Overview

overview

10

Static

static

10

4bd/472-84...mp.dll

windows7_x64

3

4bd/472-84...mp.dll

windows10_x64

3

4bd/Attach...ng.lnk

windows7_x64

8

4bd/Attach...ng.lnk

windows10_x64

8

Attachment.png.lnk

windows7_x64

8

Attachment.png.lnk

windows10_x64

8

work.ps1

windows7_x64

8

work.ps1

windows10_x64

8

4bd/ldr.dat.ps1

windows7_x64

10

4bd/ldr.dat.ps1

windows10_x64

1

4bd/work.ps1

windows7_x64

8

4bd/work.ps1

windows10_x64

8

Analysis

  • max time kernel
    61s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    25-08-2021 20:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4bd/ldr.dat.ps1

  • Size

    137KB

  • MD5

    968b67446e288eeca67a7ae36fb39e3d

  • SHA1

    c0872402677fe3cc74d16e5b7a26a031d5826c39

  • SHA256

    1605fecae9b37911e6965c7c2748eed0331f2282da507ab611cff3c9de7eb702

  • SHA512

    a0c7da64367b70fc5c79460a1b7cb4ae597245b38c66ca22506b79d7f31667f26453b8319cfd07281c09f3d42c4a64cb6da09488261327d78fa8e1af9258c792

Score
10/10
doublebackbackdoor

Malware Config

Signatures

  • DoubleBack

    DoubleBack is a modular backdoor first seen in December 2020.

    backdoordoubleback
  • DoubleBack x64 Payload 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\4bd\ldr.dat.ps1
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -c "&{$v1='8000';$k1='hkcu:\Software\Classes\CLSID';$p1=(gp $k1).$v1;rp $k1 $v1;set-itemproperty -pat $k1 -n $v1 -va ($p1|iex);exit}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    MD5

    a8631cf6dd8ecf222a81e9dfb246f351

    SHA1

    f20fce958bf3bd5e2f924724fbc7f92b1af221fe

    SHA256

    18f866a0ced3d8decb22771a83b1c6d579cb8699d0233601f2a84b864a65c979

    SHA512

    717aa019c5b4c1e75780c3dcbb32596b82254a82b3a83548140533aae6ad2b049c9f0495ded5dc941d92178b3661e35d95e27edfcd3b482307a3347832e174ee

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    fa1435a218d871fce2153297044d2604

    SHA1

    ee1efa8309f4d628eca81b9c777d08644bd1d46c

    SHA256

    ece64aea8576d164568303bce9bdd68ed79f7803c35b22fa58ec8c5e3567b4b2

    SHA512

    86d27cc7f3da58360c4002a15759f80e0ee9e5ef96bd3d9df0613247b32839770e4c05449a4737c305a38719b79a764e1c82ce1dabd831573617731d0397cc07

    Download Submit

  • memory/752-73-0x0000000000000000-mapping.dmp

    Download

  • memory/752-84-0x000000001B5A0000-0x000000001B5A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/752-83-0x000000001B440000-0x000000001B441000-memory.dmp

    Filesize

    4KB

    Download

  • memory/752-79-0x000000001AA50000-0x000000001AA52000-memory.dmp

    Filesize

    8KB

    Download

  • memory/752-80-0x000000001AA54000-0x000000001AA56000-memory.dmp

    Filesize

    8KB

    Download

  • memory/752-81-0x0000000002330000-0x0000000002331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/752-78-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/752-76-0x00000000023E0000-0x00000000023E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/752-77-0x000000001AAD0000-0x000000001AAD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1724-6-0x00000000021A0000-0x00000000021A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1724-70-0x000000001ABCC000-0x000000001ABEB000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1724-71-0x000000001B7F0000-0x000000001B7F9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1724-72-0x0000008800000000-0x000000880000C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1724-69-0x000000001ABC6000-0x000000001ABC8000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1724-68-0x000000001C470000-0x000000001C471000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1724-67-0x000000001B720000-0x000000001B721000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1724-0-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1724-5-0x000000001ABC4000-0x000000001ABC6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1724-4-0x000000001ABC0000-0x000000001ABC2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1724-3-0x000000001A960000-0x000000001A961000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1724-2-0x000000001AC40000-0x000000001AC41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1724-1-0x0000000002320000-0x0000000002321000-memory.dmp

    Filesize

    4KB

    Download