Malware Analysis Report

2024-10-10 08:31

Sample ID 240619-29c9rs1blr
Target EnigmaSpf.zip
SHA256 cfc6d572bd3b9eb1ac7781cfcfc60a1b5c536d1d169d7f19e51298b82df1ed4e
Tags
blankgrabber evasion execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cfc6d572bd3b9eb1ac7781cfcfc60a1b5c536d1d169d7f19e51298b82df1ed4e

Threat Level: Known bad

The file EnigmaSpf.zip was found to be: Known bad.

Malicious Activity Summary

blankgrabber evasion execution

A stealer written in Python and packaged with Pyinstaller

Blankgrabber family

Looks for VirtualBox Guest Additions in registry

Stops running service(s)

Checks BIOS information in registry

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 23:16

Signatures

A stealer written in Python and packaged with Pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 23:16

Reported

2024-06-19 23:16

Platform

win10v2004-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 23:16

Reported

2024-06-19 23:17

Platform

win10v2004-20240611-en

Max time kernel

7s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe"

Signatures

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe N/A

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 3196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 4536 wrote to memory of 3196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 4536 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4536 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4536 wrote to memory of 4168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4536 wrote to memory of 4168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2432 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 664 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 664 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4440 wrote to memory of 772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4440 wrote to memory of 772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2432 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2264 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2264 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 968 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 968 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2432 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 464 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 464 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3352 wrote to memory of 3936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3352 wrote to memory of 3936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe

"C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c color E

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq floss*" /IM * /F /T >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq floss*" /IM * /F /T

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Ida64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im OllyDbg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Dbg64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Dbg32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 57.72.67.172.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
N/A 127.0.0.1:59554 tcp
N/A 127.0.0.1:59556 tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp

Files

memory/2432-0-0x00007FF8A4F70000-0x00007FF8A4F71000-memory.dmp