Overview

overview

7

Static

static

1

adplus_old.vbs

windows7-x64

3

adplus_old.vbs

windows10-2004-x64

7

Analysis

  • max time kernel
    32s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    05-07-2023 11:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    adplus_old.vbs

  • Size

    184KB

  • MD5

    fd5fb3b20a66f045e84c6c779c6130f6

  • SHA1

    532520d801d009f8b1807dee92b70424342979c8

  • SHA256

    3095bf779c5e14931e8fc6843504f79022893947742a61e0bdaba907971f4dff

  • SHA512

    57dcaef91a4247ac22dc791f4343c80a8191973306d0720e686150ab71bc81aee51ed6f8b5ce6d381918662228a03fde6cc1e350dd01fd25c83ebd752e18796b

  • SSDEEP

    3072:z3XefUgvyiDwWY0uzB4QZvW2drHWgOOWS1K4j5cm6gucSS34A40VtEZIjgpjyzly:FgvyiDwWQulS1K4VVtvLyq2QOfb5fn

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adplus_old.vbs"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k Cscript //nologo "C:\Users\Admin\AppData\Local\Temp\adplus_old.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\system32\cscript.exe
        Cscript //nologo "C:\Users\Admin\AppData\Local\Temp\adplus_old.vbs"
        3⤵
          PID:876

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads