a9027c6070365053c3cb91261991c71f1d3a63707df8467e413847f344b3af4d

Analysis

max time kernel
283s
max time network
333s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrashMalwares-main/NoEscape8.0.exe
Size

15.0MB
MD5

1c18f75dafd667fb5559cf9b7cb5868e
SHA1

deab3392cf25ebc52f15ecdcf7e4187dcaec81f7
SHA256

bf3c03ff11e6610bbf806084ec2d58cd5aacb87e52cbf965a789fa74584de3a5
SHA512

c68c8ee27265c81e7bb6ead434436398d198b9c2ce83092a8deb8539045b10b47ed660e2451297edd7eeebedc5254000fd5ad481f4642f64f4d74d6a964d3015
SSDEEP

393216:ph/RLjBJPkh/6StJ+4qnWSz0hgSovW+PABRMW:phVcm9z06WEORX

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Executes dropped EXE 6 IoCs

Processes:

boot.exeINV.exetunnel.exemelter.exe10.exeMagix.exe

pid process

4240 boot.exe
2240 INV.exe
1748 tunnel.exe
2532 melter.exe
4844 10.exe
4564 Magix.exe

pid	process
4240	boot.exe
2240	INV.exe
1748	tunnel.exe
2532	melter.exe
4844	10.exe
4564	Magix.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NoEscape8.0.execmd.exeWScript.execmd.exe10.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	NoEscape8.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	10.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

boot.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	boot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\yourpc\\boot.exe"	boot.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

boot.exe

description ioc process

File opened for modification \??\PhysicalDrive0 boot.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4516 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2588 timeout.exe
2008 timeout.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	boot.exe

pid	process
4516	schtasks.exe

pid	process
2588	timeout.exe
2008	timeout.exe

Modifies registry class 3 IoCs

Processes:

cmd.exe10.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	10.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1472 reg.exe

pid	process
1472	reg.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

NoEscape8.0.execmd.exeWScript.execmd.exeboot.exe10.exe

description	pid	process	target process
PID 3644 wrote to memory of 2656	3644	NoEscape8.0.exe	cmd.exe
PID 3644 wrote to memory of 2656	3644	NoEscape8.0.exe	cmd.exe
PID 3644 wrote to memory of 2656	3644	NoEscape8.0.exe	cmd.exe
PID 2656 wrote to memory of 3868	2656	cmd.exe	WScript.exe
PID 2656 wrote to memory of 3868	2656	cmd.exe	WScript.exe
PID 2656 wrote to memory of 3868	2656	cmd.exe	WScript.exe
PID 3868 wrote to memory of 3692	3868	WScript.exe	cmd.exe
PID 3868 wrote to memory of 3692	3868	WScript.exe	cmd.exe
PID 3868 wrote to memory of 3692	3868	WScript.exe	cmd.exe
PID 3692 wrote to memory of 4240	3692	cmd.exe	boot.exe
PID 3692 wrote to memory of 4240	3692	cmd.exe	boot.exe
PID 3692 wrote to memory of 4240	3692	cmd.exe	boot.exe
PID 4240 wrote to memory of 4516	4240	boot.exe	schtasks.exe
PID 4240 wrote to memory of 4516	4240	boot.exe	schtasks.exe
PID 4240 wrote to memory of 4516	4240	boot.exe	schtasks.exe
PID 3692 wrote to memory of 2788	3692	cmd.exe	WScript.exe
PID 3692 wrote to memory of 2788	3692	cmd.exe	WScript.exe
PID 3692 wrote to memory of 2788	3692	cmd.exe	WScript.exe
PID 3692 wrote to memory of 1472	3692	cmd.exe	reg.exe
PID 3692 wrote to memory of 1472	3692	cmd.exe	reg.exe
PID 3692 wrote to memory of 1472	3692	cmd.exe	reg.exe
PID 3692 wrote to memory of 2008	3692	cmd.exe	timeout.exe
PID 3692 wrote to memory of 2008	3692	cmd.exe	timeout.exe
PID 3692 wrote to memory of 2008	3692	cmd.exe	timeout.exe
PID 3692 wrote to memory of 2240	3692	cmd.exe	INV.exe
PID 3692 wrote to memory of 2240	3692	cmd.exe	INV.exe
PID 3692 wrote to memory of 2240	3692	cmd.exe	INV.exe
PID 3692 wrote to memory of 1748	3692	cmd.exe	tunnel.exe
PID 3692 wrote to memory of 1748	3692	cmd.exe	tunnel.exe
PID 3692 wrote to memory of 1748	3692	cmd.exe	tunnel.exe
PID 3692 wrote to memory of 2532	3692	cmd.exe	melter.exe
PID 3692 wrote to memory of 2532	3692	cmd.exe	melter.exe
PID 3692 wrote to memory of 2532	3692	cmd.exe	melter.exe
PID 3692 wrote to memory of 4844	3692	cmd.exe	10.exe
PID 3692 wrote to memory of 4844	3692	cmd.exe	10.exe
PID 3692 wrote to memory of 4844	3692	cmd.exe	10.exe
PID 3692 wrote to memory of 4564	3692	cmd.exe	Magix.exe
PID 3692 wrote to memory of 4564	3692	cmd.exe	Magix.exe
PID 3692 wrote to memory of 2588	3692	cmd.exe	timeout.exe
PID 3692 wrote to memory of 2588	3692	cmd.exe	timeout.exe
PID 3692 wrote to memory of 2588	3692	cmd.exe	timeout.exe
PID 4844 wrote to memory of 1476	4844	10.exe	NOTEPAD.EXE
PID 4844 wrote to memory of 1476	4844	10.exe	NOTEPAD.EXE
PID 4844 wrote to memory of 1476	4844	10.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NoEscape8.0.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NoEscape8.0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\yourpc\skid.bat" "
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\yourpc\run.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\yourpc\main.bat" "
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3692

C:\yourpc\boot.exe
boot.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\yourpc\boot.exe"
6⤵
- Creates scheduled task(s)
PID:4516

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\yourpc\es.vbs"
5⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
5⤵
- Modifies registry key
PID:1472

C:\Windows\SysWOW64\timeout.exe
timeout 10
5⤵
- Delays execution with timeout.exe
PID:2008

C:\yourpc\INV.exe
INV.exe
5⤵
- Executes dropped EXE
PID:2240

C:\yourpc\tunnel.exe
tunnel.exe
5⤵
- Executes dropped EXE
PID:1748

C:\yourpc\melter.exe
melter.exe
5⤵
- Executes dropped EXE
PID:2532

C:\yourpc\10.exe
10.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Documents and Settings\Administrator\Desktop\18769.txt
6⤵
PID:1476

C:\yourpc\Magix.exe
Magix.exe
5⤵
- Executes dropped EXE
PID:4564

C:\Windows\SysWOW64\timeout.exe
timeout 30
5⤵
- Delays execution with timeout.exe
PID:2588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\yourpc\10.exe
Filesize
291KB

MD5
e2001b6e75f84968a254b49faa45b7be

SHA1
c70f93d5833543bb96c06a2e5a6642da0b283f12

SHA256
fa758441587efb6f25391ceda3bf7c9293555dbd7d36472a2c76c3036f6d9c33

SHA512
ebcd62730268b7f6f8b880a7c6d321bfb444e4a6ae0ea9e1a1c02a00db5737abd09b4db5e4515a9060de6d95cba49c5bd0e69a9903bdfd1c54f18eeb031220e3

Download Submit
C:\yourpc\10.exe
Filesize
291KB

MD5
e2001b6e75f84968a254b49faa45b7be

SHA1
c70f93d5833543bb96c06a2e5a6642da0b283f12

SHA256
fa758441587efb6f25391ceda3bf7c9293555dbd7d36472a2c76c3036f6d9c33

SHA512
ebcd62730268b7f6f8b880a7c6d321bfb444e4a6ae0ea9e1a1c02a00db5737abd09b4db5e4515a9060de6d95cba49c5bd0e69a9903bdfd1c54f18eeb031220e3

Download Submit
C:\yourpc\INV.exe
Filesize
103KB

MD5
e079c468c9caed494623dbf95e9ce5e8

SHA1
4d8d1d17e9d7ff455a5c69e048d7575b5a3ea0f7

SHA256
8e217ce5670ac1021fdb6101372f9322f7ff82481ecd9badc104ff542e46128c

SHA512
d9c1a6f28c0c76b6856dec8723eb79d1b620a70b8ab3b5f028848e890a684beeb3460e310959c69f21cffb0a14751ea6cb719aacdbc2043121f057dd56f868a8

Download Submit
C:\yourpc\INV.exe
Filesize
103KB

MD5
e079c468c9caed494623dbf95e9ce5e8

SHA1
4d8d1d17e9d7ff455a5c69e048d7575b5a3ea0f7

SHA256
8e217ce5670ac1021fdb6101372f9322f7ff82481ecd9badc104ff542e46128c

SHA512
d9c1a6f28c0c76b6856dec8723eb79d1b620a70b8ab3b5f028848e890a684beeb3460e310959c69f21cffb0a14751ea6cb719aacdbc2043121f057dd56f868a8

Download Submit
C:\yourpc\Magix.exe
Filesize
59KB

MD5
026992ed7c38fae57e8839a6c0d883c8

SHA1
9b389aa3dd774f3cfff3dcbe8ea8779ef005b31f

SHA256
68cb1fe2ee7c3f69fe2d508d117b502ed19337bd332e722605e491a823f89645

SHA512
d20fe47538b9e1fa0ccf198f5a4a31506cc59622b2492e9f64435fb06b66ccf93cde056693656da626ebf56ab434425fbf3291db979fe6c67b2a7a14649d9dc7

Download Submit
C:\yourpc\Magix.exe
Filesize
59KB

MD5
026992ed7c38fae57e8839a6c0d883c8

SHA1
9b389aa3dd774f3cfff3dcbe8ea8779ef005b31f

SHA256
68cb1fe2ee7c3f69fe2d508d117b502ed19337bd332e722605e491a823f89645

SHA512
d20fe47538b9e1fa0ccf198f5a4a31506cc59622b2492e9f64435fb06b66ccf93cde056693656da626ebf56ab434425fbf3291db979fe6c67b2a7a14649d9dc7

Download Submit
C:\yourpc\boot.exe
Filesize
150KB

MD5
0b71c2b0a5cb052457abd1e09f6302cb

SHA1
e17040a434a818b98d6c217bb73ccdcdc603c56a

SHA256
986192549387d257436b94d956234dce12f151ce6904de660e5d39cfce21b775

SHA512
fd3e41b1fc8e9aa5f1a5da6161be6f4aa277e3e1377f20ffd217004bc015ddbf3e4c80a7316d99fdfda6e32d497a0996eecb4ddc55b0b011e7c9a74944fbe1d5

Download Submit
C:\yourpc\boot.exe
Filesize
150KB

MD5
0b71c2b0a5cb052457abd1e09f6302cb

SHA1
e17040a434a818b98d6c217bb73ccdcdc603c56a

SHA256
986192549387d257436b94d956234dce12f151ce6904de660e5d39cfce21b775

SHA512
fd3e41b1fc8e9aa5f1a5da6161be6f4aa277e3e1377f20ffd217004bc015ddbf3e4c80a7316d99fdfda6e32d497a0996eecb4ddc55b0b011e7c9a74944fbe1d5

Download Submit
C:\yourpc\es.vbs
Filesize
39B

MD5
9c2d6662913494f5f7ecc95564f87132

SHA1
e62502b0da2c9714b4cc1bae0f39c7014a9b2d00

SHA256
095f01222915f9f8d71edb1593d70b7336c89aed4b42b14dc8e5cff482ab8d3b

SHA512
366b4739de8aaddf5133a9f50589e870b187ee0a366c4c3166adcb071c8d3aa180d978c3f85916690763dcd0d99449782ecd18df5144447695490b112f9d4cbc

