Analysis Overview
SHA256
1b693a46f4a43bec58ea755005b6f55b257e7067b43a918be62310c7460e4b88
Threat Level: Likely malicious
The file pop.cmd was found to be: Likely malicious.
Malicious Activity Summary
Download via BitsAdmin
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-29 01:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-29 01:27
Reported
2024-07-29 01:29
Platform
win10-20240404-en
Max time kernel
78s
Max time network
84s
Command Line
Signatures
Download via BitsAdmin
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\bitsadmin.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4556 wrote to memory of 4920 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\bitsadmin.exe |
| PID 4556 wrote to memory of 4920 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\bitsadmin.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pop.wsf"
C:\Windows\System32\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe" /transfer 8 C:\Users\ezo\Desktop\aa.exe C:\Users\Admin\AppData\Local\Temp\aa.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |