Malware Analysis Report

2024-10-16 05:07

Sample ID 240729-bt4hxawcqk
Target pop.cmd
SHA256 1b693a46f4a43bec58ea755005b6f55b257e7067b43a918be62310c7460e4b88
Tags
dropper
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

1b693a46f4a43bec58ea755005b6f55b257e7067b43a918be62310c7460e4b88

Threat Level: Likely malicious

The file pop.cmd was found to be: Likely malicious.

Malicious Activity Summary

dropper

Download via BitsAdmin

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-29 01:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-29 01:27

Reported

2024-07-29 01:29

Platform

win10-20240404-en

Max time kernel

78s

Max time network

84s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pop.wsf"

Signatures

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\System32\bitsadmin.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4556 wrote to memory of 4920 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\bitsadmin.exe
PID 4556 wrote to memory of 4920 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\bitsadmin.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pop.wsf"

C:\Windows\System32\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 8 C:\Users\ezo\Desktop\aa.exe C:\Users\Admin\AppData\Local\Temp\aa.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A