Analysis

  • max time kernel
    104s
  • max time network
    114s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-es
  • resource tags

    arch:x64, arch:x86, image:win10-20230220-es, locale:es-es, os:windows10-1703-x64, system, windows
  • submitted
    31/03/2023, 16:22

Errors

  • Reason
    Machine shutdown

General

  • Target

    https://github.com/Endermanch/MalwareDatabase/raw/master/NoEscape.zip

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  • UAC bypass (3 TTPs, 1 IoCs)
  • Disables RegEdit via registry modification (1 IoCs)
  • Drops desktop.ini file(s) (2 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Modifies Internet Explorer Phishing Filter (1 TTPs, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 44 IoCs)
  • Modifies data under HKEY_USERS (15 IoCs)
  • Modifies registry class (1 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Endermanch/MalwareDatabase/raw/master/NoEscape.zip
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1092 CREDAT:82945 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1564
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:4844
  • C:\Users\Admin\Downloads\NoEscape\NoEscape.exe
    "C:\Users\Admin\Downloads\NoEscape\NoEscape.exe"
    • Modifies WinLogon for persistence
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    PID:3204
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad2055 /state1:0x41c64e6d
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3484

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

            Filesize

            471B

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

            Filesize

            434B

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IV9H23MJ\NoEscape[1].zip

            Filesize

            616KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IV9H23MJ\suggestions[1].es-ES

            Filesize

            18KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\80V3M9UG.cookie

            Filesize

            613B

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\VYMDQCW5.cookie

            Filesize

            613B

          • C:\Users\Admin\Downloads\NoEscape.zip.3bn8ens.partial

            Filesize

            616KB

          • C:\Users\Public\Desktop\ᘠ␻≆ၓㄪ٤⡊⯿ள⨛⦭ᣂ⻁බ⻔ऀ⃧ᦓ

            Filesize

            666B

          • memory/3204-186-0x0000000000400000-0x00000000005CC000-memory.dmp

            Filesize

            1.8MB

          • memory/3204-362-0x0000000000400000-0x00000000005CC000-memory.dmp

            Filesize

            1.8MB