Overview

overview

9

Static

static

1

Enigma_lnst.msi

windows10-1703-x64

9

Enigma_lnst.msi

windows7-x64

9

Enigma_lnst.msi

windows10-2004-x64

9

Enigma_lnst.msi

windows11-21h2-x64

9

Sharing

Copy URL Twitter E-mail

General

  • Target

    Enigma_lnst.rar

  • Size

    185.9MB

  • Sample

    240712-wjyj5atgnk

  • MD5

    098c5cce231340b042b8105413795086

  • SHA1

    e25eb36603ded4fddf07e522137ac8f09610e0df

  • SHA256

    7b1593c8787e0bb32479dfca9d18c122e9d1a470a35d3f42515829242d5ed96c

  • SHA512

    391604f2d6ca99cd72dc0ade323e59e42eeefc7a029337fc920e95945ecece809953e5c819a4530f07efc2266cff9b6ed56eefc82f55b8ebd38245678f6eeb40

  • SSDEEP

    3145728:Wr+QvRxmraKwjfd3eyFpPKeykNeIWxk5aGTVTl1LPl2DXMJlmVWXdEPrRU3eMy6r:M+rraKefdtF5KeykfWxk59VTHdUMPmoN

Score
9/10
defense_evasionevasionpersistenceprivilege_escalation

Malware Config

Targets

    • Target

      Enigma_lnst.msi

    • Size

      186.9MB

    • MD5

      1befc9492cae2fa2ff5a89177e9d3063

    • SHA1

      061f689bb3802cf3da9cb5f8658beb5895d5650f

    • SHA256

      90cee7a2160a5506535b05a1da860b3db9270154a27b4614001a73921eb516f3

    • SHA512

      c199d79049af3c486fcbe35d6ae0825a8c2cae134fec4fe740c55c3677b29b7527958aaaf1c44890472af0a8d9e0e0db1ed96ca979da0619e089ff2486038243

    • SSDEEP

      3145728:L7y8IlnJhDfWQ3yIe3EPleGEHmdygafuvI2tc9XzlRn6lF+RQ+ZspLkOvnkBM+k6:i8oDfW6yIpPwGEHmdafuvXc9Bpe+S+6y

    Score
    9/10
    defense_evasionevasionpersistenceprivilege_escalation

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Modifies RDP port number used by Windows

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Installer Packages

1
T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Installer Packages

1
T1546.016

Defense Evasion

Hide Artifacts

1
T1564

Ignore Process Interrupts

1
T1564.011

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

7
T1012

System Information Discovery

6
T1082

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Remote Services

1
T1021

Remote Desktop Protocol

1
T1021.001

Collection

Command and Control

Exfiltration

Impact

Tasks