Analysis

max time kernel: 18s
max time network: 26s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/07/2023, 09:53
General

Target: OneTapsu.exe
Size: 9.9MB
MD5: bf4f5229e99cf820e00dfed6c060adbd
SHA1: e332c05d1606968d2dd73b642180cb6b3748bf9d
SHA256: ce80f8df0de50e940935187416d6636842c658929a1c25b09ae7e9a2b0065c4c
SHA512: 75073ecde105c6eb9c7e7c0f93b79a4bb0ffec8d7ac54bedc5a5989f7268f4d5f38514f90a1e1971feade440aa8db5f75a794d85bd363b61fb763ea92d9f7c59
SSDEEP: 196608:7ciTycbFaihD1dYPJ3E4Wsieovl1L9MLwkmJ1SF000A3vZXDLGKx22xizWhm:B+cbFaIdKJ31HkJ6F0tA34Kx2bzWhm
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
description | pid | Process | procid_target
PID 3160 created 3168 | 3160 | OneTapsu.exe | 39
PID 3160 created 3168 | 3160 | OneTapsu.exe | 39

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | OneTapsu.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OneTapsu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | OneTapsu.exe

resource | yara_rule
behavioral1/memory/3160-134-0x00007FF77DA80000-0x00007FF77ECFD000-memory.dmp | themida
behavioral1/memory/3160-133-0x00007FF77DA80000-0x00007FF77ECFD000-memory.dmp | themida
behavioral1/memory/3160-136-0x00007FF77DA80000-0x00007FF77ECFD000-memory.dmp | themida
behavioral1/memory/3160-137-0x00007FF77DA80000-0x00007FF77ECFD000-memory.dmp | themida
behavioral1/memory/3160-138-0x00007FF77DA80000-0x00007FF77ECFD000-memory.dmp | themida
behavioral1/memory/3160-139-0x00007FF77DA80000-0x00007FF77ECFD000-memory.dmp | themida
behavioral1/memory/3160-160-0x00007FF77DA80000-0x00007FF77ECFD000-memory.dmp | themida
behavioral1/files/0x000700000002322a-162.dat | themida
behavioral1/memory/3704-163-0x00007FF6E0630000-0x00007FF6E18AD000-memory.dmp | themida

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | OneTapsu.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
3160 | OneTapsu.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3160 | OneTapsu.exe
3160 | OneTapsu.exe
3160 | OneTapsu.exe
3160 | OneTapsu.exe
652 | powershell.exe
652 | powershell.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 452 | powercfg.exe
Token: SeCreatePagefilePrivilege | 452 | powercfg.exe
Token: SeShutdownPrivilege | 3488 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3488 | powercfg.exe
Token: SeShutdownPrivilege | 3188 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3188 | powercfg.exe
Token: SeDebugPrivilege | 652 | powershell.exe
Token: SeShutdownPrivilege | 1376 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1376 | powercfg.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2420 wrote to memory of 452 | 2420 | cmd.exe | 93
PID 2420 wrote to memory of 452 | 2420 | cmd.exe | 93
PID 2420 wrote to memory of 3488 | 2420 | cmd.exe | 94
PID 2420 wrote to memory of 3488 | 2420 | cmd.exe | 94
PID 2420 wrote to memory of 3188 | 2420 | cmd.exe | 96
PID 2420 wrote to memory of 3188 | 2420 | cmd.exe | 96
PID 2420 wrote to memory of 1376 | 2420 | cmd.exe | 97
PID 2420 wrote to memory of 1376 | 2420 | cmd.exe | 97
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3168

  C:\Users\Admin\AppData\Local\Temp\OneTapsu.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\OneTapsu.exe"
    PID: 3160
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\cmd.exe
    command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    PID: 2420
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -hibernate-timeout-ac 0
      PID: 452
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -hibernate-timeout-dc 0
      PID: 3488
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -standby-timeout-ac 0
      PID: 3188
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\powercfg.exe
      command line: powercfg /x -standby-timeout-dc 0
      PID: 1376
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fvjzl#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
    PID: 652
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\schtasks.exe
    command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
    PID: 5040

C:\Users\Admin\Google\Chrome\updater.exe
  command line: C:\Users\Admin\Google\Chrome\updater.exe
  PID: 3704
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 2.5MB
  MD5: a75d608c00aeee312660241f542e9d99
  SHA1: 9fc3fb2c7f644f3f7c694bdd201b0a93b5f42271
  SHA256: 5c9cd4e8addf667d8f5ff57328e5d3ba556e9697c61a3c2dcf2ac653ac249b2b
  SHA512: c15d976a0a5888f6333b1b1c1e38634ceea4326f54df6ce7fc2f1ffa2c00a7c96bdf08f2726d7746f2216ec0e70b7ecf33cd2a838ecc05846ac7ded547835240