerfile/dockerfile.js win10v2004-20231215-en
  behavioral31  Kiwi X/Monaco/vs/basic-languages/fsharp/fsharp.js         win7-20231215-en
  behavioral32  Kiwi X/Monaco/vs/basic-languages/fsharp/fsharp.js         win10v2004-20231222-en
General

Target   Kiwi X/Kiwi X Bootstrapper.exe
Size     178KB
MD5      9f07ff71a41d0707a88c679aeead9bc1
SHA1     4c003b20f81fda703383c3751ac2bdeb41a57987
SHA256   4d819c0df101498676f943c688edcd812161be8e82fd2a1877b5690cd3679ca9
SHA512   c1537f0050fd22edcbd5e47bf4c13754a9126ebe897a2be42d45e302e1dbad2da69af0487a3d2eb373184ddb1c682dbef27ddef616faf5f0c19bd566ae767d62
SSDEEP   768:TIEJncjFwUuDtL1uogdqbYBKuv4+CdQpKEBy0lGtCvvApflHp+jEJOxCjZonIrjs:TmMmKzz3GMIh5
Malware Config
Signatures

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
  PID 2844  Kiwi X.exe

Loads dropped DLL (1 IoC)
  PID 1964  Kiwi X Bootstrapper.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings (34 IoCs)
  All keys below are under \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer; the last column is the writing process.
  Key created       \BrowserEmulation\LowMic  iexplore.exe
  Key created       \Zoom  iexplore.exe
  Key created       \Recovery\PendingRecovery  iexplore.exe
  Set value (int)   \Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
  Key created       \TabbedBrowsing\NewTabPage  iexplore.exe
  Key created       \DomainSuggestion  iexplore.exe
  Key created       \LowRegistry  iexplore.exe
  Key created       \LowRegistry\DOMStorage  iexplore.exe
  Set value (str)   \Main\FullScreen = "no"  iexplore.exe
  Key created       \Toolbar\WebBrowser  iexplore.exe
  Set value (data)  \Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
  Key created       \SearchScopes  iexplore.exe
  Key created       \TabbedBrowsing  iexplore.exe
  Set value (data)  \TabbedBrowsing\NewTabPage\LastProcessed = 40943479a141da01  iexplore.exe
  Key created       \IETld\LowMic  iexplore.exe
  Key created       \Recovery\AdminActive  iexplore.exe
  Key created       \Main\WindowsSearch  iexplore.exe
  Set value (data)  \TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd7691733418900000000020000000000106600000001000020000000273c4525699204b786f7301a5ef1624d7eea2f6230cc15d26353fa04656dce75000000000e8000000002000020000000a9a07f248c1c0dc5a841f8354dccf680fcff8424b17d9ac23c74eb7ceadeff90200000001baeb3704fe1faac63bb0e4858a98de1872ec10d2d234c850652cd4d5e0696b44000000064599c6f1309f62a3729d96a1c914b2459d1fc47a16f6bc8532e941c1cbf7cc820ba152bee03dc4f02fad3b78780c8559c880abdd6c4d0b593d205bf2b6f693a  iexplore.exe
  Key created       \InternetRegistry  iexplore.exe
  Key created       \Main  iexplore.exe
  Set value (int)   \SearchScopes\DownloadRetries = "2"  iexplore.exe
  Set value (int)   \TabbedBrowsing\NTPFirstRun = "1"  iexplore.exe
  Set value (data)  \TabbedBrowsing\NewTabPage\MFV = [value elided]  iexplore.exe
  Key created       \GPU  iexplore.exe
  Key created       \IntelliForms  iexplore.exe
  Key created       \PageSetup  iexplore.exe
  Set value (str)   \Main\WindowsSearch\Version = "WS not running"  iexplore.exe
  Key created       \Main  IEXPLORE.EXE
  Set value (int)   \Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
  Key created       \LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
  Key created       \Toolbar  iexplore.exe
  Set value (int)   \Main\CompatibilityFlags = "0"  iexplore.exe
  Set value (int)   \Recovery\AdminActive\{96FA1181-AD94-11EE-9240-46FAA8558A22} = "0"  iexplore.exe
  Set value (int)   \DomainSuggestion\NextUpdateDate = "410818293"  iexplore.exe
Modifies system certificate store (4 IoCs)
  All keys below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates; the writing process is Kiwi X Bootstrapper.exe in every case.
  Set value (data)  \D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [value elided]
  Key created       \D4DE20D05E66FC53FE1A50882C78DB2852CAE474
  Set value (data)  \D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9
  Set value (data)  \D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [value elided]
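The Blob value recorded above is not opaque. Windows stores each certificate in the registry as a CryptoAPI serialized certificate context: a run of (property id, reserved, length, data) records, the last of which carries the DER certificate itself. The script below is an example added to this report (it is not output of the sandbox and has nothing to do with the sample's own code). It decodes the Blob quoted in the IoC list, recovers the friendly name and the certificate, checks that the certificate's SHA-1 equals both the stored CERT_SHA1_HASH property and the registry key name, and reads the validity period; the property-id names are taken from wincrypt.h and are the only thing assumed beyond the page. The check matters for triage: a Microsoft root-program root appearing under HKLM\...\AuthRoot\Certificates, together with the CryptnetUrlCache metadata files listed under Downloads, is the footprint of CryptoAPI's automatic root update fetching a root it needed while building a chain, so this signature on its own does not show the sample planting an attacker-controlled CA. An unfamiliar friendly name, a certificate that decodes to something outside the root program, or a write into the Root store rather than AuthRoot would be the result to escalate.

```python
"""Decode the AuthRoot\\Certificates\\<SHA1>\\Blob value from the report.

Added example for this report, not sandbox output and not code of the sample.
The value is a CryptoAPI serialized certificate context: records of
(DWORD propid, DWORD reserved == 1, DWORD cb, cb bytes); CERT_CERT_PROP_ID (32)
holds the DER certificate.
"""
import hashlib
import struct

# Property ids as defined in wincrypt.h (assumed names, not taken from the page).
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
    83: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}

# The Blob value exactly as printed in the "Modifies system certificate store"
# IoC list, split at record boundaries (and the certificate at the page's line break).
BLOB_HEX = (
    "0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f"
    "0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f0074000000"
    "53000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0"
    "140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df0"
    "1d0000000100000010000000918ad43a9475f78bb5243de886d8103c"
    "09000000010000000c000000300a06082b06010505070301"
    "030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474"
    "20000000010000007b030000"
    "308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5"
    "db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9"
)


def parse_cert_blob(blob: bytes) -> dict:
    """Split the serialized context into {propid: data}; reject truncated or malformed input."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, size = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"property {prop_id}: reserved field is {reserved}, expected 1")
        if size > len(blob) - off:
            raise ValueError(f"property {prop_id}: claims {size} bytes, {len(blob) - off} remain")
        props[prop_id] = blob[off:off + size]
        off += size
    return props


def _tlv(buf: bytes, off: int):
    """(tag, value_start, value_end) of the DER element at off; short and long lengths."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def cert_validity(cert: bytes):
    """notBefore/notAfter of a v3 certificate, walking the fixed tbsCertificate field order."""
    _, off, _ = _tlv(cert, 0)          # Certificate SEQUENCE
    _, off, _ = _tlv(cert, off)        # tbsCertificate SEQUENCE
    for _ in range(4):                 # version [0], serialNumber, signature, issuer
        _, _, off = _tlv(cert, off)
    _, off, _ = _tlv(cert, off)        # Validity SEQUENCE
    _, s, e = _tlv(cert, off)
    not_before = cert[s:e].decode("ascii")
    _, s, e = _tlv(cert, e)
    not_after = cert[s:e].decode("ascii")
    return not_before, not_after


def summarize(blob_hex: str) -> dict:
    """Everything a triage note needs from one Blob value."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    cert = props[32]
    not_before, not_after = cert_validity(cert)
    return {
        "properties": sorted(props),
        "property_names": [PROP_NAMES.get(p, f"unknown_{p}") for p in sorted(props)],
        "friendly_name": props[11].decode("utf-16-le").rstrip("\x00"),
        "cert_len": len(cert),
        "sha1": hashlib.sha1(cert).hexdigest(),
        "sha1_matches_prop3": hashlib.sha1(cert).digest() == props[3],
        "sha256": hashlib.sha256(cert).hexdigest(),
        # SEQUENCE { OID 1.3.6.1.5.5.7.3.1 } is id-kp-serverAuth and nothing else
        "eku_server_auth_only": props[9] == bytes.fromhex("300a06082b06010505070301"),
        "not_before": not_before,
        "not_after": not_after,
    }


if __name__ == "__main__":
    for key, value in summarize(BLOB_HEX).items():
        print(f"{key}: {value}")
```

Run it against any other Blob value by replacing BLOB_HEX with the hex copied from the report: the SHA-1 it computes must equal the key name under Certificates, and the friendly name and validity tell you at a glance whether the root is one you expect to see.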
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1964  Kiwi X Bootstrapper.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 1964  Kiwi X Bootstrapper.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2008  iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 2008  iexplore.exe
  PID 2008  iexplore.exe
  PID 364   IEXPLORE.EXE
  PID 364   IEXPLORE.EXE
  PID 364   IEXPLORE.EXE
  PID 364   IEXPLORE.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  PID   Process                  wrote to memory of  procid_target  Calls
  1964  Kiwi X Bootstrapper.exe  2844                30             4
  2844  Kiwi X.exe               2008                31             4
  2008  iexplore.exe             364                 33             4
Processes

C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe"
  PID 1964
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe"
    PID 2844
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=Kiwi X.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      PID 2008
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:275457 /prefetch:2
        PID 364
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
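Every WriteProcessMemory row in the signature list targets a process that the process tree above shows as the writer's own direct child (1964 -> 2844 -> 2008 -> 364), a pattern consistent with process creation rather than injection into an unrelated process. The script below is an example added to this report, not sandbox output and not code of the sample: it parses the twelve rows as printed, collapses the repeated calls per parent/child pair, rebuilds the tree, and, given the parentage from the process list, flags any write whose target is not the writer's child; a constructed foreign write shows the flag firing. The row format, the parent map, and the image name for PID 364 (IEXPLORE.EXE, read off the process list because 364 never appears as a writer) are the only assumptions. One further point for whoever reads the tree: the iexplore.exe command line carries the go.microsoft.com/fwlink AppLaunch URL with o1=.NETFramework,Version=v4.8 and processName=Kiwi X.exe, which is the page the .NET Framework runtime shim opens when the framework version an application was built against is not installed, so on this Windows 7 image the browser launch and the Internet Explorer registry changes follow from a missing runtime rather than from anything Kiwi X.exe did after starting.

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory' rows and
flag writes into processes that are not the writer's own children.

Added example for this report, not sandbox output and not code of the sample.
"""
import re
from collections import Counter, defaultdict

# The twelve rows of the signature, copied from the report. Each reads
# "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>".
WPM_ROWS = """
PID 1964 wrote to memory of 2844 1964 Kiwi X Bootstrapper.exe 30
PID 1964 wrote to memory of 2844 1964 Kiwi X Bootstrapper.exe 30
PID 1964 wrote to memory of 2844 1964 Kiwi X Bootstrapper.exe 30
PID 1964 wrote to memory of 2844 1964 Kiwi X Bootstrapper.exe 30
PID 2844 wrote to memory of 2008 2844 Kiwi X.exe 31
PID 2844 wrote to memory of 2008 2844 Kiwi X.exe 31
PID 2844 wrote to memory of 2008 2844 Kiwi X.exe 31
PID 2844 wrote to memory of 2008 2844 Kiwi X.exe 31
PID 2008 wrote to memory of 364 2008 iexplore.exe 33
PID 2008 wrote to memory of 364 2008 iexplore.exe 33
PID 2008 wrote to memory of 364 2008 iexplore.exe 33
PID 2008 wrote to memory of 364 2008 iexplore.exe 33
"""

# Parent of each child PID, as shown in the Processes section (assumed input).
PARENT_OF = {2844: 1964, 2008: 2844, 364: 2008}
# Image for the one PID that never writes, taken from the Processes section.
EXTRA_IMAGES = {364: "IEXPLORE.EXE"}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+?) (\d+)$")


def parse_rows(text: str):
    """Return ({(writer, target): call_count}, {writer_pid: image})."""
    edges, images = Counter(), {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        writer, target, image, _procid_target = m.groups()
        edges[(int(writer), int(target))] += 1
        images[int(writer)] = image
    return edges, images


def build_tree(edges):
    """Roots (writers nobody wrote into) and an adjacency map writer -> [targets]."""
    children = defaultdict(list)
    for writer, target in edges:
        children[writer].append(target)
    roots = sorted(set(children) - {t for _, t in edges})
    return roots, children


def render_tree(edges, images, extra_images=None):
    """Indented one-line-per-process view with the call count from the parent."""
    names = {**images, **(extra_images or {})}
    roots, children = build_tree(edges)
    lines = []

    def walk(pid, depth, calls):
        note = f"  [{calls} WriteProcessMemory calls from parent]" if calls else ""
        lines.append("  " * depth + f"{pid} {names.get(pid, '<image unknown>')}{note}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return lines


def foreign_writes(edges, parent_of):
    """Writer/target pairs where the target is not the writer's direct child.
    Given real process-creation parentage, these are the injection candidates."""
    return sorted((w, t) for (w, t) in edges if parent_of.get(t) != w)


if __name__ == "__main__":
    edges, images = parse_rows(WPM_ROWS)
    print("\n".join(render_tree(edges, images, EXTRA_IMAGES)))
    print("writes outside parent->child:", foreign_writes(edges, PARENT_OF) or "none")
    # Constructed counter-example: a write into a PID whose parent is some other process.
    injected = Counter(edges)
    injected[(2844, 4242)] += 1
    print("with a constructed foreign write:", foreign_writes(injected, {**PARENT_OF, 4242: 9999}))
```

The parent map is the thing to get from the process list, not from the WriteProcessMemory rows themselves; with it in hand, an empty result from foreign_writes is the quick way to confirm that this signature fired only on process creation.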
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize  344B
  MD5       73431ab9a8e183ac8d25a6391d858f66
  SHA1      48c046ee3e9a97516c928ab6dcea30f7c040f174
  SHA256    66400c3c98936017c42bb263c5c96d9b0d4fc4a769c2abe0c4983673e939bc10
  SHA512    8160c13170ab9605be78d558c327f3ee59fa6ab58da4bd3f15003bcfba8de8851d4a8be7cc1ea8a6ae784297d5952474264f2b6904c16ae5f1d1e2688caa3996

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize  344B
  MD5       ac849740094477dfc8fc2cf4cd293a55
  SHA1      a2197eb1b2fe316eb46eed9e90c7894bbd536ed7
  SHA256    eb71422d28b2892344acdb123fe8b8c5c8b210535ab87c1a3f81725578805d0e
  SHA512    cb94651069aea957ea574ea06ee6a487df6528e9788958cc6a27daa811b963fe6e60df660e74b172a6bb26ed5df52cbb14364b8d361a0797cd032cb18cd93afb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize  344B
  MD5       256981e9a44033048a0348ec5476f458
  SHA1      09a54769d2c607b1da4c3d45b1d4a23fc4c28c71
  SHA256    6db7f3ef44d4a1aeaffb190e86817196a54881523978fa4ddd1efb7dbc43b234
  SHA512    e887686140466b65df093c41922853b50145c42fdea5209fe9d24cfc97bef672ac1af289d6379e6520314b312808280de4c742f0809eb93ce352b5e4c0134e7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize  344B
  MD5       fe5a6e3db1df9ea643367da66fb751c7
  SHA1      e363ac3e2a79bdbce7952fd5080430f2d5b536d6
  SHA256    78f3bdaa6857d0e46ac35f4b1cdba13a8b9f6953ee0893645e9aa68a3e88d9ab
  SHA512    29281ba4900e7bf7a620fd6a43a90a2ba0e0d76d4d38ebecccb06f4928408c8e666891e34a1b74b8f283065def198a5a92ab8a4f6e241c9cccf8f4d757df99a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize  344B
  MD5       6f72df1c57a4eba14782bacdd46e5715
  SHA1      635ba706442422fb5bec3bec186743f901b2d02a
  SHA256    061f9b0540ca25ad0e2ae7b5a3e8f407fe620cbf480271442b4323a95b635ac5
  SHA512    7f4367c6861e66a6ca24380913a86bef0147ec73f9bdf0360b9a600cd3eed3563524cea9114ebc93bac8733261e30bdcd7d7ee7a20433e1fccfa1fdafb24eabc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize  344B
  MD5       715e821906678eaf33a3fe86c12aa81f
  SHA1      b1f3bf1cb7b5b05e53f42703e20d37dad5765052
  SHA256    771020fc1eeee03666ae59da55dcb35632f132f3080e8827d144c52e2d8eb089
  SHA512    8eea6bfc1291ee8beeff2c922d66bee3d49af830249a7ff064ef228c116fcb39cebce4e0f3c5229f8fac269a8b9504ce34babd6f0313e6c6193a017697676f67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize  344B
  MD5       0031dea252cb8f71342e53e458fa4314
  SHA1      ac9d60e9e43424dcd1fe8b82f008ce07dc1ac809
  SHA256    6de6bcc7b115daa2cf27524e9efb47cee40de917de522fb52bdcab4317cbe8af
  SHA512    b37ffd470bd384572e6daececac73a5e44e5e7e67f6034daedc45426b32efeb1201baa294aa06486e07b67821ff87faa3dcc9dc4502009eae363be4658250fa3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize  344B
  MD5       5699a952cf22a79c99511d19ed435cd6
  SHA1      fac6987cef35329c1215c1041d60b06afaaf8fe2
  SHA256    bd7d3d954c5e2a51ab884d224273c9cbad61dcd83c771a49051a39a39fb9ba23
  SHA512    256bc846e1cb90cd16e50c61cd91126dfbba8e80fc038450b9bf7d70b6294e8f07fa060c011ee95c6e3d672d8b21d333a02907f053362b7c98435fe5902dc5b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize  344B
  MD5       c1b7bf84c736c437b1885c783f258725
  SHA1      a43f03c9ac260f677017d84d26409b94febcd31d
  SHA256    7c6585a4bc59a765fb38b2b1faa317ccc56571d7bd7c99cf2fa77ee18d7342b2
  SHA512    c0e122f7438711d6c9784c57de0051ac9ea4f07b41d4559c12fa9290b2d02a6ef50d64bf86c5eff3ce974f64409079b943db0be9019e9adfa98c33f467f255bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize  344B
  MD5       8926b4193cfda38c0e3b28ada853688e
  SHA1      6e3597ada7c401a81c5016d01b79cd93cd55eaa6
  SHA256    d7c9f34c84263a327b20d33fd21aca7337efc345d1efeee4292844e7417d4459
  SHA512    edb908580f7c026d102450af07e940f3465e59d0dd188febfdbc0aa1b23a74b13a8ca9ca8fcc02fb16198165e90a105d627f981ff84d82fed560e598d26c4786

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize  344B
  MD5       e4c4c01dc82ef7d361e6f443fa556777
  SHA1      3e704d1588dae6f3df1a80a4043812dd54be996c
  SHA256    f7880ff664b31cfd3287caeff47061b8ee568348be32e2be1731cecad5c078bc
  SHA512    80627e38fa2761777ec41c1f0257e11a06fb0be34cf2434f52f8d139d9e6bfaf0983d1707ceafe418021470ebea709b81292396b016e07eb1180621b2388292b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize  344B
  MD5       e21e43b888ca6e74220006277c40a6bd
  SHA1      2c38a9007ffc6532d437e924de215191491d8728
  SHA256    4bbe47eb21e2128733ad2ef5330ac46e745110b853dc3fe0f7b0fd9ca0e0766b
  SHA512    ee236faeb824d1c6f9d8bd54a761e2ba289bb0e2d905591c2eec753350c158f9a27bba82177cf31bbd473b913b0ba5f545751b53fad38e54ad4425daa6f053e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize  344B
  MD5       89781c994cec4820187827d8b5d15bb9
  SHA1      874b946dec02d576e814d09a183777d82e2e4f42
  SHA256    cff778a7956721354a42e7e241fb7ecabc23ee4bfcd8fe3fe4888e26b86b7a2b
  SHA512    d43653b249fc4408188c2f5b7841012e6973f7ac28f7ea10a6ed57cd8c2cef5350ff2c3d6a569c813fa19c9fea256f77e543d18a0ccdf6d7751ef1666d5256b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize  344B
  MD5       05425709135c27d90a2c650d18e33424
  SHA1      6f9cee60877910b80277513794e0baf3721db474
  SHA256    836403735d249fa6b422cc39cd60e691dd33d4c0794af9839a66684510285bc6
  SHA512    f47d782ea6e0aa31a2be4e43426bc6d2697f079848420a0a349f2c78273e4c7eac8b1ba97e9e76eed31da086854ef2a6472bc835a19d6ae95f8a975a212f0c5e

(no path recorded)
  Filesize  65KB
  MD5       ac05d27423a85adc1622c714f2cb6184
  SHA1      b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

(no path recorded)
  Filesize  64KB
  MD5       a79388c86107f67c2e6f808919c68641
  SHA1      14bfb87ebb9bf909bbea47976633cb4974eecf99
  SHA256    7f2007e39a606f02c16b98324def593adda8d8429577ed23ce23aa9963d3a525
  SHA512    1651f722e0a01d5c829c0125a976d1955189d1eeaeebfb9f872e40d8b4bcbbc8c2cce2ee2348dbf3f3b36d2a3f5144d6f63b9be0b0fe53d1ffaeee4ee19eb127

(no path recorded)
  Filesize  171KB
  MD5       9c0c641c06238516f27941aa1166d427
  SHA1      64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

(no path recorded)
  Filesize  80KB
  MD5       de88ad0947de836437a79726eaa6a853
  SHA1      8963c3b9e0d302c1b0d269e524fc5f5c8e183c82
  SHA256    eab4fb4671d64139add76aa75d3cb40ea4baeb3d13755c0eff7622accf3b1de2
  SHA512    21872320a6f6ba5fe8cf97e70277bc7d401935ea4b603a7d1b3829587badb5ae44aed80bdcab48c527d2aec09e4a3d0e77cf584244887f4df5ccf356454ba2ab