Analysis

  • max time kernel
    57s
  • max time network
    58s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09/11/2024, 20:59

General

  • Target

    Kiwi X Executor.exe

  • Size

    1.6MB

  • MD5

    1f0681ba18a05929f9db7ed7dbaf2f61

  • SHA1

    98ee7fc0ab702121f3bd9084a01dd1d176837cd6

  • SHA256

    8b717718ee4855074bda41bed7366d5139a05ffc04978b36319e6ec55164f08e

  • SHA512

    1c268d9a4fb5ff7ae7710f586a27943e3e2d6c3f1af32f9e9fd8ae843fc0cd7a6805f4b9d9f790263464657cdada0693caf0b2b3c39c4b09bb0165bb54e3a524

  • SSDEEP

    24576:gawwKusHwEwS2DGqKFOkKzO6I6h6gEGe/NIsWvMyCShxE3:wwRED7pShv2NuMsE3

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kiwi X Executor.exe
    "C:\Users\Admin\AppData\Local\Temp\Kiwi X Executor.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4168
    • C:\Users\Admin\AppData\Local\Temp\is-QSMAA.tmp\Kiwi X Executor.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-QSMAA.tmp\Kiwi X Executor.tmp" /SL5="$700DC,865850,776192,C:\Users\Admin\AppData\Local\Temp\Kiwi X Executor.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://sheettail.sbs/tracker/thank_you.php?trk=2772
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc597d3cb8,0x7ffc597d3cc8,0x7ffc597d3cd8
          4⤵
            PID:4408
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,3356879792164473771,13063534059329282760,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2052 /prefetch:2
            4⤵
              PID:2480
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,3356879792164473771,13063534059329282760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:2396
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,3356879792164473771,13063534059329282760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
              4⤵
                PID:4600
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,3356879792164473771,13063534059329282760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
                4⤵
                  PID:1200
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,3356879792164473771,13063534059329282760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
                  4⤵
                    PID:1640
            • C:\Windows\System32\CompPkgSrv.exe
              C:\Windows\System32\CompPkgSrv.exe -Embedding
              1⤵
                PID:2504
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:3916
                • C:\Windows\system32\BackgroundTransferHost.exe
                  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
                  1⤵
                  • Modifies registry class
                  PID:3916
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  1⤵
                    PID:2988

                  Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

                          Filesize

                          1KB

                          MD5

                          67e486b2f148a3fca863728242b6273e

                          SHA1

                          452a84c183d7ea5b7c015b597e94af8eef66d44a

                          SHA256

                          facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

                          SHA512

                          d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

                          Filesize

                          436B

                          MD5

                          971c514f84bba0785f80aa1c23edfd79

                          SHA1

                          732acea710a87530c6b08ecdf32a110d254a54c8

                          SHA256

                          f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

                          SHA512

                          43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

                          Filesize

                          174B

                          MD5

                          7c16e365f1a457d84da9f32a15e9dd8a

                          SHA1

                          103328c4c2831307e9f018efc7de1bc1f928c08e

                          SHA256

                          090d681814adcd1334a98d44d42d3be2f694eb3ff701d5a4c0263546d92ded6b

                          SHA512

                          895f6b1708bbe1b1a13ebb1cb2bd78d470ea5780952b5b0ca491b6e1b488abb5336f7528a33ce0faafc39d36be5468afd9260f33c5afad39ba21fae09dec27b6

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

                          Filesize

                          170B

                          MD5

                          1a77f9689960ee47c4de9bd0f616483d

                          SHA1

                          98080c815e61ede94e5eec6cd9a53ed64582c499

                          SHA256

                          314760173842f625710a8f7d9e4fdc9f03f7e91b2db52bb15e04ee53531b2da4

                          SHA512

                          82e2d9b44dd359a32d4d679f1c176bdf1efd44a4e59a692e756210beb87ddde41d0d5ff30f06aa51fdedca8c32b4359d63d88ba1273309fe2daffc860442728b

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                          Filesize

                          152B

                          MD5

                          cb557349d7af9d6754aed39b4ace5bee

                          SHA1

                          04de2ac30defbb36508a41872ddb475effe2d793

                          SHA256

                          cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

                          SHA512

                          f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                          Filesize

                          152B

                          MD5

                          aad1d98ca9748cc4c31aa3b5abfe0fed

                          SHA1

                          32e8d4d9447b13bc00ec3eb15a88c55c29489495

                          SHA256

                          2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

                          SHA512

                          150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                          Filesize

