zgrat | 0f9c56f62484b2bbf14f9b7b76efa84e0fa0a179b0787e98e3dc9a02b9f6054e

Analysis

max time kernel
121s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Enigma Temp.exe
Size

13.5MB
MD5

330a39ccb7e57bac11f25d600c5aa463
SHA1

c22bac47bb741f63600c97c7669f2e48bf1567ab
SHA256

0f9c56f62484b2bbf14f9b7b76efa84e0fa0a179b0787e98e3dc9a02b9f6054e
SHA512

fda91e66009f1ccd88514efb56c272a1866c74496175f55573cd244b044e8cbe812fa8f98d7a5859254970c3d8898b34968e1649c3a59b7ba5b7e9ddc744efce
SSDEEP

393216:Rf50Nu9En2liECzJ3USGsfg6W2oBqtMpYbA4:x6GsLBusfg6fbqpY

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/files/0x0030000000014207-52.dat	family_zgrat_v1
behavioral1/memory/1284-56-0x0000000000930000-0x0000000000AC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2480-146-0x0000000000AD0000-0x0000000000C68000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 4 IoCs

pid	Process
2672	Enigma Spoofer.exe
1284	bridgesurrogateagentCrtdll.exe
2480	smss.exe
1852	Enigma Spoofer.exe

