hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbG5xUFlocUJBR2sxQkpuMUVkSk1URUptQVZOUXxBQ3Jtc0trUll2WkV1MXZhSkF0Y0plOE8yOWFiakU0bVpGeDJxcWt5WUE3U2dvVXptN0VDUDhENXBLQUt0SlRYVi1KMlRKRVEzRG9tdHhzZnNTR29vdERrem9EaWh4SU1ic1FjZEg2VTUwMXM3NWRvVjRFcnFpOA&q=https%3A%2F%2Fgithub[.]com%2FEndermanch%2FMalwareDatabase%2Fraw%2Fmaster%2FNoEscape[.]zip&v=4oATWyMMH4A

Resubmissions

19/12/2022, 19:24

221219-x4p9xsfh24 6

19/12/2022, 18:57

221219-xma4nsfg54 8

Analysis

max time kernel
67s
max time network
77s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
19/12/2022, 19:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbG5xUFlocUJBR2sxQkpuMUVkSk1URUptQVZOUXxBQ3Jtc0trUll2WkV1MXZhSkF0Y0plOE8yOWFiakU0bVpGeDJxcWt5WUE3U2dvVXptN0VDUDhENXBLQUt0SlRYVi1KMlRKRVEzRG9tdHhzZnNTR29vdERrem9EaWh4SU1ic1FjZEg2VTUwMXM3NWRvVjRFcnFpOA&q=https%3A%2F%2Fgithub.com%2FEndermanch%2FMalwareDatabase%2Fraw%2Fmaster%2FNoEscape.zip&v=4oATWyMMH4A

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000009f5272c928a65aec65b97c541c5b48f36c5a3053122180e5dd6b032f35f4e38000000000e80000000020000200000008c193ae68fc87c287039c3331d3258f9818e7b402468f00d9242bc55afd6470d90000000df377996ffee6d3e7ccc44d1a85a1bea0a29ee811ec971ac305bc78c9ccc60cf5e96f8c91ce34c06dda5bafdb4fd7d238c2d3f39052b9ea19404135ab88c3304ea7b602c4399bb149511dd6e0e460f6966feffbaa8aee9ae651f80576bfcb3cd99757d32dd3e5df6451f14bad20fd5d404e1d3c1195a50b019aded9291ef74b919e903033ac2e160195fd188c0e4d3874000000008ea7fa74ed57172fde09e023dc213c05f05eff000aedb8d74281ac3e1fddd7830f3437d9e37f19519b083b126c582d729c63ce38263264099edd9fa4a6987e9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1097e2f9e713d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "378246463"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af000000000200000000001066000000010000200000006b73253a1d63662dfde0d6a0d4513f859c4080b16936019f55ddb2ace33bb9a6000000000e8000000002000020000000b0b85465641ac4dd90e692f2438364ea3dcf09f7727ae02548c47e240b3aef512000000032198f165bfc9067177b94413af32fc7ca6009b93110cc59e057f54fe75e5dcb40000000a55f883e7893f7f2c400f12664c974bb5a4e2e999c53fcf70748eaeb8e8b0a2308b060b4b074cc1a640dc266d9c9e74e4e63a314217d2997a2a064a975bf0d7a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2E7C8031-7FDB-11ED-8639-62E10F117DDC} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1784	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1784	iexplore.exe
1784	iexplore.exe
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 1340	1784	iexplore.exe	29
PID 1784 wrote to memory of 1340	1784	iexplore.exe	29
PID 1784 wrote to memory of 1340	1784	iexplore.exe	29
PID 1784 wrote to memory of 1340	1784	iexplore.exe	29

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbG5xUFlocUJBR2sxQkpuMUVkSk1URUptQVZOUXxBQ3Jtc0trUll2WkV1MXZhSkF0Y0plOE8yOWFiakU0bVpGeDJxcWt5WUE3U2dvVXptN0VDUDhENXBLQUt0SlRYVi1KMlRKRVEzRG9tdHhzZnNTR29vdERrem9EaWh4SU1ic1FjZEg2VTUwMXM3NWRvVjRFcnFpOA&q=https%3A%2F%2Fgithub.com%2FEndermanch%2FMalwareDatabase%2Fraw%2Fmaster%2FNoEscape.zip&v=4oATWyMMH4A
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1784 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ce8786c2568206c780a077d180eaf74

SHA1
13241a9b10881c3d9c0aa858c694d82f7d568d2c

SHA256
a7ddba9a8afe909953ab8c40e87b4074f91178642876e783209f5a09b322e2b8

SHA512
fee1f7f6ff8957cf626f5611fd8e6fd35768f2b4651150798392b9fb1a26b3573c320c9e26de14d84cafa30309833188785362eac17cbe080f6663fbf026666d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat

Filesize
478B

MD5
9bf768c63774cf3f401d65eedda90d8c

SHA1
ba4cf39c4c93b9ac5c47763de9ae7795100dd455

SHA256
7dcbac6b2d5397ca7a20e53254686924014c55e509feff86582f2a173950783d

SHA512
6f74d9599cc0c8bda83bcdef465b5f4ede1421389492152a124282fc3e67218567762780b76d9a005f9370dcb5c9919c0ee37310b603cee01d6a9582ed62495a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat

Filesize
1KB

MD5
d197d9af921e4263376d4eea60b9b898

SHA1
75a55da2a0447eff17cd66ebb59bd43543e8bb37

SHA256
49dc6a5b590f22963d30af7240cdfd48f2f1ceddc1f6ff2b8646515d76907006

SHA512
c8db32d9fb876b7313d8cee66ad8a7f357b700e4fc3b581a9dd78740f6c3e49f61c07b518ab50d63e62060aaf3f1b170c64e4d7a7e7f978933a11250f4cff4f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3IJM3RKJ.txt

Filesize
601B

MD5
78e9e61fb9ce3d92c9a9856beae2da83

SHA1
37ab3f625d7d1a31a76e227b86172dfb67f3abf4

SHA256
dfc984ee3d2b450d0370e8cc87e67f99a3f689cfdf255dce5a82886994f14839

SHA512
9cf781e7d85853334e811aee420c16327bf41b158883da980141b1c2877556d6285d7e9b7304cd3206f17485a89e47af3b67c5ea0416db6bd4356742f3b97fd9

Download Submit