Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

1

NoEscape.zip

windows10-1703-x64

6

Resubmissions

25/04/2023, 15:04

230425-sfwdtacg8x 1

25/04/2023, 14:56

230425-sa76esah89 4

25/04/2023, 14:53

230425-r9k99sah77 1

25/04/2023, 14:49

230425-r67zvscg4s 6

25/04/2023, 14:42

230425-r28qlaah48 5

Analysis

  • max time kernel
    146s
  • max time network
    144s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    25/04/2023, 14:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NoEscape.zip

  • Size

    616KB

  • MD5

    ef4fdf65fc90bfda8d1d2ae6d20aff60

  • SHA1

    9431227836440c78f12bfb2cb3247d59f4d4640b

  • SHA256

    47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8

  • SHA512

    6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9

  • SSDEEP

    12288:1PQuO1JLx2auoA82iqOxdOc7XPkmpOw6mqc5m937hnTMktj1H:1PVqJx2auYqw7dOw6mql3nNBd

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 4 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 47 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NoEscape.zip
    1⤵
      PID:4024
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\BackupJoin.xhtml
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3440
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3440 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4400
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\BackupJoin.xhtml
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5008 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4624
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\InitializeWrite.odt"
      1⤵
        PID:1104
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\InitializeWrite.odt"
        1⤵
          PID:4528
        • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
          "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\InitializeWrite.odt"
          1⤵
            PID:4828
          • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
            "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\InitializeWrite.odt"
            1⤵
              PID:4952
            • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
              "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\InitializeWrite.odt"
              1⤵
                PID:4960
              • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\InitializeWrite.odt"
                1⤵
                • Checks processor information in registry
                • Enumerates system info in registry
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:3144
              • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:4540
                • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
                  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
                  2⤵
                    PID:520
                  • C:\Windows\SysWOW64\unregmp2.exe
                    "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4464
                    • C:\Windows\System32\unregmp2.exe
                      "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
                      3⤵
                      • Enumerates connected drives
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1020
                • C:\Program Files\VideoLAN\VLC\vlc.exe
                  "C:\Program Files\VideoLAN\VLC\vlc.exe"
                  1⤵
                  • Suspicious behavior: AddClipboardFormatListener
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of SetWindowsHookEx
                  PID:4900
                • C:\Windows\system32\mspaint.exe
                  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DisconnectMove.rle"
                  1⤵
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:816
                • C:\Windows\system32\mspaint.exe
                  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DisconnectMove.rle"
                  1⤵
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:1852
                • C:\Windows\system32\mspaint.exe
                  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DisconnectMove.rle"
                  1⤵
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:2540
                • \??\c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
                  1⤵
                    PID:3232
                  • C:\Windows\system32\mspaint.exe
                    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DisconnectMove.rle"
                    1⤵
                    • Drops file in Windows directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:2288
                  • C:\Program Files\VideoLAN\VLC\vlc.exe
                    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PushConvertTo.aif"
                    1⤵
                    • Suspicious behavior: AddClipboardFormatListener
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of SetWindowsHookEx
                    PID:2496
                  • C:\Program Files\VideoLAN\VLC\vlc.exe
                    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PushConvertTo.aif"
                    1⤵
                      PID:1548
                    • C:\Windows\system32\NOTEPAD.EXE
                      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\OpenPublish.ini
                      1⤵
                      • Opens file in notepad (likely ransom note)
                      PID:3984
                    • C:\Program Files\VideoLAN\VLC\vlc.exe
                      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CompressClear.M2T"
                      1⤵
                        PID:1592
                      • C:\Windows\System32\xpsrchvw.exe
                        "C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\EnableWait.eprtx"
                        1⤵
                        • Suspicious use of SetWindowsHookEx
                        PID:1408
                      • C:\Windows\System32\xpsrchvw.exe
                        "C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\EnableWait.eprtx"
                        1⤵
                        • Suspicious use of SetWindowsHookEx
                        PID:3556
                      • C:\Windows\System32\fontview.exe
                        "C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\ClearApprove.fon
                        1⤵
                          PID:2060

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{668C4E9B-E378-11ED-9346-7E4DEDD3F78C}.dat
                          Filesize

                          3KB

                          MD5

                          2f84c1fc8d3f0143cb9572a151396001

                          SHA1

                          0a61594d9a79ef57b454acd27c07d3daeb431ccf

                          SHA256

                          0bc91389043239807a8aa9ad35209d43b46dbf5e05f5ce8f1f0ac5c79e20af0f

                          SHA512

                          c82b270468485b834996a4971491d83182751ddaac4a76ddf106e3d7caedc383a17dc2c971e46f974e260cd8bf8524ab7ce711fe8c1c887b2855df150237cfd2

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{669F618B-E378-11ED-9346-7E4DEDD3F78C}.dat
                          Filesize

                          5KB

                          MD5

                          8a49c6ea0120746ae4f2165939f45a34

                          SHA1

                          6649db86ffc782eedfbb0d6cc666414f5ef6c3c6

                          SHA256

                          e0e35e4e1b023896bd0665861cba345e8dc70d2ba9ac7666c6b6df9d2a1e6b71

                          SHA512

                          2b40652ed401acc7ae4e0650b2ee97ff28cb3d4cfc6fd56034d5d2c94e0731563769abdb08e91d98ff9ab0069db0b43a302aac4b53614a2619b30b8635943c8a

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{DD985BA9-B146-11ED-933F-7A8F0EDDD75F}.dat
                          Filesize

                          5KB

                          MD5

                          977ba23e5fc3a876c2b2aaa351c9e0c6

                          SHA1

                          5473757efa83f270414f7944f3058338050f8969

                          SHA256

                          1a97d0bac4f128edd02fa546946b4c19d328c080ffa9a819459649f80e13a44f

                          SHA512

                          0dea4f897f9c222087629b50462884b1bd5b2f11600780cbfb77c42d9a2b8228cda10619c7f89001186c95ddd8514ef1e166513467a928c0225275253a8b9adb

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{668C4E9E-E378-11ED-9346-7E4DEDD3F78C}.dat
                          Filesize

                          6KB

                          MD5

                          3f00a2d0c3ddedef75639cb1907f0df2

                          SHA1

                          316e44604c327c7bcd83bb2441052282fc9d9491

                          SHA256

                          f1ec536246d724ec3f5edbee02415cdd3231adff63b4db0919af250a3949a932

                          SHA512

                          c49f5f3f2405ed4fc85f99a4a6a1b7131685becd177368cd9570850e47b501a6da7923712eece912315dcda7fed9bfb10fa5e54f8616909de9ac2eacb20ea61d

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver291.tmp
                          Filesize

                          15KB

                          MD5

                          1a545d0052b581fbb2ab4c52133846bc

                          SHA1

                          62f3266a9b9925cd6d98658b92adec673cbe3dd3

                          SHA256

                          557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

                          SHA512

                          bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
                          Filesize

                          384KB

                          MD5

                          9574d26ecc89d8ef027e51b9e47f2bc9

                          SHA1

                          1d6e6c558321dde60102ba63accf08b0a7d74cc5

                          SHA256

                          6dc988b85852834380f897e1b13c9a6e4f3f9bb6ae63ed3974b1005a979d6ebe

                          SHA512

                          60d552bcecc6c46d4e4c0c8f514cdcd9afde6256002ecb54342a2118ed496694485f1d2cda7082560f9a94b9ba1fb8da9bdd47f69a761a54873b51ad88e4ba7e

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
                          Filesize

                          9KB

                          MD5

                          7050d5ae8acfbe560fa11073fef8185d

                          SHA1

                          5bc38e77ff06785fe0aec5a345c4ccd15752560e

                          SHA256

                          cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

                          SHA512

                          a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\tmp66296.WMC\allservices.xml
                          Filesize

                          546B

                          MD5

                          df03e65b8e082f24dab09c57bc9c6241

                          SHA1

                          6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

                          SHA256

                          155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

                          SHA512

                          ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\tmp68093.WMC\serviceinfo.xml
                          Filesize

                          523B

                          MD5

                          d58da90d6dc51f97cb84dfbffe2b2300

                          SHA1

                          5f86b06b992a3146cb698a99932ead57a5ec4666

                          SHA256

                          93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

                          SHA512

                          7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
                          Filesize

                          1KB

                          MD5

                          770da23a42f01fbc7b10b0204d9d72ec

                          SHA1

                          7e4e8e8059d29088c886835da55d2dbe0fdff8d8

                          SHA256

                          ce520676b20981509a9ccaa100ee7df8266338a771ed92a8f83b319a6f9013b6

                          SHA512

                          165ad1caf989546c7d122578533732fe94a74fe927d713bc0390a4d38c6fe257da32b2d16b10e53d30f530cf79e55fac713d0abcd5811fc90dfea2efa1a8426e

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\~DFC922372A428859F7.TMP
                          Filesize

                          16KB

                          MD5

                          fc8b9e48bd82401d03b323be8db39847

                          SHA1

                          2352cd2041e886f7023c3ffe27ab92ce1a21acbb

                          SHA256

                          743f8a30682bbf219bed9babed65c73805fdf0037c7e181a2eaf288668968d71

                          SHA512

                          8275d5c8ea6e3c9f2ae37e5c5221b07c84f8dda5a22d40b1e2f2f61aff0c2f9b04044190d52edf0e8fa8aa2e4ecc34806e729e4d7dd6c8621a4a5907ccae62af

                          Download Submit

                        • C:\Windows\Debug\WIA\wiatrace.log
                          Filesize

                          4KB

                          MD5

                          b6c7877d8aa3c9650a1994d4a05b83ca

                          SHA1

                          bf81dfd367b0c5009346fcf51aafae974bd6bdf6

                          SHA256

                          5aba3263768b3199f71aa9982d9eb8eb82374c79c6b2fc3162226d3fb83004ea

                          SHA512

                          ea43b5ce762cf9019e682028428f162815d38335e4e1f294ba265aa9f2166a13637e2c5c6c52030dfed55f3c546bf74886505fcffb44944083b9bdf37f53f86a

                          Download Submit

                        • memory/1104-145-0x00007FFE43660000-0x00007FFE43670000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1104-173-0x00007FFE3FE40000-0x00007FFE3FE50000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1104-142-0x00007FFE43660000-0x00007FFE43670000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1104-137-0x00007FFE43660000-0x00007FFE43670000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1104-148-0x00007FFE43660000-0x00007FFE43670000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1548-513-0x00007FFE7AB10000-0x00007FFE7AB28000-memory.dmp

                          Filesize

                          96KB

                          Download

                        • memory/1548-510-0x00007FF636980000-0x00007FF636A78000-memory.dmp

                          Filesize

                          992KB

                          Download

                        • memory/1548-511-0x00007FFE77070000-0x00007FFE770A4000-memory.dmp

                          Filesize

                          208KB

                          Download

                        • memory/1548-512-0x00007FFE76660000-0x00007FFE76914000-memory.dmp

                          Filesize

                          2.7MB

                          Download

                        • memory/1548-514-0x00007FFE76B10000-0x00007FFE76B27000-memory.dmp

                          Filesize

                          92KB

                          Download

                        • memory/1548-515-0x00007FFE76AF0000-0x00007FFE76B01000-memory.dmp

                          Filesize

                          68KB

                          Download

                        • memory/1592-522-0x00007FF636980000-0x00007FF636A78000-memory.dmp

                          Filesize

                          992KB

                          Download

                        • memory/1592-523-0x00007FFE77070000-0x00007FFE770A4000-memory.dmp

                          Filesize

                          208KB

                          Download

                        • memory/3144-212-0x00007FFE3FE40000-0x00007FFE3FE50000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4528-221-0x00007FFE43660000-0x00007FFE43670000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4528-227-0x00007FFE43660000-0x00007FFE43670000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4528-239-0x00007FFE43660000-0x00007FFE43670000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4528-232-0x00007FFE43660000-0x00007FFE43670000-memory.dmp

                          Filesize

                          64KB

                          Download