Overview

Task                         Platform              Score
overview                     -                     8
static                       -                     3
Kiwi X/DiscordRPC.dll        windows7-x64          1
Kiwi X/DiscordRPC.dll        windows10-2004-x64    1
Kiwi X/Kiw...er.exe          windows7-x64          8
Kiwi X/Kiw...er.exe          windows10-2004-x64    8
Kiwi X/KiwiAPI.dll           windows7-x64          1
Kiwi X/KiwiAPI.dll           windows10-2004-x64    1
Kiwi X/Mic...re.dll          windows7-x64          1
Kiwi X/Mic...re.dll          windows10-2004-x64    1
Kiwi X/Mic...ms.dll          windows7-x64          1
Kiwi X/Mic...ms.dll          windows10-2004-x64    1
Kiwi X/Mic...pf.dll          windows7-x64          1
Kiwi X/Mic...pf.dll          windows10-2004-x64    1
Kiwi X/Mon...o.html          windows7-x64          1
Kiwi X/Mon...o.html          windows10-2004-x64    1
Kiwi X/Mon...ain.js          windows7-x64          1
Kiwi X/Mon...ain.js          windows10-2004-x64    1
Kiwi X/Mon...bat.js          windows7-x64          1
Kiwi X/Mon...bat.js          windows10-2004-x64    1
Kiwi X/Mon...fee.js          windows7-x64          1
Kiwi X/Mon...fee.js          windows10-2004-x64    1
Kiwi X/Mon...cpp.js          windows7-x64          1
Kiwi X/Mon...cpp.js          windows10-2004-x64    1
Kiwi X/Mon...arp.js          windows7-x64          1
Kiwi X/Mon...arp.js          windows10-2004-x64    1
Kiwi X/Mon...csp.js          windows7-x64          1
Kiwi X/Mon...csp.js          windows10-2004-x64    1
Kiwi X/Mon...css.js          windows7-x64          1
Kiwi X/Mon...css.js          windows10-2004-x64    1
Kiwi X/Mon...ile.js          windows7-x64          1
Kiwi X/Mon...ile.js          windows10-2004-x64    1
Kiwi X/Mon...arp.js          windows7-x64          1
Kiwi X/Mon...arp.js          windows10-2004-x64    1
Analysis

- max time kernel: 300s
- max time network: 379s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/01/2024, 19:36
Tasks

Task           Sample                                                        Resource
static1        -                                                             -
behavioral1    Kiwi X/DiscordRPC.dll                                         win7-20231215-en
behavioral2    Kiwi X/DiscordRPC.dll                                         win10v2004-20231222-en
behavioral3    Kiwi X/Kiwi X Bootstrapper.exe                                win7-20231215-en
behavioral4    Kiwi X/Kiwi X Bootstrapper.exe                                win10v2004-20231215-en
behavioral5    Kiwi X/KiwiAPI.dll                                            win7-20231215-en
behavioral6    Kiwi X/KiwiAPI.dll                                            win10v2004-20231222-en
behavioral7    Kiwi X/Microsoft.Web.WebView2.Core.dll                        win7-20231215-en
behavioral8    Kiwi X/Microsoft.Web.WebView2.Core.dll                        win10v2004-20231215-en
behavioral9    Kiwi X/Microsoft.Web.WebView2.WinForms.dll                    win7-20231129-en
behavioral10   Kiwi X/Microsoft.Web.WebView2.WinForms.dll                    win10v2004-20231215-en
behavioral11   Kiwi X/Microsoft.Web.WebView2.Wpf.dll                         win7-20231215-en
behavioral12   Kiwi X/Microsoft.Web.WebView2.Wpf.dll                         win10v2004-20231215-en
behavioral13   Kiwi X/Monaco/Monaco.html                                     win7-20231215-en
behavioral14   Kiwi X/Monaco/Monaco.html                                     win10v2004-20231222-en
behavioral15   Kiwi X/Monaco/vs/base/worker/workerMain.js                    win7-20231129-en
behavioral16   Kiwi X/Monaco/vs/base/worker/workerMain.js                    win10v2004-20231215-en
behavioral17   Kiwi X/Monaco/vs/basic-languages/bat/bat.js                   win7-20231129-en
behavioral18   Kiwi X/Monaco/vs/basic-languages/bat/bat.js                   win10v2004-20231222-en
behavioral19   Kiwi X/Monaco/vs/basic-languages/coffee/coffee.js             win7-20231215-en
behavioral20   Kiwi X/Monaco/vs/basic-languages/coffee/coffee.js             win10v2004-20231215-en
behavioral21   Kiwi X/Monaco/vs/basic-languages/cpp/cpp.js                   win7-20231215-en
behavioral22   Kiwi X/Monaco/vs/basic-languages/cpp/cpp.js                   win10v2004-20231215-en
behavioral23   Kiwi X/Monaco/vs/basic-languages/csharp/csharp.js             win7-20231215-en
behavioral24   Kiwi X/Monaco/vs/basic-languages/csharp/csharp.js             win10v2004-20231215-en
behavioral25   Kiwi X/Monaco/vs/basic-languages/csp/csp.js                   win7-20231215-en
behavioral26   Kiwi X/Monaco/vs/basic-languages/csp/csp.js                   win10v2004-20231215-en
behavioral27   Kiwi X/Monaco/vs/basic-languages/css/css.js                   win7-20231215-en
behavioral28   Kiwi X/Monaco/vs/basic-languages/css/css.js                   win10v2004-20231215-en
behavioral29   Kiwi X/Monaco/vs/basic-languages/dockerfile/dockerfile.js     win7-20231215-en
behavioral30   Kiwi X/Monaco/vs/basic-languages/dockerfile/dockerfile.js     win10v2004-20231215-en
behavioral31   Kiwi X/Monaco/vs/basic-languages/fsharp/fsharp.js             win7-20231215-en
behavioral32   Kiwi X/Monaco/vs/basic-languages/fsharp/fsharp.js             win10v2004-20231222-en
General

- Target: Kiwi X/Kiwi X Bootstrapper.exe
- Size: 178KB
- MD5: 9f07ff71a41d0707a88c679aeead9bc1
- SHA1: 4c003b20f81fda703383c3751ac2bdeb41a57987
- SHA256: 4d819c0df101498676f943c688edcd812161be8e82fd2a1877b5690cd3679ca9
- SHA512: c1537f0050fd22edcbd5e47bf4c13754a9126ebe897a2be42d45e302e1dbad2da69af0487a3d2eb373184ddb1c682dbef27ddef616faf5f0c19bd566ae767d62
- SSDEEP: 768:TIEJncjFwUuDtL1uogdqbYBKuv4+CdQpKEBy0lGtCvvApflHp+jEJOxCjZonIrjs:TmMmKzz3GMIh5
Malware Config

Signatures

- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation
  Process: Kiwi X Bootstrapper.exe
- Executes dropped EXE (1 IoC)
  PID 1136, Process: Kiwi X.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 4620, Process: Kiwi X Bootstrapper.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4620, Process: Kiwi X Bootstrapper.exe
  Token: SeDebugPrivilege, PID 1136, Process: Kiwi X.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4620 (Kiwi X Bootstrapper.exe) wrote to memory of PID 1136, procid_target 95; recorded three times
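The signatures above are listed one at a time; in endpoint telemetry they become actionable only when correlated per process, because a geofence registry read on its own is produced by plenty of legitimate software. The following is an added example and not part of the sandbox report or of the Kiwi X software: a Python correlation that replays constructed process, registry, token and memory-write events modelled on this report's PIDs and paths, tags them with the report's signature names, and alerts only on the combination. The event records, the `file_write` step that makes "dropped" decidable, the benign explorer.exe control case and the extra label "Writes into own child process" are all assumptions for the illustration.

```python
"""Correlating the behaviours this report lists (geofence registry lookup,
SeDebugPrivilege, WriteProcessMemory into a just-spawned child, execution of
a dropped EXE) over process telemetry. The event records below are
constructed for this example; they reuse the PIDs and paths the sandbox
reported but are not the sandbox's own log."""
from collections import defaultdict

# Geo\Nation is where Windows stores the user's configured country code.
GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"

# Constructed telemetry (not from the report). A benign explorer.exe reading
# the same key is included as a control case.
EVENTS = [
    {"type": "process_create", "pid": 4620, "ppid": 2200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe"},
    {"type": "registry_query", "pid": 4620,
     "key": r"\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "token_adjust", "pid": 4620, "privilege": "SeDebugPrivilege"},
    {"type": "file_write", "pid": 4620,
     "path": r"C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe"},
    {"type": "process_create", "pid": 1136, "ppid": 4620,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe"},
    {"type": "write_process_memory", "pid": 4620, "target_pid": 1136},
    {"type": "write_process_memory", "pid": 4620, "target_pid": 1136},
    {"type": "write_process_memory", "pid": 4620, "target_pid": 1136},
    {"type": "token_adjust", "pid": 1136, "privilege": "SeDebugPrivilege"},
    {"type": "process_create", "pid": 900, "ppid": 1,
     "image": r"C:\Windows\explorer.exe"},
    {"type": "registry_query", "pid": 900,
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
]


def correlate(events):
    """Replay events in order and return {pid: sorted signature names}.

    Signature names follow the report; "Writes into own child process" is an
    extra label added here (an assumption, not one of the sandbox's)."""
    parent, written, hits = {}, set(), defaultdict(set)
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "file_write":
            # Remember every path a process writes so a later execution of
            # that path can be classified as running a dropped file.
            written.add(ev["path"].lower())
        elif kind == "process_create":
            parent[pid] = ev["ppid"]
            if ev["image"].lower() in written:
                hits[pid].add("Executes dropped EXE")
        elif kind == "registry_query":
            if ev["key"].lower().endswith(GEO_KEY_SUFFIX):
                hits[pid].add("Checks computer location settings")
        elif kind == "token_adjust":
            if ev["privilege"] == "SeDebugPrivilege":
                hits[pid].add("Suspicious use of AdjustPrivilegeToken")
        elif kind == "write_process_memory":
            target = ev["target_pid"]
            if target != pid:
                hits[pid].add("Suspicious use of WriteProcessMemory")
                if parent.get(target) == pid:
                    hits[pid].add("Writes into own child process")
    return {pid: sorted(sigs) for pid, sigs in hits.items()}


def verdict(hits):
    """PIDs worth alerting on. A lone geofence registry read is noisy
    (explorer.exe and locale-aware apps do it), so require either the
    injection-shaped pair (debug privilege plus cross-process memory write)
    or three distinct behaviours on one process."""
    flagged = set()
    for pid, sigs in hits.items():
        injection = ("Suspicious use of AdjustPrivilegeToken" in sigs
                     and "Suspicious use of WriteProcessMemory" in sigs)
        if injection or len(sigs) >= 3:
            flagged.add(pid)
    return flagged


if __name__ == "__main__":
    matched = correlate(EVENTS)
    for pid in sorted(matched):
        print(pid, matched[pid])
    print("alert on:", sorted(verdict(matched)))
```

Run stand-alone, the script attributes four behaviours to PID 4620, two to its child 1136 and one to the explorer.exe control, and the verdict fires on 4620 alone. The `file_write` step is what turns "Executes dropped EXE" into something a detector can decide from telemetry rather than from the sandbox's knowledge of its own submission.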
Processes

1. C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe"
   PID: 4620
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe (child of PID 4620)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe"
      PID: 1136
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Kiwi_X_WPF\Kiwi_X.exe_Url_r0xbolx2byytzmmw2u1fc3xa1yugsbjn\1.1.0.0\user.config
  Filesize: 310B
  MD5: fc4bddde3292e03d5586f62d92189b1b
  SHA1: ceeba68f267f5568b9b0766468724ff8b608d412
  SHA256: dc981b12d99456f4676ee1352af94da5292cd618b416aeedc8d8ba5a492c3e1b
  SHA512: 94155fbd6e0f54fe282752d5cad19bf09c4835ce96a466a5a38bd7024ed1090d58ee672a0d5f09c918df2ee79c795c59ef79ca182213f78801cfc649760b3c73

- C:\Users\Admin\AppData\Local\Kiwi_X_WPF\Kiwi_X.exe_Url_r0xbolx2byytzmmw2u1fc3xa1yugsbjn\1.1.0.0\user.config
  Filesize: 416B
  MD5: d573b0eb98c6d04c74993871673fb128
  SHA1: d1bef264405318467a8d82e6a9a2de816cf85459
  SHA256: e38fe2de9ec915b66b5ba2f128fa3eea59d5b273abca60c999381f77d20779ad
  SHA512: 2d384a40a630cbc2d78e6fc1f832438d898f9e81c4650836dad32caadd871aa0d633b47446609610802e1c16925e476a944f5eeedcb8940ed677ce7ad849dcd9

- Filesize: 1.6MB
  MD5: 65d850ea6249b29482fdf6441464c727
  SHA1: 762c553b7f252a279f6a1a64c2375f2430905b34
  SHA256: a9a9c21344ee06e8386ddf606783dbcf9eff60533135875f38866eb5ae742c0e
  SHA512: 3bbebf28d4ff730011e818af8721e663574d82ccc91b5941844c18806d55540c66b23f9621d20c8ee45db70f56b36faff97e59a928108224c4eedfb8e51898e8

- Filesize: 1.3MB
  MD5: 60da4a8f33288a5993378bb5130f7bfc
  SHA1: a4b36ffa98f89b8586fbf34312d5b9d60d472911
  SHA256: 1268474ad20cbf8acfa048b9fccac866f1f9ff018f5cfd069049619936c8313f
  SHA512: 1b4a889b60b522f6cc9010c4841383f8c2a8c18d0137c8ac406ac52f2a2b6580c8351a9512c8cd0f748b83b2052a5c73d791e4af9e753eb4a2925079627c6a6c

- Filesize: 1.7MB
  MD5: 806998bb6f4fc3fe3f0beb390799f28b
  SHA1: 445beca37ebd66c54f7eec9c296c6e28b1a9fe89
  SHA256: 33dacaaf579d61d885605998835b3d9355d4d04d6b400ced1895a4583fa48787
  SHA512: 145ff2d9e335a76fb72fe0f56f7e557b96aef4c313ae7858bb7248c1a82a92bab2bc1274750e9964c5a2db62790d7a4562c54118268774e80da8b1082f7c46c7