Malware Analysis Report

2024-10-10 08:27

Sample ID 240619-2z57sszgjr
Target EnigmaSpf.exe
SHA256 5ce97ad436f6aa47546f8f9866d4918d9681c060bd3051c18bb8c3d8850c13c5
Tags: blankgrabber evasion execution upx

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

5ce97ad436f6aa47546f8f9866d4918d9681c060bd3051c18bb8c3d8850c13c5

Threat Level: Known bad

The file EnigmaSpf.exe was found to be: Known bad.

Malicious Activity Summary

blankgrabber evasion execution upx

Blankgrabber family

A stealer written in Python and packaged with Pyinstaller

Looks for VirtualBox Guest Additions in registry

Stops running service(s)

UPX packed file

Checks BIOS information in registry

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 23:02

Signatures

A stealer written in Python and packaged with Pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 23:02

Reported

2024-06-19 23:10

Platform

win7-20240611-en

Max time kernel

18s

Max time network

79s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe"

Signatures

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe | N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2824 wrote to memory of 2100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2824 wrote to memory of 2100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2824 wrote to memory of 2100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2824 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2824 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2824 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2824 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2824 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2824 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2552 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2612 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2612 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2832 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2832 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2832 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2552 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2636 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2636 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2636 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2540 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2540 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2540 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2552 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2448 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2448 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2448 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2552 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 332 wrote to memory of 320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 332 wrote to memory of 320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 332 wrote to memory of 320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe

"C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c color E

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq floss*" /IM * /F /T >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq floss*" /IM * /F /T

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Ida64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im OllyDbg.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Dbg64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Dbg32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c color 0F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq floss*" /IM * /F /T >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq floss*" /IM * /F /T

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\drivers\etc\antivm2.exe

C:\Windows\System32\drivers\etc\antivm2.exe

C:\Windows\System32\drivers\etc\antivm2.exe

C:\Windows\System32\drivers\etc\antivm2.exe

C:\Windows\System32\drivers\etc\antivm2.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Ida64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im OllyDbg.exe

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:49191 | (none) | tcp
N/A | 127.0.0.1:49193 | (none) | tcp
US | 8.8.8.8:53 | keyauth.win | udp
US | 172.67.72.57:443 | keyauth.win | tcp
US | 8.8.8.8:53 | apps.identrust.com | udp
NL | 23.63.101.171:80 | apps.identrust.com | tcp
US | 8.8.8.8:53 | x2.c.lencr.org | udp
BE | 23.55.97.11:80 | x2.c.lencr.org | tcp
US | 172.67.72.57:443 | keyauth.win | tcp

Files

memory/2552-0-0x0000000077790000-0x0000000077791000-memory.dmp

\Windows\System32\drivers\etc\antivm2.exe

MD5 f0c8dc0a4a0157fbfce0a7105cd195f0
SHA1 7244766403863fa1387ca42ad79932fb2dc16d80
SHA256 c9cdffbbcc3efe9527c13da931ee3a0fdc3c7e73b632b3046e7556653ea2ca81
SHA512 77fd135913e9911b3ee8c13ed470aa493d3e903220584035d286d0f97f4b740fdda7ed94070bedcc8fdecc30fa20117ba8fb12a62b6ac6f30b1f2ad025505107

C:\Users\Admin\AppData\Local\Temp\_MEI19682\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI19682\python312.dll

MD5 18677d48ba556e529b73d6e60afaf812
SHA1 68f93ed1e3425432ac639a8f0911c144f1d4c986
SHA256 8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8
SHA512 a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

\Users\Admin\AppData\Local\Temp\_MEI19682\api-ms-win-core-file-l2-1-0.dll

MD5 bfffa7117fd9b1622c66d949bac3f1d7
SHA1 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA256 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512 b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

\Users\Admin\AppData\Local\Temp\_MEI19682\api-ms-win-core-timezone-l1-1-0.dll

MD5 d12403ee11359259ba2b0706e5e5111c
SHA1 03cc7827a30fd1dee38665c0cc993b4b533ac138
SHA256 f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781
SHA512 9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

\Users\Admin\AppData\Local\Temp\_MEI19682\api-ms-win-core-file-l1-2-0.dll

MD5 1c58526d681efe507deb8f1935c75487
SHA1 0e6d328faf3563f2aae029bc5f2272fb7a742672
SHA256 ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2
SHA512 8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

\Users\Admin\AppData\Local\Temp\_MEI19682\api-ms-win-core-processthreads-l1-1-1.dll

MD5 517eb9e2cb671ae49f99173d7f7ce43f
SHA1 4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab
SHA256 57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54
SHA512 492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

\Users\Admin\AppData\Local\Temp\_MEI19682\api-ms-win-core-localization-l1-2-0.dll

MD5 724223109e49cb01d61d63a8be926b8f
SHA1 072a4d01e01dbbab7281d9bd3add76f9a3c8b23b
SHA256 4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210
SHA512 19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

memory/1952-81-0x000007FEF5B70000-0x000007FEF6234000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 23:02

Reported

2024-06-19 23:11

Platform

win10v2004-20240611-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe C:\Windows\system32\cmd.exe
PID 3564 wrote to memory of 732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 3564 wrote to memory of 732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 3564 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3564 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3564 wrote to memory of 876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3564 wrote to memory of 876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe

Processes

C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe

"C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | keyauth.win | udp
US | 172.67.72.57:443 | keyauth.win | tcp
N/A | 127.0.0.1:51196 | (none) | tcp
N/A | 127.0.0.1:51198 | (none) | tcp
US | 8.8.8.8:53 | x2.c.lencr.org | udp
BE | 23.55.97.11:80 | x2.c.lencr.org | tcp
US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

memory/2064-0-0x00007FFB4F1B0000-0x00007FFB4F1B1000-memory.dmp