Resubmissions

31/03/2023, 17:49

230331-wegqtade5v 1

31/03/2023, 17:46

230331-wctbtsde31 1

31/03/2023, 17:45

230331-wb591ade3w 1

31/03/2023, 17:24

230331-vyn4kadc8y 10

Analysis

  • max time kernel
    188s
  • max time network
    199s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/03/2023, 17:24

Errors

Reason
Machine shutdown

General

  • Target

    NoEscape.exe

  • Size

    666KB

  • MD5

    989ae3d195203b323aa2b3adf04e9833

  • SHA1

    31a45521bc672abcf64e50284ca5d4e6b3687dc8

  • SHA256

    d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f

  • SHA512

    e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305

  • SSDEEP

    12288:85J5X487qJUtcWfkVJ6g5s/cD01oKHQyis2AePsr8nP712TB:s487pcZEgwcDpg1L2tbPR2t

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Modifies WinLogon 2 TTPs 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • System policy modification 1 TTPs 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NoEscape.exe
    "C:\Users\Admin\AppData\Local\Temp\NoEscape.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Disables RegEdit via registry modification
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Modifies WinLogon
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • System policy modification
    PID:4588
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb03ba394h485dh4bd1hbb51h75438eace8cb
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb8efc46f8,0x7ffb8efc4708,0x7ffb8efc4718
      2⤵
        PID:428
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39a5055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:3524

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Public\Desktop\ቬㄜዊḡ٩ᚾྤↇ⭪ᛥ઄ṫ✧ᅲٞ⶧ਹ⓸ᙎヤବ

            Filesize

            666B

            MD5

            e49f0a8effa6380b4518a8064f6d240b

            SHA1

            ba62ffe370e186b7f980922067ac68613521bd51

            SHA256

            8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

            SHA512

            de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

          • memory/4588-133-0x0000000000400000-0x00000000005CC000-memory.dmp

            Filesize

            1.8MB

          • memory/4588-134-0x0000000000400000-0x00000000005CC000-memory.dmp

            Filesize

            1.8MB

          • memory/4588-135-0x0000000000400000-0x00000000005CC000-memory.dmp

            Filesize

            1.8MB

          • memory/4588-137-0x0000000000400000-0x00000000005CC000-memory.dmp

            Filesize

            1.8MB

          • memory/4588-139-0x0000000000400000-0x00000000005CC000-memory.dmp

            Filesize

            1.8MB

          • memory/4588-140-0x0000000000400000-0x00000000005CC000-memory.dmp

            Filesize

            1.8MB

          • memory/4588-142-0x0000000000400000-0x00000000005CC000-memory.dmp

            Filesize

            1.8MB

          • memory/4588-320-0x0000000000400000-0x00000000005CC000-memory.dmp

            Filesize

            1.8MB