                          554B

                          MD5

                          b697800c2138d1064738e1db7de894c2

                          SHA1

                          2acd1c92cc619cf45294590e2f365edf32616991

                          SHA256

                          76b1043da1c8020ff3be8a0b05345201a078b1959eb4d3cf9384b79b78da1fc1

                          SHA512

                          e6c66f5ace0975197d717ecdb87c541b438695ff8a7a348b2b65a6775b3fc8214b8cf97a2bf2e87bd56ef9633c13fa71b94bae8b6748b3333e4af7007b62c7fd

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                          Filesize

                          5KB

                          MD5

                          71f187be7c55a628c47c51d95234fa45

                          SHA1

                          a464c6b38d3f72b0aaa1e7760b77bf84f79b708d

                          SHA256

                          39f1ad33a476f4c56f05720de9b1fa168e9e4d8cc1e0c08fdf3fdf63de33f3a4

                          SHA512

                          1b290817cf68003e672e726001dfd48edbd39619640c8970cacc11adb1e07c0552604c9985c067e5199a5c90beea2d9f1decb5dadfaaf1ef3efc21b01ba699e2

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                          Filesize

                          6KB

                          MD5

                          c7d838bf25c06b00234c4ac0606b2ba1

                          SHA1

                          d3e36ee540b31c2ef3cf141dc86258e9249e8bff

                          SHA256

                          ae99b0203b9249c26b2b6521763f051d32ae8c96a5632329e9ac445fdae09816

                          SHA512

                          911393b18cca01e87e93ad0cc75be67fd7e7cc3be5c012e64bcf6ccad4d6e815272b1ef95f7f733aa9b1b5711aef89bc5e470e22831237579ba0971222d32237

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                          Filesize

                          10KB

                          MD5

                          92d1cc82e159b1b323df058950e6f438

                          SHA1

                          0e84ced04ad9870717f61c3d38581366bcc1982a

                          SHA256

                          f9bfae208632949ba54b0f91e1d57d0c72b2ca373e1850b09adc55ba05b29020

                          SHA512

                          6aee56a962690687e3011d941804d51c89fba47b42aa4b241e1ee8cc8657f7d5199015d8e758277943ea623ca3132d97d3c0eb6a927bb38be5e8bc5907e3e9ec

                        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\913ef47e-a709-47f7-baa1-b22e6d038907.down_data

                          Filesize

                          555KB

                          MD5

                          5683c0028832cae4ef93ca39c8ac5029

                          SHA1

                          248755e4e1db552e0b6f8651b04ca6d1b31a86fb

                          SHA256

                          855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

                          SHA512

                          aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

                        • C:\Users\Admin\AppData\Local\Temp\is-PNQOH.tmp\idp.dll

                          Filesize

                          232KB

                          MD5

                          55c310c0319260d798757557ab3bf636

                          SHA1

                          0892eb7ed31d8bb20a56c6835990749011a2d8de

                          SHA256

                          54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

                          SHA512

                          e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

                        • C:\Users\Admin\AppData\Local\Temp\is-QSMAA.tmp\Kiwi X Executor.tmp

                          Filesize

                          3.0MB

                          MD5

                          06bae890723e6696a2b72e06a219edd4

                          SHA1

                          9cbafe846d404dd6df418fd03f3bc96009e7441b

                          SHA256

                          737a57195cbff966983fbed30e3ee582f5f20b8555ab73e503d5c2dde0dc8855

                          SHA512

                          a05a4a54106f85caadec0fc40bffcfa1350a9fa94b35ef3e1fad4741079ca813a6612960da6647b8a7aa40560bb076d82777e86022d89d9589b84be8d8af59e3

                        • memory/2852-32-0x0000000000400000-0x0000000000706000-memory.dmp

                          Filesize

                          3.0MB

                        • memory/2852-21-0x0000000000400000-0x0000000000706000-memory.dmp

                          Filesize

                          3.0MB

                        • memory/2852-7-0x0000000000400000-0x0000000000706000-memory.dmp

                          Filesize

                          3.0MB

                        • memory/4168-0-0x0000000000400000-0x00000000004CB000-memory.dmp

                          Filesize

                          812KB

                        • memory/4168-33-0x0000000000400000-0x00000000004CB000-memory.dmp

                          Filesize

                          812KB

                        • memory/4168-20-0x0000000000400000-0x00000000004CB000-memory.dmp

                          Filesize

                          812KB

                        • memory/4168-2-0x0000000000401000-0x00000000004A9000-memory.dmp

                          Filesize

                          672KB