b71669bf8d8db4fd50ef451f01ea511d16ed95944bf87fac8c7afb46c78be23d

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Enigma.exe
Size

711KB
MD5

949b2bae6492ebe641f81740e47c01c5
SHA1

cf89b182339a51701a6e576a5478671c4c57021a
SHA256

134282891e882a7c8f71ed27214a8699dbb60c801353ad077f1265a572ace5bf
SHA512

0ae421dda3945046c95924edcd2b9c5d09cb320916404e1cab329e8848e653e08695f668f4c0929c5736d5a897bbc031128574377478300ebb02930c07e48104
SSDEEP

12288:3ez64idqsJUtFG5+0ZsmB3De1JnESqaUU2f7KK9Dk:uz64id/O0SmB32JnETBjS

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Enigma.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Enigma.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Enigma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Enigma.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\Fax\Personal CoverPages\desktop.ini	FXSCOVER.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2516	Enigma.exe
2516	Enigma.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	Enigma.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document\shell\print\command	FXSCOVER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document\shell\print	FXSCOVER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document\DefaultIcon\ = "C:\\Windows\\system32\\FXSCOVER.exe,1"	FXSCOVER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document\DefaultIcon	FXSCOVER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document	FXSCOVER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document\ = "Fax Cover Page"	FXSCOVER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document\shell\open\command	FXSCOVER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document\shell	FXSCOVER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document\shell\open	FXSCOVER.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe
2516	Enigma.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2492	FXSCOVER.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2492	FXSCOVER.exe
2492	FXSCOVER.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2524	2516	Enigma.exe	31
PID 2516 wrote to memory of 2524	2516	Enigma.exe	31
PID 2516 wrote to memory of 2524	2516	Enigma.exe	31
PID 2516 wrote to memory of 2508	2516	Enigma.exe	32
PID 2516 wrote to memory of 2508	2516	Enigma.exe	32
PID 2516 wrote to memory of 2508	2516	Enigma.exe	32
PID 2516 wrote to memory of 656	2516	Enigma.exe	33
PID 2516 wrote to memory of 656	2516	Enigma.exe	33
PID 2516 wrote to memory of 656	2516	Enigma.exe	33
PID 656 wrote to memory of 2492	656	cmd.exe	34
PID 656 wrote to memory of 2492	656	cmd.exe	34
PID 656 wrote to memory of 2492	656	cmd.exe	34
PID 2516 wrote to memory of 1888	2516	Enigma.exe	35
PID 2516 wrote to memory of 1888	2516	Enigma.exe	35
PID 2516 wrote to memory of 1888	2516	Enigma.exe	35
PID 2516 wrote to memory of 1504	2516	Enigma.exe	36
PID 2516 wrote to memory of 1504	2516	Enigma.exe	36
PID 2516 wrote to memory of 1504	2516	Enigma.exe	36

C:\Users\Admin\AppData\Local\Temp\Enigma.exe
"C:\Users\Admin\AppData\Local\Temp\Enigma.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color D
  2⤵
  PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start FXSCOVER.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Windows\system32\FXSCOVER.exe
    FXSCOVER.exe
    3⤵
    - Drops desktop.ini file(s)
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:1888
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2516 -s 188
  2⤵
  PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Fax\Personal CoverPages\desktop.ini

Filesize
83B

MD5
598e1a868a65c0b66b59c088f52360ba

SHA1
54418059a2190ee09d84dd1dfb80ce44f1fc661e

SHA256
c183370acb893e1c862bb094ffa9abc34af886933ef45a572d4bcf52f845bbb2

SHA512
dce894ce4ffd8c2cc14a83d1416c0a2ea2d4abe02eda88cee571ecdba094c2d458b4f6644969cf0e96baf3367c286bfa01099400ae5d0cbe0b3ed97f8e803edd

Download Submit
memory/2516-2-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2516-12-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2516-36-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download