652dcfa352f97af40933db5d5c5c56b97875d0b0ffc877703d92413cb1f8aa63

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kiwi X External/Kiwi X External.dll.config
Size

1KB
MD5

0c6c99f46941beba3add94fc6be3a3ea
SHA1

f27c3f2e0624bb80225dc226720a52e9cef9d42a
SHA256

10d79a7eb0ca847d30c86c9fa73d3be399f6d9746c72021c1faf1453c85c6dc6
SHA512

eb1df682124d57ca04e3c4ef8158ec736d2795d740bbf66b509a8cba0fa3612943ca0742774cdad4b0807523b3e5246479965c0cc5929e86139c35583f48ea78

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2456	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2456	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2456	AcroRd32.exe
2456	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2456	2852	cmd.exe	29
PID 2852 wrote to memory of 2456	2852	cmd.exe	29
PID 2852 wrote to memory of 2456	2852	cmd.exe	29
PID 2852 wrote to memory of 2456	2852	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Kiwi X External\Kiwi X External.dll.config"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Kiwi X External\Kiwi X External.dll.config"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
1c3ce329e49f1552129252d893ce1f40

SHA1
7521fdbde02e0a82e0a8522cfe3ff233685957f8

SHA256
f7af80a79a335477df3c7146f273a47848883f8642994aff9d34243df951c166

SHA512
91fea5e52e1a3a69aece66bb5e9cfda7498dc6949c4d150ddf876acc50c00e0b9e98c36a70f2fda8068a4519e1f9e5c52d376e4c96806a6b9dfb8bb9c5e158c2

Download Submit