Analysis
max time kernel: 57s
max time network: 58s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09/11/2024, 20:59
Static task: static1
Behavioral task: behavioral1
Sample: Kiwi X Executor.exe
Resource: win11-20241007-en
General
Target: Kiwi X Executor.exe
Size: 1.6MB
MD5: 1f0681ba18a05929f9db7ed7dbaf2f61
SHA1: 98ee7fc0ab702121f3bd9084a01dd1d176837cd6
SHA256: 8b717718ee4855074bda41bed7366d5139a05ffc04978b36319e6ec55164f08e
SHA512: 1c268d9a4fb5ff7ae7710f586a27943e3e2d6c3f1af32f9e9fd8ae843fc0cd7a6805f4b9d9f790263464657cdada0693caf0b2b3c39c4b09bb0165bb54e3a524
SSDEEP: 24576:gawwKusHwEwS2DGqKFOkKzO6I6h6gEGe/NIsWvMyCShxE3:wwRED7pShv2NuMsE3
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2852, process Kiwi X Executor.tmp
- Loads dropped DLL (1 IoC)
  pid 2852, process Kiwi X Executor.tmp
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (3 IoCs)
  File created: C:\Program Files (x86)\Setup\is-1D3RS.tmp (process Kiwi X Executor.tmp)
  File opened for modification: C:\Program Files (x86)\Setup\unins000.dat (process Kiwi X Executor.tmp)
  File created: C:\Program Files (x86)\Setup\unins000.dat (process Kiwi X Executor.tmp)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process Kiwi X Executor.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process Kiwi X Executor.tmp)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process msedge.exe)
- Modifies registry class (4 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix (process BackgroundTransferHost.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" (process BackgroundTransferHost.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" (process BackgroundTransferHost.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache (process BackgroundTransferHost.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid/process: 2396 msedge.exe; 2396 msedge.exe; 1932 msedge.exe; 1932 msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  pid/process: 1932 msedge.exe; 1932 msedge.exe
- Suspicious use of FindShellTrayWindow (27 IoCs)
  pid/process: 2852 Kiwi X Executor.tmp; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe
- Suspicious use of SendNotifyMessage (12 IoCs)
  pid/process: 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe; 1932 msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\Kiwi X Executor.exe (PID 4168)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Kiwi X Executor.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-QSMAA.tmp\Kiwi X Executor.tmp (PID 2852)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-QSMAA.tmp\Kiwi X Executor.tmp" /SL5="$700DC,865850,776192,C:\Users\Admin\AppData\Local\Temp\Kiwi X Executor.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1932)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://sheettail.sbs/tracker/thank_you.php?trk=2772
      Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4408)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc597d3cb8,0x7ffc597d3cc8,0x7ffc597d3cd8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2480)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,3356879792164473771,13063534059329282760,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2052 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2396)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,3356879792164473771,13063534059329282760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
        Signatures: Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4600)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,3356879792164473771,13063534059329282760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1200)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,3356879792164473771,13063534059329282760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1640)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,3356879792164473771,13063534059329282760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 2504)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 3916)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\BackgroundTransferHost.exe (PID 3916)
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
  Signatures: Modifies registry class
- C:\Windows\System32\rundll32.exe (PID 2988)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads