47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8

Reason

Machine shutdown

General

Target

NoEscape.exe
Size

666KB
MD5

989ae3d195203b323aa2b3adf04e9833
SHA1

31a45521bc672abcf64e50284ca5d4e6b3687dc8
SHA256

d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f
SHA512

e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305
SSDEEP

12288:85J5X487qJUtcWfkVJ6g5s/cD01oKHQyis2AePsr8nP712TB:s487pcZEgwcDpg1L2tbPR2t

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

NoEscape.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NoEscape.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

NoEscape.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

NoEscape.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NoEscape.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

NoEscape.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = "0"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	NoEscape.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 2 IoCs

Processes:

NoEscape.exe

description ioc process

File created C:\Windows\winnt32.exe NoEscape.exe
File opened for modification C:\Windows\winnt32.exe NoEscape.exe

description	ioc	process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

NoEscape.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\Mouse	NoEscape.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\Mouse\SwapMouseButtons = "1"	NoEscape.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\Desktop	NoEscape.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\Desktop\AutoColorization = "1"	NoEscape.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4544 LogonUI.exe

pid	process
4544	LogonUI.exe

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	NoEscape.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NoEscape.exe

C:\Users\Admin\AppData\Local\Temp\NoEscape.exe
"C:\Users\Admin\AppData\Local\Temp\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- System policy modification
PID:1716

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3adb055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

2

T1004

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

5

T1112

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1716-120-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-121-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-122-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-123-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-124-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-125-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1716-126-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-127-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-128-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-130-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-129-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-131-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-132-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-133-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-134-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-135-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-136-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-137-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-138-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-139-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-140-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-141-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-142-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-143-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-144-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-145-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-146-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-147-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-148-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-149-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-150-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-151-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-152-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-153-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-154-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-155-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-156-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-157-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-158-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-159-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-160-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-162-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-161-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-163-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-164-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-165-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-166-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-167-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1716-168-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads