Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/07/2023, 09:56

Behavioral task: behavioral1
Sample: onetap.exe
Resource: win10-20230703-en

General
Target: onetap.exe
Size: 15.2MB
MD5: afb258e94c29c18be991e5eb89540472
SHA1: 1470eb03e7ae159fd9a3dda30fd1f4d51cba8019
SHA256: fc88ca904adfb9f327311f5c108ac6f86c4b3d1154e80d6336920ac76d4dba1f
SHA512: 9944a365c19b8215e03fca606758592dba968b9749bff50cea973663c813de151317aba1b233652d93b7522a4b4987dfb71e8e8eedc5b7a54d5d54d2f30c3156
SSDEEP: 393216:NImpeu54sjGtzgFLJqMQ+aVz6jC5CeHMRdG3UQWYabHYsX:yZu2+qMQzz2gsKUTYY
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
description | pid | Process | procid_target
PID 3024 created 3240 | 3024 | cryptpls_protected.exe | 55
PID 3024 created 3240 | 3024 | cryptpls_protected.exe | 55
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | onetap.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | @myagkiy_protected.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cryptpls_protected.exe
XMRig Miner payload (13 IoCs)
resource | yara_rule
behavioral2/memory/3024-170-0x00007FF69CDB0000-0x00007FF69DF91000-memory.dmp | xmrig
behavioral2/memory/5080-174-0x00007FF673D30000-0x00007FF67451F000-memory.dmp | xmrig
behavioral2/memory/5080-175-0x00007FF673D30000-0x00007FF67451F000-memory.dmp | xmrig
behavioral2/memory/5080-176-0x00007FF673D30000-0x00007FF67451F000-memory.dmp | xmrig
behavioral2/memory/5080-177-0x00007FF673D30000-0x00007FF67451F000-memory.dmp | xmrig
behavioral2/memory/5080-179-0x00007FF673D30000-0x00007FF67451F000-memory.dmp | xmrig
behavioral2/memory/5080-181-0x00007FF673D30000-0x00007FF67451F000-memory.dmp | xmrig
behavioral2/memory/5080-182-0x00007FF673D30000-0x00007FF67451F000-memory.dmp | xmrig
behavioral2/memory/5080-183-0x00007FF673D30000-0x00007FF67451F000-memory.dmp | xmrig
behavioral2/memory/5080-184-0x00007FF673D30000-0x00007FF67451F000-memory.dmp | xmrig
behavioral2/memory/5080-185-0x00007FF673D30000-0x00007FF67451F000-memory.dmp | xmrig
behavioral2/memory/5080-186-0x00007FF673D30000-0x00007FF67451F000-memory.dmp | xmrig
behavioral2/memory/5080-187-0x00007FF673D30000-0x00007FF67451F000-memory.dmp | xmrig
Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cryptpls_protected.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cryptpls_protected.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | onetap.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | onetap.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | @myagkiy_protected.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | @myagkiy_protected.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | onetap.exe
Executes dropped EXE (2 IoCs)
pid | Process
4112 | @myagkiy_protected.exe
3024 | cryptpls_protected.exe

Themida-packed (yara rule themida, 20 IoCs)
resource | yara_rule
behavioral2/memory/3652-133-0x0000000000730000-0x0000000001A18000-memory.dmp | themida
behavioral2/memory/3652-135-0x0000000000730000-0x0000000001A18000-memory.dmp | themida
behavioral2/files/0x00070000000230a6-140.dat | themida
behavioral2/files/0x00070000000230a6-142.dat | themida
behavioral2/memory/4112-146-0x0000000000400000-0x0000000000BA4000-memory.dmp | themida
behavioral2/files/0x00060000000230a7-148.dat | themida
behavioral2/files/0x00070000000230a6-152.dat | themida
behavioral2/files/0x00060000000230a7-154.dat | themida
behavioral2/memory/3652-155-0x0000000000730000-0x0000000001A18000-memory.dmp | themida
behavioral2/memory/3024-156-0x00007FF69CDB0000-0x00007FF69DF91000-memory.dmp | themida
behavioral2/memory/4112-157-0x0000000000400000-0x0000000000BA4000-memory.dmp | themida
behavioral2/memory/4112-160-0x0000000000400000-0x0000000000BA4000-memory.dmp | themida
behavioral2/memory/3024-159-0x00007FF69CDB0000-0x00007FF69DF91000-memory.dmp | themida
behavioral2/memory/4112-161-0x0000000000400000-0x0000000000BA4000-memory.dmp | themida
behavioral2/memory/3024-162-0x00007FF69CDB0000-0x00007FF69DF91000-memory.dmp | themida
behavioral2/memory/3024-163-0x00007FF69CDB0000-0x00007FF69DF91000-memory.dmp | themida
behavioral2/memory/3024-164-0x00007FF69CDB0000-0x00007FF69DF91000-memory.dmp | themida
behavioral2/memory/4112-165-0x0000000000400000-0x0000000000BA4000-memory.dmp | themida
behavioral2/memory/3024-166-0x00007FF69CDB0000-0x00007FF69DF91000-memory.dmp | themida
behavioral2/memory/3024-170-0x00007FF69CDB0000-0x00007FF69DF91000-memory.dmp | themida

Checks whether UAC is enabled (3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | onetap.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | @myagkiy_protected.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cryptpls_protected.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid | Process
3652 | onetap.exe
4112 | @myagkiy_protected.exe
3024 | cryptpls_protected.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3024 set thread context of 5080 | 3024 | cryptpls_protected.exe | 101
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2972 | 4112 | WerFault.exe | 85
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3024 | cryptpls_protected.exe (4 identical entries)
5080 | explorer.exe (the remaining 60 of the 64 entries, all identical)
Suspicious behavior: LoadsDriver (1 IoC)
pid | Process
672 | Process not Found
Suspicious use of AdjustPrivilegeToken (10 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2928 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2928 | powercfg.exe
Token: SeShutdownPrivilege | 784 | powercfg.exe
Token: SeCreatePagefilePrivilege | 784 | powercfg.exe
Token: SeShutdownPrivilege | 1436 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1436 | powercfg.exe
Token: SeLockMemoryPrivilege | 5080 | explorer.exe
Token: SeShutdownPrivilege | 2676 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2676 | powercfg.exe
Token: SeLockMemoryPrivilege | 5080 | explorer.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 3652 wrote to memory of 4112 | 3652 | onetap.exe | 85
PID 3652 wrote to memory of 4112 | 3652 | onetap.exe | 85
PID 3652 wrote to memory of 4112 | 3652 | onetap.exe | 85
PID 3652 wrote to memory of 3024 | 3652 | onetap.exe | 87
PID 3652 wrote to memory of 3024 | 3652 | onetap.exe | 87
PID 2156 wrote to memory of 2928 | 2156 | cmd.exe | 98
PID 2156 wrote to memory of 2928 | 2156 | cmd.exe | 98
PID 2156 wrote to memory of 784 | 2156 | cmd.exe | 99
PID 2156 wrote to memory of 784 | 2156 | cmd.exe | 99
PID 2156 wrote to memory of 1436 | 2156 | cmd.exe | 100
PID 2156 wrote to memory of 1436 | 2156 | cmd.exe | 100
PID 3024 wrote to memory of 5080 | 3024 | cryptpls_protected.exe | 101
PID 2156 wrote to memory of 2676 | 2156 | cmd.exe | 102
PID 2156 wrote to memory of 2676 | 2156 | cmd.exe | 102
Processes (process tree; indentation shows parent/child depth)

C:\Windows\Explorer.EXE (PID 3240)
    Command line: C:\Windows\Explorer.EXE
    C:\Users\Admin\AppData\Local\Temp\onetap.exe (PID 3652)
        Command line: "C:\Users\Admin\AppData\Local\Temp\onetap.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe (PID 4112)
            Command line: "C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            C:\Windows\SysWOW64\WerFault.exe (PID 2972)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 152
                - Program crash
        C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe (PID 3024)
            Command line: "C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe"
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe (PID 2156)
        Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\powercfg.exe (PID 2928)
            Command line: powercfg /x -hibernate-timeout-ac 0
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\powercfg.exe (PID 784)
            Command line: powercfg /x -hibernate-timeout-dc 0
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\powercfg.exe (PID 1436)
            Command line: powercfg /x -standby-timeout-ac 0
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\powercfg.exe (PID 2676)
            Command line: powercfg /x -standby-timeout-dc 0
            - Suspicious use of AdjustPrivilegeToken
    C:\Windows\explorer.exe (PID 5080)
        Command line: C:\Windows\explorer.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 524)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4112 -ip 4112
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 3.4MB
MD5: e90fae32382eb76fa61f8af25cb08403
SHA1: cf6762b5ce07b55d4ab2ae663458ea26fb5ddb0f
SHA256: ef47509edc8c5231c49701377fd83ea19125f1dc2eeb08ccef7fb58ff8c32c66
SHA512: 36f24d11a497ac7c1b618c8c9ba38c75c52f97f4f994657aab89db4aa5dbb184f0695680c6f56bf329f6fc1e73556e259f55b9e988fb3b05ecaf834d703a698a

Filesize: 9.5MB
MD5: 5478e8d1f4b167b894193583c24673a4
SHA1: fdd50bb3d379e3a54061caff7f5f15706c763179
SHA256: 7cebddc53d178955b1cf3d0428bac2650d50132f42cefc83749e1387b7742d1a
SHA512: 2b2ca6316629dc870cb7a17cd42de10f2ecb57cd867c4eba9256026ae8f700f796e8c3d9ae4465731dcad1a800031db9bc9a4a3b3bb1d547701678f0b67163d6