Overview
Static (score 10)
Score  Sample                   Platform
10     Korepi.rar               windows10-1703-x64
10     Korepi/Korepi.exe        windows10-1703-x64
10     Korepi/chr...nt.pak      windows10-1703-x64
3      Korepi/chr...nt.pak      windows10-1703-x64
3      Korepi/con...ig.xml      windows10-1703-x64
1      Korepi/con...es.pdb      windows10-1703-x64
3      Korepi/d3d...47.dll      windows10-1703-x64
3      Korepi/d4d...er.xml      windows10-1703-x64
1      Korepi/dll/ffmpeg.dll    windows10-1703-x64
1      Korepi/dll/libEGL.dll    windows10-1703-x64
1      Korepi/dll...v2.dll      windows10-1703-x64
3      Korepi/dll...er.dll      windows10-1703-x64
3      Korepi/dll...d.json      windows10-1703-x64
3      Korepi/dll...-1.dll      windows10-1703-x64
3      Korepi/ffmpeg.dll        windows10-1703-x64
1      Korepi/icudtl.dat        windows10-1703-x64
3      Korepi/libEGL.dll        windows10-1703-x64
1      Korepi/libGLESv2.dll     windows10-1703-x64
3      Korepi/system.yaml       windows10-1703-x64
3      Korepi/sys...gl.pdb      windows10-1703-x64
3      Korepi/vgrl.dll          windows10-1703-x64
1      Korepi/vivoxsdk.dll      windows10-1703-x64
Analysis (1)
Max time kernel: 132s
Max time network: 141s
Platform: windows10-1703_x64
Resource: win10-20231215-en
Resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 08/02/2024, 19:33
Behavioral tasks
Task          Sample                               Resource
behavioral1   Korepi.rar                           win10-20231215-en
behavioral2   Korepi/Korepi.exe                    win10-20231220-en
behavioral3   Korepi/chrome_100_percent.pak        win10-20231215-en
behavioral4   Korepi/chrome_200_percent.pak        win10-20231215-en
behavioral5   Korepi/config/config.xml             win10-20231215-en
behavioral6   Korepi/config/resources.pdb          win10-20231215-en
behavioral7   Korepi/d3dcompiler_47.dll            win10-20231215-en
behavioral8   Korepi/d4dcompiler.xml               win10-20231215-en
behavioral9   Korepi/dll/ffmpeg.dll                win10-20231220-en
behavioral10  Korepi/dll/libEGL.dll                win10-20231215-en
behavioral11  Korepi/dll/libGLESv2.dll             win10-20231215-en
behavioral12  Korepi/dll/vk_swiftshader.dll        win10-20231215-en
behavioral13  Korepi/dll/vk_swiftshader_icd.json   win10-20231220-en
behavioral14  Korepi/dll/vulkan-1.dll              win10-20231215-en
behavioral15  Korepi/ffmpeg.dll                    win10-20231215-en
behavioral16  Korepi/icudtl.dat                    win10-20231215-en
behavioral17  Korepi/libEGL.dll                    win10-20231215-en
behavioral18  Korepi/libGLESv2.dll                 win10-20231215-en
behavioral19  Korepi/system.yaml                   win10-20231215-en
behavioral20  Korepi/systemlibegl.pdb              win10-20231215-en
behavioral21  Korepi/vgrl.dll                      win10-20231215-en
behavioral22  Korepi/vivoxsdk.dll                  win10-20231215-en
General
Target: Korepi.rar
Size: 22.4MB
MD5: ecb834d94edbee6f13e0851fa6caf1f4
SHA1: 3212af8c23e6c19ef53b6b7d711397676b508e26
SHA256: 3343644e85fc33f8cd3b97e0f7275053f1c272932379c61b3c0d3c620a23a4ee
SHA512: 12e31a8d653f68c5b4af69b9f20622923fd1f28ea414e5dcdc2be373f5a4fcc860f01fafee3b11dca018568c3f602ad1d484c3c19c050ef5348d1c0bb6091254
SSDEEP: 393216:daXr/gp4rHPuszFA5Hj/9/gp4rWcQQtwvxPCsWQQs/uszDq2Z/SE/Mb4KZnJsQwJ:di/gp6HHijV/gp6WVQGhW3stzZREb4Qq
Malware Config
Extracted
Family: 44caliber
Discord webhook (exfiltration endpoint): https://discord.com/api/webhooks/1204820036871651418/CUplXl5h8mK8wayRD4L98BI20GJlZ7pUqazPKIFG3k71PQZAQLEztS-LsGq873wkB2Tf
Signatures
Executes dropped EXE (3 IoCs)
pid   Process
392   Korepi.exe
3872  Korepi.exe
2828  Korepi.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
10    freegeoip.app
11    freegeoip.app
27    freegeoip.app
39    freegeoip.app

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments. Legitimate software reads the same key, so on its own this is a weak signal; weigh it together with the other behaviours in this report.
description        ioc                                                                          Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  Korepi.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             Korepi.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  Korepi.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             Korepi.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  Korepi.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             Korepi.exe

Modifies registry class (1 IoC)
description  ioc                                                                                  Process
Key created  \REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Local Settings  cmd.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   Process
392   Korepi.exe
392   Korepi.exe
392   Korepi.exe
392   Korepi.exe
5084  7zFM.exe
5084  7zFM.exe
3872  Korepi.exe
3872  Korepi.exe
3872  Korepi.exe
3872  Korepi.exe
2828  Korepi.exe
2828  Korepi.exe
2828  Korepi.exe
2828  Korepi.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
5084  7zFM.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description                                               pid   Process
Token: SeRestorePrivilege                                 5084  7zFM.exe
Token: 35 (SE_CREATE_SYMBOLIC_LINK_PRIVILEGE in winnt.h)  5084  7zFM.exe
Token: SeSecurityPrivilege                                5084  7zFM.exe
Token: SeDebugPrivilege                                   392   Korepi.exe
Token: SeSecurityPrivilege                                5084  7zFM.exe
Token: SeDebugPrivilege                                   3872  Korepi.exe
Token: SeDebugPrivilege                                   2828  Korepi.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid   Process
5084  7zFM.exe
5084  7zFM.exe
5084  7zFM.exe
5084  7zFM.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid   Process   procid_target
PID 448 wrote to memory of 5084   448   cmd.exe   73
PID 448 wrote to memory of 5084   448   cmd.exe   73
PID 5084 wrote to memory of 392   5084  7zFM.exe  75
PID 5084 wrote to memory of 392   5084  7zFM.exe  75
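The extracted 44caliber config and the signatures above give a responder three things to act on: a Discord webhook to report and block, a registry read used to fingerprint the host, and DNS flows to an IP-lookup service. The following Python is an added example, not tria.ge's code and not code from the sample. It decodes the webhook id as a Discord snowflake to recover when the webhook was created (bits 22 and up are milliseconds since the Discord epoch of 2015-01-01), and runs two small matchers over constructed event and flow lists copied from the tables above. The event and flow tuple shapes, and the IP-lookup hostnames other than freegeoip.app, are assumptions made for the illustration; nothing here contacts Discord or the lookup service.

```python
"""Triage helpers for the artefacts in this 44caliber report.

Added example (not tria.ge code and not part of the sample): it turns the
extracted Discord webhook and the behavioural IoCs above into things a
responder can act on, using string handling only, so it never contacts Discord.
"""
import re
from datetime import datetime, timezone

# Discord snowflake epoch, 2015-01-01T00:00:00Z, in milliseconds (Discord API docs).
DISCORD_EPOCH_MS = 1_420_070_400_000

# discord.com / discordapp.com webhook URLs, optionally on the ptb/canary hosts.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    r"(\d{17,20})/([A-Za-z0-9_\-]+)"
)

# Registry key the sample queried to fingerprint the CPU (sandbox check above).
CPU_ID_KEY_RE = re.compile(
    r"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", re.IGNORECASE
)

# freegeoip.app is the host from this report; the other entries are commonly
# abused IP-lookup services added here as an assumption, extend to taste.
IP_LOOKUP_HOSTS = {"freegeoip.app", "api.ipify.org", "ipinfo.io", "ip-api.com"}


def discord_webhook_parts(url):
    """Split a webhook URL into id/token and decode when the webhook was created.

    The id is a Discord snowflake: bits 22..63 are milliseconds since
    DISCORD_EPOCH_MS, so the creation time falls out without any network call.
    Returns None when the URL is not a Discord webhook.
    """
    m = WEBHOOK_RE.search(url)
    if not m:
        return None
    webhook_id, token = m.group(1), m.group(2)
    created_ms = (int(webhook_id) >> 22) + DISCORD_EPOCH_MS
    created = datetime.fromtimestamp(created_ms // 1000, tz=timezone.utc)
    return {
        "id": webhook_id,
        "token": token,
        "created_utc": created.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def extract_webhooks(text):
    """All distinct Discord webhook URLs in a blob (strings output, config dump)."""
    return sorted({m.group(0) for m in WEBHOOK_RE.finditer(text)})


def sandbox_check_processes(events):
    """events: iterable of (process, operation, registry_key) tuples.
    Returns the processes that touched the CPU identifier key."""
    return sorted({proc for proc, _op, key in events if CPU_ID_KEY_RE.search(key)})


def ip_lookup_flows(flows):
    """flows: iterable of (flow_id, hostname). Returns flow ids to IP-lookup services."""
    return [fid for fid, host in flows if host.lower() in IP_LOOKUP_HOSTS]


# Constructed sample input, copied from the config and signature tables in this report.
CONFIG_BLOB = (
    "44caliber https://discord.com/api/webhooks/1204820036871651418/"
    "CUplXl5h8mK8wayRD4L98BI20GJlZ7pUqazPKIFG3k71PQZAQLEztS-LsGq873wkB2Tf"
)
REGISTRY_EVENTS = [
    ("Korepi.exe", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"),
    ("Korepi.exe", "Key opened",
     r"\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0"),
    ("cmd.exe", "Key created",
     r"\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Local Settings"),
]
DNS_FLOWS = [(10, "freegeoip.app"), (11, "freegeoip.app"), (27, "freegeoip.app"),
             (39, "freegeoip.app"), (12, "discord.com")]


def triage(blob=CONFIG_BLOB, events=REGISTRY_EVENTS, flows=DNS_FLOWS):
    """Bundle the three checks into one dict suitable for a ticket or a blocklist."""
    return {
        "webhooks": [discord_webhook_parts(u) for u in extract_webhooks(blob)],
        "sandbox_check_processes": sandbox_check_processes(events),
        "ip_lookup_flows": ip_lookup_flows(flows),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run it as a script to print the triage dict; for this report's webhook the decoded creation time is the day before the sample was submitted. Treat the token as the attacker's credential: report the URL to Discord for takedown and add the webhook id to your blocklist, and do not post to it from an analyst network.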
Processes
C:\Windows\system32\cmd.exe  (PID 448)
  cmd /c C:\Users\Admin\AppData\Local\Temp\Korepi.rar
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Program Files\7-Zip\7zFM.exe  (PID 5084)
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Korepi.rar"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7zOCD377338\Korepi.exe  (PID 392)
      "C:\Users\Admin\AppData\Local\Temp\7zOCD377338\Korepi.exe"
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe  (PID 3104)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Korepi\Korepi.exe  (PID 3872)
  "C:\Users\Admin\Desktop\Korepi\Korepi.exe"
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\Korepi\Korepi.exe  (PID 2828)
  "C:\Users\Admin\Desktop\Korepi\Korepi.exe"
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 105B
MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize: 210B
MD5: 1267f4be35fbe5510886cf08ddee9fdd
SHA1: 04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9
SHA256: ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3
SHA512: 6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b
-
Filesize: 652B
MD5: 0383ba4b2c76672c7bf4616228443724
SHA1: 4254fa044ea48cfb3420f07d906f46fe1c6fab33
SHA256: 41a7dcefb4d502fe098a57e8b5d6df33f1dd1bfe651a5c0e3f1e988faa7aca82
SHA512: 25f369db5c9b422e0e387c93afb656b323161369557dc5d613f588b1f766a3bace180043a61a65ab1e076d68cd2507ca56212182ba61bfea5f10f50a626bd19b
-
Filesize: 652B
MD5: c79ed26e640491404c74d29855ffba40
SHA1: f7b7e48766335c17b34512d22989e236698ed85d
SHA256: 8accd6442e119c8627132b25fd1a98bae25de3355c15c48656421fd0104d3e8c
SHA512: 48313d6b2e5cc8a462ee3b392da31cdb6cca94f9c015217de9d275ed6a1554aa1ddb94c33849a080851a2715b801b024454965e326291a792d60673172cf7921
-
Filesize: 1KB
MD5: 100053f5310bb54c41aed6f690de35ad
SHA1: 7f6cb346a78166139c9f7004d01eaa2b975d97d9
SHA256: 6d44d446187279cfe6d5ef59f1990e79ea36c822d938bf00d3bd25fc13b2544d
SHA512: d3c8c9586c7d0dcc16e787c0cd2bb020253a2dc2670c8dd99348c45914c4178ffb5756a2b2b8e24ca29a37ff7ddd08d84d66d7db9f018f4a594c29b163587a85
-
Filesize: 2KB
MD5: f280f6a54b6fd5ce143f214279655276
SHA1: 9ee637548d241a6ba9e0a55d3674aa90cd4a9ce1
SHA256: 9167c08e2e7b3e33ef75a8ffcd72f54d2043eaba278dfeb0f93b3508a2fa985c
SHA512: cdbf006d5f41a0781d9ab87e8a1a2637b4c435c3d36c236c551ed533f65743d61411abb905885a3f09f73db2c3610a42ffad2d72d21d07c8f895c44829a1d68b
-
Filesize: 2KB
MD5: 8154869742c978889f1fb3184035c463
SHA1: 6f2469473585f335af02205a361866d781d44d3e
SHA256: fd73289dc40d62b266f56e2cf4f53c68633de8e569417433ba8ba7589ece2d0f
SHA512: 99a347e58cc9c2662fb8d9ba9a170511b13db162090e4818b6465b5814af5e65fe53d3f5e95048d860aa5eb85bc76eb41a39e91a90ab4b88421124ebf0a4474c
-
Filesize: 2KB
MD5: c68a73bdce9213609d19d58b77a7c333
SHA1: 4189ca2a5d6bf13deb1db2015925dea54271cc2d
SHA256: 2130523c82d9b8560ce9e42d811bd6c211ac30fb97f1c6053bcf4208c2dcb3d1
SHA512: a2f74d35979fffd4268e318b0198f21af09ebabe979081d22be85e95c3f4c99876fc92257570fceb2a52fdb7fd0ef4224367265ba416949365adde906274209e
-
Filesize: 3KB
MD5: d8eef15982dcd2278d8cab67f99ded6b
SHA1: 4e70cf7c0da7069ac973cfa416c984e1fbcca92b
SHA256: b06203ea323dcbec734862893eb77780668d5aca7985c21a434f492c4d60ebb5
SHA512: 3c94805251cb9e8ce71d33110b5f53c947697e3826a1d5896f96e78483d14a2cb28e33d832aca421f019e7b3e616e3a7065e13156d9cf2e45d9319a387efbf49
-
Filesize: 737B
MD5: d11659a8c7dca463363596b2eb557fd7
SHA1: 1b84fa515d75911f96a4a651f6e96b53cd3ec563
SHA256: a6c05e72d16ec73bbf89cf011e26175b1f6a58e171057e260438e8e9d88a88cf
SHA512: f2f2e50b16058e3551b98c16848b54c15de110d6ae123c61610428e1b11256787454706a4da8ffb5bd68f1422793d87f8887f69711d7e6b80d457cd5444ce6d3
-
Filesize: 128KB
MD5: 00cc41fe9bc1fcbb9a10bab25e974d86
SHA1: d67de5b8be5287bc3730829236dac4f38eafcbfe
SHA256: 4d07bff81ec7059c26b4e452e86ef986240ab52c8eb7de1f174d794db6bff60f
SHA512: 13075d1f20f1ad2fb95594da2227fcd85da72636d5a283e60b5ba3074a419ff33eb9f6497e26a2cc795fdc59a46f5449132339d32bcdf2fd9739a30b3865bf89
-
Filesize: 1KB
MD5: a9ad243deaee83581ee742d0ce4f4c58
SHA1: 2a399d641fe3a1dbedd32831c3d0b4e69c214df9
SHA256: 3dbce5343fda3438460000ae97a47268e90055a74f1d57b8ffa0f4ded8c13a48
SHA512: a2dd670885e2503e38ddd3b251efb2c426453fe65a28a4002f9276c690c7b323d8a13a9576ee3d5ee6ade3a5b36d7e59116978ec51ec40359430fbfebb8b580f
-
Filesize: 274KB
MD5: efa2b41e3fad6f9748f69cee22300fd8
SHA1: 9989d14b2b6876f53969ca4346109fd377013a71
SHA256: f8caf6d4c0c782dc6f40399a72286412dba50c081c38efee96417910516e0123
SHA512: 2bca7353443a8e771abdd71780545f08e20d9231161802a7d838860f6149c07bf912142cf2c2def98439ee3d8904c65fb7f0a2f229dcf73575270062c3f60ec6
-
Filesize: 46KB
MD5: 02d2c46697e3714e49f46b680b9a6b83
SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize: 5.0MB
MD5: 7a8dbbd21d9a460640782baeaaaa42a4
SHA1: f9c5b5763051773d14570f5466a842df3292c2c5
SHA256: e238538ef876f380b162fb1b22359228fcafe8143a45c22ce5dcb4337ab30da7
SHA512: c72e62660e9dc7c605a58d33d7780a73ac059a9895ac667c0f2d7a5956cf963ff7bcb6b826b7c318003a9c7c4cc424708c28fb5cd8a0686638ea4a471e386987
-
Filesize: 96KB
MD5: d367ddfda80fdcf578726bc3b0bc3e3c
SHA1: 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256: 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512: 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
Filesize: 92KB
MD5: e5984ef57f6e5c9a979cd8da62e790d5
SHA1: a8713f506a13857bd4a5a600c6c0f94b5139a8ec
SHA256: 639bc181e8b90b33485fe76854d4d0eb0b598b83398589b75ff38a9589df0c40
SHA512: 0e769c782cbc70cf5946ff0503c81124427191852c687cd6a1d0d26025d4ed7c6fbb026bac6e620105f3b9a0d69931c1c220bb646c0567237eb979aace4303bd