Loads dropped DLL 4 IoCs

pid	Process
3004	Enigma Temp.exe
3004	Enigma Temp.exe
3004	Enigma Temp.exe
2672	Enigma Spoofer.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\dllhost.exe	bridgesurrogateagentCrtdll.exe
File created	C:\Program Files (x86)\Internet Explorer\5940a34987c991	bridgesurrogateagentCrtdll.exe
File created	C:\Program Files\Windows Portable Devices\System.exe	bridgesurrogateagentCrtdll.exe
File created	C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0	bridgesurrogateagentCrtdll.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\audiodg.exe	bridgesurrogateagentCrtdll.exe
File created	C:\Windows\Fonts\42af1c969fbb7b	bridgesurrogateagentCrtdll.exe
File created	C:\Windows\system\smss.exe	bridgesurrogateagentCrtdll.exe
File created	C:\Windows\system\69ddcba757bf72	bridgesurrogateagentCrtdll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Enigma Spoofer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Enigma Spoofer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Enigma Spoofer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Enigma Spoofer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Enigma Spoofer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Enigma Spoofer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1004	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3004	Enigma Temp.exe
3004	Enigma Temp.exe
1284	bridgesurrogateagentCrtdll.exe
1284	bridgesurrogateagentCrtdll.exe
1284	bridgesurrogateagentCrtdll.exe
1284	bridgesurrogateagentCrtdll.exe
1284	bridgesurrogateagentCrtdll.exe
1284	bridgesurrogateagentCrtdll.exe
1284	bridgesurrogateagentCrtdll.exe
1284	bridgesurrogateagentCrtdll.exe
1284	bridgesurrogateagentCrtdll.exe
1284	bridgesurrogateagentCrtdll.exe
1284	bridgesurrogateagentCrtdll.exe
1284	bridgesurrogateagentCrtdll.exe
1284	bridgesurrogateagentCrtdll.exe
1284	bridgesurrogateagentCrtdll.exe
1284	bridgesurrogateagentCrtdll.exe
2480	smss.exe
2480	smss.exe
2480	smss.exe
2480	smss.exe
2480	smss.exe
2480	smss.exe
2480	smss.exe
2480	smss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	bridgesurrogateagentCrtdll.exe
Token: SeDebugPrivilege	2672	Enigma Spoofer.exe
Token: SeDebugPrivilege	2480	smss.exe
Token: SeDebugPrivilege	1852	Enigma Spoofer.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2672	3004	Enigma Temp.exe	28
PID 3004 wrote to memory of 2672	3004	Enigma Temp.exe	28
PID 3004 wrote to memory of 2672	3004	Enigma Temp.exe	28
PID 3004 wrote to memory of 2672	3004	Enigma Temp.exe	28
PID 3004 wrote to memory of 1284	3004	Enigma Temp.exe	29
PID 3004 wrote to memory of 1284	3004	Enigma Temp.exe	29
PID 3004 wrote to memory of 1284	3004	Enigma Temp.exe	29
PID 3004 wrote to memory of 1284	3004	Enigma Temp.exe	29
PID 1284 wrote to memory of 2444	1284	bridgesurrogateagentCrtdll.exe	30
PID 1284 wrote to memory of 2444	1284	bridgesurrogateagentCrtdll.exe	30
PID 1284 wrote to memory of 2444	1284	bridgesurrogateagentCrtdll.exe	30
PID 2444 wrote to memory of 2708	2444	cmd.exe	32
PID 2444 wrote to memory of 2708	2444	cmd.exe	32
PID 2444 wrote to memory of 2708	2444	cmd.exe	32
PID 2444 wrote to memory of 2744	2444	cmd.exe	33
PID 2444 wrote to memory of 2744	2444	cmd.exe	33
PID 2444 wrote to memory of 2744	2444	cmd.exe	33
PID 2672 wrote to memory of 2876	2672	Enigma Spoofer.exe	34
PID 2672 wrote to memory of 2876	2672	Enigma Spoofer.exe	34
PID 2672 wrote to memory of 2876	2672	Enigma Spoofer.exe	34
PID 2672 wrote to memory of 2876	2672	Enigma Spoofer.exe	34
PID 2876 wrote to memory of 2260	2876	cmd.exe	36
PID 2876 wrote to memory of 2260	2876	cmd.exe	36
PID 2876 wrote to memory of 2260	2876	cmd.exe	36
PID 2876 wrote to memory of 2260	2876	cmd.exe	36
PID 2444 wrote to memory of 2480	2444	cmd.exe	37
PID 2444 wrote to memory of 2480	2444	cmd.exe	37
PID 2444 wrote to memory of 2480	2444	cmd.exe	37
PID 2672 wrote to memory of 1852	2672	Enigma Spoofer.exe	38
PID 2672 wrote to memory of 1852	2672	Enigma Spoofer.exe	38
PID 2672 wrote to memory of 1852	2672	Enigma Spoofer.exe	38
PID 2672 wrote to memory of 1852	2672	Enigma Spoofer.exe	38
PID 1852 wrote to memory of 1664	1852	Enigma Spoofer.exe	39
PID 1852 wrote to memory of 1664	1852	Enigma Spoofer.exe	39
PID 1852 wrote to memory of 1664	1852	Enigma Spoofer.exe	39
PID 1852 wrote to memory of 1664	1852	Enigma Spoofer.exe	39
PID 1664 wrote to memory of 712	1664	cmd.exe	41
PID 1664 wrote to memory of 712	1664	cmd.exe	41
PID 1664 wrote to memory of 712	1664	cmd.exe	41
PID 1664 wrote to memory of 712	1664	cmd.exe	41
PID 2480 wrote to memory of 2244	2480	smss.exe	45
PID 2480 wrote to memory of 2244	2480	smss.exe	45
PID 2480 wrote to memory of 2244	2480	smss.exe	45
PID 2244 wrote to memory of 1440	2244	cmd.exe	47
PID 2244 wrote to memory of 1440	2244	cmd.exe	47
PID 2244 wrote to memory of 1440	2244	cmd.exe	47
PID 2244 wrote to memory of 1004	2244	cmd.exe	48
PID 2244 wrote to memory of 1004	2244	cmd.exe	48
PID 2244 wrote to memory of 1004	2244	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\Enigma Temp.exe
"C:\Users\Admin\AppData\Local\Temp\Enigma Temp.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\Enigma Spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\Enigma Spoofer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts" /v "Fortnite (TrueType)" /t REG_SZ /d "C:\Enigma\Font\5.ttf" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts" /v "Fortnite (TrueType)" /t REG_SZ /d "C:\Enigma\Font\5.ttf" /f
      4⤵
      PID:2260
- - C:\Users\Admin\AppData\Local\Temp\Enigma Spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Enigma Spoofer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts" /v "Fortnite (TrueType)" /t REG_SZ /d "C:\Enigma\Font\5.ttf" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts" /v "Fortnite (TrueType)" /t REG_SZ /d "C:\Enigma\Font\5.ttf" /f
        5⤵
        
        PID:712
- C:\Users\Admin\AppData\Local\Temp\bridgesurrogateagentCrtdll.exe
  "C:\Users\Admin\AppData\Local\Temp\bridgesurrogateagentCrtdll.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ma9SXApHU0.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2708
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2744
  - - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe
      "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1440
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ENIGMA\FONT\5.TTF

Filesize
40KB

MD5
51569595124f88e0f8b2ac16d472c178

SHA1
66acb9b0321ff2a3e169eb61cf3836f10da76bb4

SHA256
b33178f9cf3d9e80bb1220567680d26c832f74885dfe2fb4afec094d6801c863

SHA512
a4bc617f5fd0c44576c7bbaa05e1c87b5e49969c29ae6aceb43189907f009caab5e8bf80dc6b44d845cd4284b7e852e5a30749492ef0b436d647671d76ef08e8

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\69ddcba757bf72

Filesize
717B

MD5
744e852b2638e92bd7c0e1e671788109

SHA1
ab640f2989ece5d6f251d9921d29b13e7cac362a

SHA256
0ae6233369f39cddaec13dd7b00ec6fd8bb7589468984e202d4355f8a113b3cb

SHA512
2ac1fcdde59f7c11ad401e1848cdb855d3c5c2eaaeec581d64a474bb9b50afcdbf113ed80a55c3dfdb8aa2017e71f8ea714676550ad829949891750c0d501729

Download Submit
C:\Program Files (x86)\Internet Explorer\5940a34987c991

Filesize
127B

MD5
3acbc4c9a8109175c95fb5de5d2e7ca7

SHA1
ac7151ce13f5327cc5eac8f9180a11dfaff82b66

SHA256
7dcf06937628f09111324c16ad94ed36d2dce11457e2f3bf4f2f1be0945e0f06

SHA512
dc1996d99be8fa1bd65647f18be0d1fe5bdc9ed7cf0e9a273d8c2c8bb06838eb947d5dc343cfa2700ca7900e0ddfbf69e778e1766c22dc66db81527e5104fb8e

Download Submit
C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0

Filesize
74B

MD5
1e6ff0dcd823427c8575843b7d23cd4c

SHA1
abcadf7a081d2fd6533acbeeee44d530d13e2aaa

SHA256
8ceb686a81e784fc5a31bfd88d0c451abc86e64123740325bca48b2e74edf7b2

SHA512
8c1104bc5161ea2b09bb6cf8d8724615d51bd638f6ed4ad19964645db906f97d4a38c042347523a17dbcba89a67accaca4ed07ea6c642066e5e0feca3b87c99f

Download Submit
C:\ProgramData\KeyAuth\debug\Enigma Spoofer\May_11_2024_logs.txt

Filesize
880B

MD5
c81f9ad57f205e2b51f8b1aaab511932

SHA1
17303332336c4ee116801dcf819befcafd721c15

SHA256
33c90e25c25412f1af03bcd1aa5a93d33618cc7bc0142911c02f4a40aea82b1a

SHA512
de502844fa89a77bcd9f141aa0f253beb797c66bbfc3efdb3b7c6796a4575273a4b099e0229e4e3d16ed27fc94d82cae379b365f38fb8285679bc5dde7e55025

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32aed900bd995936dec6cbd023141e28

SHA1
995a484098fe4ea04c4c2bfc40964747ed5b39db

SHA256
2beb3125bf4d90ba30c606a3f3e441aceb376751f53da6668f83a53143db5cf1

SHA512
36c8baae8ed30c95eafba7263324e913283a95ab7e15f8e9eb214642005579b258bede1f3a2d30cff9afc36a00aaa95c41b9ee1ddef2c20ec8af26a980929a04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f97c83d0f91b847142224c439d5b817

SHA1
d68905bd6dbb848b5cc04ff0aa6ecda87630c9ac

SHA256
4af45a79b4357b616b2c5bc605726f2cc742b2bda18768374437779706c020d4

SHA512
de0250c9620297e0497d9aaa0951798d866a65b6f375dc0c8492907dd3c1d9652d104045012d3416ef86232de2c8b708359dd6534afc95efef8fec6822543d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\99bbdbd32ba65b

Filesize
848B

MD5
fbf8824cb1ebe7678bb3e46722b71748

SHA1
be96e985c795da238b7535e1f614eaa4dde825be

SHA256
8d979ff3516eefaf60e61deefdd082d5ceb8a95104d0556f963b387afc333a2f

SHA512
0b5b5ae47569cfbd30fe56c2ae7739ed7b93df9737aa905b9496eeee13afd0500ffc8ab193d17e8e7f72dba5a48095ed964bc7dd721cef290b9e6b5d22b9f499

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab347A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat

Filesize
307B

MD5
035533505e0491e4efcea890aa92b7c3

SHA1
a0d19bde992b59ac6af5c09d53a4bf797aed9c2e

SHA256
2e420f2c0caeee770876db6fd31fc9b9a187f11fe88135ffd39b5f3d8d57ed5e

SHA512
26b807facf15cb2006161e8e929ac4b8b418a4c19a89ecd3f0ee163885359965986133586d73157b888fac09586b6328d695366e0d19b3428458ea8c61fd6107

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ma9SXApHU0.bat

Filesize
252B

MD5
a7b99b806924ef4743e527b4422e3790

SHA1
d5ef9dac72bdf391034dacbb0f359774eb03b9e6

SHA256
d696d4d3cc8271485ee30ce1d46f7fd126fdce8eeb435b99e94f869443b6f982

SHA512
c0dda0116527aeb37a7b5eeb85fbf3fd2e37b156cfcda5121afc9d82b49c25c5eab30f90844998421923ec5b9f0b870db0c3dc13c7b9b1528926d9c54291da9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar356B.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bridgesurrogateagentCrtdll.exe

Filesize
1.6MB

MD5
9ba0957ffbb353c1049ebc0b95f8ee1f

SHA1
fb11f43950536c6949ba4c1158ba77de95f34e54

SHA256
55915d123ddb434090027502f8eb49f8e94de176905f28d733c914ab9f316359

SHA512
da975fec40d1a9d43eb716faaaef84e9f4fa9051525db62fdcd8f7383bc33c8e13ee6a6ad80580eabb00db5630fb9f0aa343ffa96634bc1f48df4dd124b379e4

Download Submit
C:\Windows\Fonts\42af1c969fbb7b

Filesize
312B

MD5
ef688661b59e78f4eb28d50a84f02aa0

SHA1
d994b1c20ecf9af0115a80badd74363f973e4d7e

SHA256
616be7eeb5b1b7982d78a2ddd4f9ac0b57e840242199fb322d44b0aa5a513739

SHA512
bb8b7894eaace8da41bcebfd75feb4e463f5e62acc254fc603b72e717490c0a86bdbff345e2b65f5bf963bff6c42602b7e4c608530bf7febe25918d8273038f0

Download Submit
C:\Windows\system\69ddcba757bf72

Filesize
824B

MD5
b10d308eac9adeb220377f607fd1334a

SHA1
271218590aafee5c92321058a0ec175e5e617292

SHA256
5f3486bd6ce8374654fe4dbf476dc5611506ec32a69988cc00ed12b96670b0e1

SHA512
442f65516c97153a2343264ada3dad3b219a65d0018aef4c23a6e8b4c4177adac9dc80dd6097e80f651da0509b82cde46f3efde95330f915757008e24373ad20

Download Submit
\Users\Admin\AppData\Local\Temp\Enigma Spoofer.exe

Filesize
7.3MB

MD5
f1fd79171f827a3f4a9c4a218cb418b8

SHA1
de7167406f15488f352ebf89baf52d59f3c89675

SHA256
b4219e46557eea00c0feeeb0826051a1bd101b6960b600afd73ab8e0f51fe501

SHA512
1d96631359d2f60443df74a3e247d2e8aae9f3a7a23864a2af6aaa1804bd2182e336409e450068282b5d7a456b0883659f69035805b06c2b2a611d884b8f25c6

Download Submit
memory/1284-56-0x0000000000930000-0x0000000000AC8000-memory.dmp

Filesize
1.6MB

Download
memory/2480-146-0x0000000000AD0000-0x0000000000C68000-memory.dmp

Filesize
1.6MB

Download
memory/2672-141-0x0000000009450000-0x0000000009502000-memory.dmp

Filesize
712KB

Download
memory/2672-58-0x0000000005610000-0x00000000059E6000-memory.dmp

Filesize
3.8MB

Download
memory/2672-54-0x00000000001C0000-0x0000000000914000-memory.dmp

Filesize
7.3MB

Download
memory/3004-22-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3004-55-0x0000000000400000-0x0000000001D91000-memory.dmp

Filesize
25.6MB

Download
memory/3004-38-0x0000000000400000-0x0000000001D91000-memory.dmp

Filesize
25.6MB

Download
memory/3004-57-0x0000000000408000-0x0000000001012000-memory.dmp

Filesize
12.0MB

Download
memory/3004-5-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3004-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3004-9-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3004-12-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/3004-14-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/3004-17-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3004-19-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3004-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3004-24-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3004-27-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3004-30-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/3004-32-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/3004-37-0x0000000000408000-0x0000000001012000-memory.dmp

Filesize
12.0MB

Download
memory/3004-35-0x0000000000400000-0x0000000001D91000-memory.dmp

Filesize
25.6MB

Download
memory/3004-34-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/3004-29-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3004-4-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3004-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download