Analysis Overview
SHA256
cfc6d572bd3b9eb1ac7781cfcfc60a1b5c536d1d169d7f19e51298b82df1ed4e
Threat Level: Known bad
The file EnigmaSpf.zip was found to be: Known bad.
Malicious Activity Summary
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Looks for VirtualBox Guest Additions in registry
Stops running service(s)
Checks BIOS information in registry
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-19 23:16
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Blankgrabber family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 23:16
Reported
2024-06-19 23:16
Platform
win10v2004-20240611-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 23:16
Reported
2024-06-19 23:17
Platform
win10v2004-20240611-en
Max time kernel
7s
Max time network
17s
Command Line
Signatures
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | "C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil" |
| C:\Windows\system32\certutil.exe | certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe" MD5 |
| C:\Windows\system32\find.exe | find /i /v "md5" |
| C:\Windows\system32\find.exe | find /i /v "certutil" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c color E |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq floss*" /IM * /F /T >nul 2>&1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq floss*" /IM * /F /T |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerUI.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerSvc.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Ida64.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im OllyDbg.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Dbg64.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Dbg32.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerUI.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerSvc.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 |
| C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im Taskmgr.exe |
| C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| N/A | 127.0.0.1:59554 | N/A | tcp |
| N/A | 127.0.0.1:59556 | N/A | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
Files
memory/2432-0-0x00007FF8A4F70000-0x00007FF8A4F71000-memory.dmp