Download Submit
C:\yourpc\main.bat
Filesize
1KB

MD5
d381fdbe8f6a130e25247fa1e029805b

SHA1
618a09cf851eb5bea77595df2e66412d2d954cba

SHA256
9eca23b0358e5507734ef7a2247c310c7be23c85776913c49947afb41c885273

SHA512
f1f7ca8d93c9764a6223121943fb2b31bd896df975a1c17f745a66cdd5777fe8e0197721da0b9e1610b2a5bdbd8b4ecb4d676df09baef7f35a038a7e5a97a444

Download Submit
C:\yourpc\melter.exe
Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
C:\yourpc\melter.exe
Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
C:\yourpc\run.vbs
Filesize
54B

MD5
95cd248d3e5740a059a01eeef728ab48

SHA1
ae3e55904ade22ab4672f1f85db865e8e66fcff6

SHA256
ac59324226f082c21f5364d027f364086e86c9488dce674d7e93bf5c7c0cbcea

SHA512
aa149aa3b524002defd4f92579f672e6e5f3f2deb5124f5adf8980e8386e0faf8f81a5b9667751ac6e19dd3b50f1688a7dfd147e18c9de229ce6f955184ad4b3

Download Submit
C:\yourpc\skid.bat
Filesize
310B

MD5
427d18145e233d828cdbad04596134c9

SHA1
84cb6fae8ee844be1fd9eda8a6a74a5cce97ded8

SHA256
23efa2c8b42c0c599a2bd60cadfab2eac3a439e891509dc70c1ee2a9f5e86f2c

SHA512
fd5e0a70a4bd082311ab5559b832ba8ae8fce91a62faeec827e3a14a302ceda3697b2cc4d9f1c082170fe22ffff52b022791ebc8c6ec35a3946a9c3712e99444

Download Submit
C:\yourpc\tunnel.exe
Filesize
103KB

MD5
7dae1fb2e3a65e8dd594b021a6923e24

SHA1
acd069dc223cc4802402944e5afec57d2ae31c08

SHA256
732adadb4c7167e61f0f5763c2c01e43fb01369683d23c9652aea99f6c42c810

SHA512
121f7f7c30361aa141192586133a670d989b2615d7e451b0e5a2e5375c46a67c9c404df4575778b7474ddf48b1be2d29d61df7d534473725d66295b3d4ef2919

Download Submit
C:\yourpc\tunnel.exe
Filesize
103KB

MD5
7dae1fb2e3a65e8dd594b021a6923e24

SHA1
acd069dc223cc4802402944e5afec57d2ae31c08

SHA256
732adadb4c7167e61f0f5763c2c01e43fb01369683d23c9652aea99f6c42c810

SHA512
121f7f7c30361aa141192586133a670d989b2615d7e451b0e5a2e5375c46a67c9c404df4575778b7474ddf48b1be2d29d61df7d534473725d66295b3d4ef2919

Download Submit
memory/1472-144-0x0000000000000000-mapping.dmp

Download
memory/1476-162-0x0000000000000000-mapping.dmp

Download
memory/1748-148-0x0000000000000000-mapping.dmp

Download
memory/2008-145-0x0000000000000000-mapping.dmp

Download
memory/2240-146-0x0000000000000000-mapping.dmp

Download
memory/2532-150-0x0000000000000000-mapping.dmp

Download
memory/2588-160-0x0000000000000000-mapping.dmp

Download
memory/2656-132-0x0000000000000000-mapping.dmp

Download
memory/2788-143-0x0000000000000000-mapping.dmp

Download
memory/3692-137-0x0000000000000000-mapping.dmp

Download
memory/3868-135-0x0000000000000000-mapping.dmp

Download
memory/4240-138-0x0000000000000000-mapping.dmp

Download
memory/4516-141-0x0000000000000000-mapping.dmp

Download
memory/4564-156-0x0000000000000000-mapping.dmp

Download
memory/4844-153-0x0000000000000000-mapping.dmp

Download