Analysis Overview
SHA256
ee3ff39ca8758381c9005d3a8861c167aafcf33d681a86ed29569508b9456a37
Threat Level: Known bad
The file Onetap CS GO HACK.rar was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
XMRig Miner payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Obfuscated with Agile.Net obfuscator
Checks computer location settings
Themida packer
Executes dropped EXE
Checks BIOS information in registry
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-14 09:56
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-14 09:56
Reported
2023-07-14 09:58
Platform
win10-20230703-en
Max time kernel
105s
Max time network
111s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4196 created 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | C:\Windows\Explorer.EXE |
| PID 4196 created 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | C:\Windows\Explorer.EXE |
| PID 4076 created 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | C:\Windows\Explorer.EXE |
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\onetap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\onetap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\onetap.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\onetap.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\onetap.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\onetap.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\onetap.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\onetap.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onetap.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onetap.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4196 set thread context of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | C:\Windows\explorer.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\onetap.exe
"C:\Users\Admin\AppData\Local\Temp\onetap.exe"
C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe
"C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe"
C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe
"C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 536
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\onetap.exe
"C:\Users\Admin\AppData\Local\Temp\onetap.exe"
C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe
"C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe"
C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe
"C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 128
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:443 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/328-122-0x0000000000370000-0x0000000001658000-memory.dmp
memory/328-123-0x0000000077364000-0x0000000077365000-memory.dmp
memory/328-124-0x0000000000370000-0x0000000001658000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe
| MD5 | e90fae32382eb76fa61f8af25cb08403 |
| SHA1 | cf6762b5ce07b55d4ab2ae663458ea26fb5ddb0f |
| SHA256 | ef47509edc8c5231c49701377fd83ea19125f1dc2eeb08ccef7fb58ff8c32c66 |
| SHA512 | 36f24d11a497ac7c1b618c8c9ba38c75c52f97f4f994657aab89db4aa5dbb184f0695680c6f56bf329f6fc1e73556e259f55b9e988fb3b05ecaf834d703a698a |
memory/864-131-0x0000000000400000-0x0000000000BA4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe
| MD5 | e90fae32382eb76fa61f8af25cb08403 |
| SHA1 | cf6762b5ce07b55d4ab2ae663458ea26fb5ddb0f |
| SHA256 | ef47509edc8c5231c49701377fd83ea19125f1dc2eeb08ccef7fb58ff8c32c66 |
| SHA512 | 36f24d11a497ac7c1b618c8c9ba38c75c52f97f4f994657aab89db4aa5dbb184f0695680c6f56bf329f6fc1e73556e259f55b9e988fb3b05ecaf834d703a698a |
C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe
| MD5 | 5478e8d1f4b167b894193583c24673a4 |
| SHA1 | fdd50bb3d379e3a54061caff7f5f15706c763179 |
| SHA256 | 7cebddc53d178955b1cf3d0428bac2650d50132f42cefc83749e1387b7742d1a |
| SHA512 | 2b2ca6316629dc870cb7a17cd42de10f2ecb57cd867c4eba9256026ae8f700f796e8c3d9ae4465731dcad1a800031db9bc9a4a3b3bb1d547701678f0b67163d6 |
memory/328-135-0x0000000000370000-0x0000000001658000-memory.dmp
memory/4196-137-0x00007FF7C0080000-0x00007FF7C1261000-memory.dmp
memory/4196-136-0x00007FF7C0080000-0x00007FF7C1261000-memory.dmp
memory/4196-139-0x00007FFD42C80000-0x00007FFD42E5B000-memory.dmp
memory/864-138-0x0000000000400000-0x0000000000BA4000-memory.dmp
memory/864-140-0x0000000000400000-0x0000000000BA4000-memory.dmp
memory/4196-141-0x00007FF7C0080000-0x00007FF7C1261000-memory.dmp
memory/864-142-0x0000000000400000-0x0000000000BA4000-memory.dmp
memory/4196-143-0x00007FF7C0080000-0x00007FF7C1261000-memory.dmp
memory/4196-144-0x00007FF7C0080000-0x00007FF7C1261000-memory.dmp
memory/4196-146-0x00007FF7C0080000-0x00007FF7C1261000-memory.dmp
memory/4196-147-0x00007FF7C0080000-0x00007FF7C1261000-memory.dmp
memory/4196-148-0x00007FFD42C80000-0x00007FFD42E5B000-memory.dmp
memory/316-152-0x0000000000DE0000-0x0000000000E00000-memory.dmp
memory/4196-151-0x00007FF7C0080000-0x00007FF7C1261000-memory.dmp
memory/4196-154-0x00007FFD42C80000-0x00007FFD42E5B000-memory.dmp
memory/316-157-0x0000000002A60000-0x0000000002AA0000-memory.dmp
memory/316-159-0x00007FF601FB0000-0x00007FF60279F000-memory.dmp
memory/316-161-0x00007FF601FB0000-0x00007FF60279F000-memory.dmp
memory/316-162-0x00007FF601FB0000-0x00007FF60279F000-memory.dmp
memory/316-163-0x0000000013A50000-0x0000000013A70000-memory.dmp
memory/3420-164-0x0000000000370000-0x0000000001658000-memory.dmp
memory/3420-165-0x0000000000370000-0x0000000001658000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe
| MD5 | e90fae32382eb76fa61f8af25cb08403 |
| SHA1 | cf6762b5ce07b55d4ab2ae663458ea26fb5ddb0f |
| SHA256 | ef47509edc8c5231c49701377fd83ea19125f1dc2eeb08ccef7fb58ff8c32c66 |
| SHA512 | 36f24d11a497ac7c1b618c8c9ba38c75c52f97f4f994657aab89db4aa5dbb184f0695680c6f56bf329f6fc1e73556e259f55b9e988fb3b05ecaf834d703a698a |
C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe
| MD5 | e90fae32382eb76fa61f8af25cb08403 |
| SHA1 | cf6762b5ce07b55d4ab2ae663458ea26fb5ddb0f |
| SHA256 | ef47509edc8c5231c49701377fd83ea19125f1dc2eeb08ccef7fb58ff8c32c66 |
| SHA512 | 36f24d11a497ac7c1b618c8c9ba38c75c52f97f4f994657aab89db4aa5dbb184f0695680c6f56bf329f6fc1e73556e259f55b9e988fb3b05ecaf834d703a698a |
C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe
| MD5 | 5478e8d1f4b167b894193583c24673a4 |
| SHA1 | fdd50bb3d379e3a54061caff7f5f15706c763179 |
| SHA256 | 7cebddc53d178955b1cf3d0428bac2650d50132f42cefc83749e1387b7742d1a |
| SHA512 | 2b2ca6316629dc870cb7a17cd42de10f2ecb57cd867c4eba9256026ae8f700f796e8c3d9ae4465731dcad1a800031db9bc9a4a3b3bb1d547701678f0b67163d6 |
C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe
| MD5 | 5478e8d1f4b167b894193583c24673a4 |
| SHA1 | fdd50bb3d379e3a54061caff7f5f15706c763179 |
| SHA256 | 7cebddc53d178955b1cf3d0428bac2650d50132f42cefc83749e1387b7742d1a |
| SHA512 | 2b2ca6316629dc870cb7a17cd42de10f2ecb57cd867c4eba9256026ae8f700f796e8c3d9ae4465731dcad1a800031db9bc9a4a3b3bb1d547701678f0b67163d6 |
C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe
| MD5 | 5478e8d1f4b167b894193583c24673a4 |
| SHA1 | fdd50bb3d379e3a54061caff7f5f15706c763179 |
| SHA256 | 7cebddc53d178955b1cf3d0428bac2650d50132f42cefc83749e1387b7742d1a |
| SHA512 | 2b2ca6316629dc870cb7a17cd42de10f2ecb57cd867c4eba9256026ae8f700f796e8c3d9ae4465731dcad1a800031db9bc9a4a3b3bb1d547701678f0b67163d6 |
memory/316-176-0x00007FF601FB0000-0x00007FF60279F000-memory.dmp
memory/3420-175-0x0000000000370000-0x0000000001658000-memory.dmp
memory/4076-177-0x00007FF76D090000-0x00007FF76E271000-memory.dmp
memory/4076-179-0x00007FF76D090000-0x00007FF76E271000-memory.dmp
memory/316-180-0x0000000013A50000-0x0000000013A70000-memory.dmp
memory/4076-182-0x00007FFD42C80000-0x00007FFD42E5B000-memory.dmp
memory/4364-181-0x0000000000400000-0x0000000000BA4000-memory.dmp
memory/4364-178-0x0000000000400000-0x0000000000BA4000-memory.dmp
memory/4076-183-0x00007FF76D090000-0x00007FF76E271000-memory.dmp
memory/4364-184-0x0000000000400000-0x0000000000BA4000-memory.dmp
memory/4076-185-0x00007FF76D090000-0x00007FF76E271000-memory.dmp
memory/316-187-0x00007FF601FB0000-0x00007FF60279F000-memory.dmp
memory/4076-186-0x00007FF76D090000-0x00007FF76E271000-memory.dmp
memory/4076-189-0x00007FF76D090000-0x00007FF76E271000-memory.dmp
memory/316-192-0x00007FF601FB0000-0x00007FF60279F000-memory.dmp
memory/4076-193-0x00007FFD42C80000-0x00007FFD42E5B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Google\Libs\WR64.sys
| MD5 | 0c0195c48b6b8582fa6f6373032118da |
| SHA1 | d25340ae8e92a6d29f599fef426a2bc1b5217299 |
| SHA256 | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| SHA512 | ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d |
memory/4076-196-0x00007FF76D090000-0x00007FF76E271000-memory.dmp
memory/4076-197-0x00007FFD42C80000-0x00007FFD42E5B000-memory.dmp
memory/316-199-0x00007FF601FB0000-0x00007FF60279F000-memory.dmp
memory/4364-201-0x0000000000400000-0x0000000000BA4000-memory.dmp
memory/316-202-0x00007FF601FB0000-0x00007FF60279F000-memory.dmp
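Detection logic for the behaviour chain recorded in this run, written as an added example for this page; it is not part of the sandbox output and not code from the sample. It works from the rows above: cryptpls_protected.exe (PID 4196) creates a second explorer.exe (PID 316) whose recorded parent is the real shell Explorer.EXE (PID 3252), then writes into it with SetThreadContext; that explorer.exe requests SeLockMemoryPrivilege, which is what XMRig asks for when it enables large pages; a cmd.exe chain zeroes the hibernate and standby timeouts with powercfg; pool.hashvault.pro is contacted over TCP 443; and a kernel driver, WR64.sys, lands under the user's AppData. The event records are constructed by hand from those rows in a simplified Sysmon/EDR-like schema. The field names, the cmd.exe and powercfg PIDs, and the PID that wrote WR64.sys are assumptions, since the report does not give them.

```python
"""Detections for the behavioral1 chain: PPID spoofing, powercfg sleep
suppression, mining-pool contact, and a driver dropped under a user profile.

Added example, not sandbox output. Records are constructed from the report;
creator_pid/proto field names and PIDs 9001/9002 (cmd.exe, powercfg.exe) and
the WR64.sys writer PID are assumptions, not facts from the report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int          # parent recorded for the new process
    creator_pid: int   # process that actually issued the create call
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    dst: str           # "ip:port"
    domain: str
    proto: str


@dataclass(frozen=True)
class FileEvent:
    pid: int           # writer; assumed to be 316 for WR64.sys (report does not say)
    path: str
    sha256: str


# Report facts: Explorer.EXE 3252 is the real shell; cryptpls_protected.exe 4196
# creates explorer.exe 316 with 3252 as its parent and then sets 316's context.
PROC_EVENTS = [
    ProcEvent(3252, 1, 1, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(4196, 3252, 3252, r"C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe"'),
    ProcEvent(316, 3252, 4196, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(9001, 316, 316, r"C:\Windows\System32\cmd.exe",           # PID assumed
              r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & "
              r"powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & "
              r"powercfg /x -standby-timeout-dc 0"),
    ProcEvent(9002, 9001, 9001, r"C:\Windows\System32\powercfg.exe",    # PID assumed
              "powercfg /x -hibernate-timeout-ac 0"),
]
NET_EVENTS = [
    NetEvent("8.8.8.8:53", "pool.hashvault.pro", "udp"),
    NetEvent("95.179.241.203:443", "pool.hashvault.pro", "tcp"),
]
FILE_EVENTS = [
    FileEvent(316, r"C:\Users\Admin\AppData\Roaming\Google\Libs\WR64.sys",
              "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5"),
]

# SHA256 values copied from the report's Files section.
KNOWN_SHA256 = {
    "ef47509edc8c5231c49701377fd83ea19125f1dc2eeb08ccef7fb58ff8c32c66",  # @myagkiy_protected.exe
    "7cebddc53d178955b1cf3d0428bac2650d50132f42cefc83749e1387b7742d1a",  # cryptpls_protected.exe
    "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5",  # WR64.sys
}
KNOWN_POOLS = {"pool.hashvault.pro"}  # from the Network table; extend from your own intel


def find_ppid_spoofing(events):
    """Children whose recorded parent is not the process that created them.
    Returns (child_pid, claimed_parent_pid, creator_pid) triples."""
    return [(e.pid, e.ppid, e.creator_pid) for e in events if e.creator_pid != e.ppid]


# powercfg /x is the documented alias of /change; match any timeout set to 0.
_TIMEOUT = re.compile(
    r"powercfg\s+[/-](?:x|change)\s+-?(hibernate|standby|monitor|disk)-timeout-(ac|dc)\s+0\b",
    re.IGNORECASE)


def find_sleep_suppression(events, min_settings=3):
    """Command lines that zero several power timeouts at once, so the host never
    sleeps while mining. Returns {pid: sorted list of settings}."""
    hits = {}
    for e in events:
        found = sorted({f"{k}-timeout-{m}".lower() for k, m in _TIMEOUT.findall(e.cmdline)})
        if len(found) >= min_settings:
            hits[e.pid] = found
    return hits


def find_pool_contacts(net_events, pools=KNOWN_POOLS):
    """TCP connections whose resolved name is a known pool, on any port (443 here)."""
    return [(n.dst, n.domain) for n in net_events
            if n.proto == "tcp" and n.domain.lower() in pools]


def find_user_profile_drivers(file_events, known=KNOWN_SHA256):
    """Kernel drivers written under C:\\Users, with a known-bad hash flag."""
    hits = []
    for f in file_events:
        p = f.path.lower()
        if p.endswith(".sys") and "\\users\\" in p:
            hits.append((f.path, f.sha256 in known))
    return hits


def triage(procs=PROC_EVENTS, nets=NET_EVENTS, files=FILE_EVENTS):
    """Run all four checks; call it malicious when at least two fire."""
    findings = {
        "ppid_spoofing": find_ppid_spoofing(procs),
        "sleep_suppression": find_sleep_suppression(procs),
        "pool_contacts": find_pool_contacts(nets),
        "user_profile_drivers": find_user_profile_drivers(files),
    }
    findings["malicious"] = sum(bool(v) for v in findings.values()) >= 2
    return findings


if __name__ == "__main__":
    for name, value in triage().items():
        print(f"{name}: {value}")
```

The parent/creator mismatch is the highest-signal check and is exactly what the NtCreateUserProcessOtherParentProcess rows record (4196 creates a child that claims 3252 as its parent); a plain Sysmon Event ID 1 does not carry the creator PID, so this needs ETW- or EDR-level telemetry. The pool connection goes to port 443, so a port-based egress rule will not catch it; match on the resolved name or destination address instead.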
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-14 09:56
Reported
2023-07-14 09:59
Platform
win10v2004-20230703-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3024 created 3240 | N/A | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | C:\Windows\Explorer.EXE |
| PID 3024 created 3240 | N/A | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | C:\Windows\Explorer.EXE |
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\onetap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\onetap.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\onetap.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\onetap.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\onetap.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onetap.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3024 set thread context of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe | C:\Windows\explorer.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\onetap.exe
"C:\Users\Admin\AppData\Local\Temp\onetap.exe"
C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe
"C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe"
C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe
"C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4112 -ip 4112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 152
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.143.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:443 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| DE | 2.16.241.76:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 76.241.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
memory/3652-133-0x0000000000730000-0x0000000001A18000-memory.dmp
memory/3652-134-0x0000000077EB4000-0x0000000077EB6000-memory.dmp
memory/3652-135-0x0000000000730000-0x0000000001A18000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe
| MD5 | e90fae32382eb76fa61f8af25cb08403 |
| SHA1 | cf6762b5ce07b55d4ab2ae663458ea26fb5ddb0f |
| SHA256 | ef47509edc8c5231c49701377fd83ea19125f1dc2eeb08ccef7fb58ff8c32c66 |
| SHA512 | 36f24d11a497ac7c1b618c8c9ba38c75c52f97f4f994657aab89db4aa5dbb184f0695680c6f56bf329f6fc1e73556e259f55b9e988fb3b05ecaf834d703a698a |
C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe
| MD5 | e90fae32382eb76fa61f8af25cb08403 |
| SHA1 | cf6762b5ce07b55d4ab2ae663458ea26fb5ddb0f |
| SHA256 | ef47509edc8c5231c49701377fd83ea19125f1dc2eeb08ccef7fb58ff8c32c66 |
| SHA512 | 36f24d11a497ac7c1b618c8c9ba38c75c52f97f4f994657aab89db4aa5dbb184f0695680c6f56bf329f6fc1e73556e259f55b9e988fb3b05ecaf834d703a698a |
memory/4112-146-0x0000000000400000-0x0000000000BA4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe
| MD5 | 5478e8d1f4b167b894193583c24673a4 |
| SHA1 | fdd50bb3d379e3a54061caff7f5f15706c763179 |
| SHA256 | 7cebddc53d178955b1cf3d0428bac2650d50132f42cefc83749e1387b7742d1a |
| SHA512 | 2b2ca6316629dc870cb7a17cd42de10f2ecb57cd867c4eba9256026ae8f700f796e8c3d9ae4465731dcad1a800031db9bc9a4a3b3bb1d547701678f0b67163d6 |
C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe
| MD5 | e90fae32382eb76fa61f8af25cb08403 |
| SHA1 | cf6762b5ce07b55d4ab2ae663458ea26fb5ddb0f |
| SHA256 | ef47509edc8c5231c49701377fd83ea19125f1dc2eeb08ccef7fb58ff8c32c66 |
| SHA512 | 36f24d11a497ac7c1b618c8c9ba38c75c52f97f4f994657aab89db4aa5dbb184f0695680c6f56bf329f6fc1e73556e259f55b9e988fb3b05ecaf834d703a698a |
C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe
| MD5 | 5478e8d1f4b167b894193583c24673a4 |
| SHA1 | fdd50bb3d379e3a54061caff7f5f15706c763179 |
| SHA256 | 7cebddc53d178955b1cf3d0428bac2650d50132f42cefc83749e1387b7742d1a |
| SHA512 | 2b2ca6316629dc870cb7a17cd42de10f2ecb57cd867c4eba9256026ae8f700f796e8c3d9ae4465731dcad1a800031db9bc9a4a3b3bb1d547701678f0b67163d6 |
memory/3652-155-0x0000000000730000-0x0000000001A18000-memory.dmp
memory/3024-156-0x00007FF69CDB0000-0x00007FF69DF91000-memory.dmp
memory/3024-158-0x00007FFF06410000-0x00007FFF06605000-memory.dmp
memory/4112-157-0x0000000000400000-0x0000000000BA4000-memory.dmp
memory/4112-160-0x0000000000400000-0x0000000000BA4000-memory.dmp
memory/3024-159-0x00007FF69CDB0000-0x00007FF69DF91000-memory.dmp
memory/4112-161-0x0000000000400000-0x0000000000BA4000-memory.dmp
memory/3024-162-0x00007FF69CDB0000-0x00007FF69DF91000-memory.dmp
memory/3024-163-0x00007FF69CDB0000-0x00007FF69DF91000-memory.dmp
memory/3024-164-0x00007FF69CDB0000-0x00007FF69DF91000-memory.dmp
memory/4112-165-0x0000000000400000-0x0000000000BA4000-memory.dmp
memory/3024-166-0x00007FF69CDB0000-0x00007FF69DF91000-memory.dmp
memory/3024-167-0x00007FFF06410000-0x00007FFF06605000-memory.dmp
memory/5080-171-0x0000000002D40000-0x0000000002D60000-memory.dmp
memory/3024-170-0x00007FF69CDB0000-0x00007FF69DF91000-memory.dmp
memory/3024-172-0x00007FFF06410000-0x00007FFF06605000-memory.dmp
memory/5080-173-0x0000000002E80000-0x0000000002EA0000-memory.dmp
memory/5080-174-0x00007FF673D30000-0x00007FF67451F000-memory.dmp
memory/5080-175-0x00007FF673D30000-0x00007FF67451F000-memory.dmp
memory/5080-176-0x00007FF673D30000-0x00007FF67451F000-memory.dmp
memory/5080-177-0x00007FF673D30000-0x00007FF67451F000-memory.dmp
memory/5080-178-0x0000000013D80000-0x0000000013DA0000-memory.dmp
memory/5080-179-0x00007FF673D30000-0x00007FF67451F000-memory.dmp
memory/5080-180-0x0000000013D80000-0x0000000013DA0000-memory.dmp
memory/5080-181-0x00007FF673D30000-0x00007FF67451F000-memory.dmp
memory/5080-182-0x00007FF673D30000-0x00007FF67451F000-memory.dmp
memory/5080-183-0x00007FF673D30000-0x00007FF67451F000-memory.dmp
memory/5080-184-0x00007FF673D30000-0x00007FF67451F000-memory.dmp
memory/5080-185-0x00007FF673D30000-0x00007FF67451F000-memory.dmp
memory/5080-186-0x00007FF673D30000-0x00007FF67451F000-memory.dmp
memory/5080-187-0x00007FF673D30000-0x00007FF67451F000-memory.dmp