Analysis
-
max time kernel
141s -
max time network
144s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
31-05-2023 15:49
General
-
Target
Setup_for_noescapepatch_NU-Km21.exe
-
Size
1.7MB
-
MD5
99a9fbd5fee72ce51585309390a46717
-
SHA1
ff39c56312090a909c2c0c82629c552a3b252a98
-
SHA256
833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa
-
SHA512
97f9a98fb48c8281818163d3dbe66fa246e1fe6a5a67f15175419992b0ca389cbe086e457177c21ce9c99ff05a1e0b508812cdf30220090a438dd8c94f73c6b7
-
SSDEEP
24576:R4nXubIQGyxbPV0db26Wmd0l4sv1Et9uGpckT52zedlq89Ws5uIzk5aM/phdO7:Rqe3f61mZSffPMWrQ0ZkA
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks for any installed AV software in registry 1 TTPs 6 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Windows directory 3 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup_for_noescapepatch_NU-Km21.exe"C:\Users\Admin\AppData\Local\Temp\Setup_for_noescapepatch_NU-Km21.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-L74LG.tmp\Setup_for_noescapepatch_NU-Km21.tmp"C:\Users\Admin\AppData\Local\Temp\is-L74LG.tmp\Setup_for_noescapepatch_NU-Km21.tmp" /SL5="$1101E0,831488,831488,C:\Users\Admin\AppData\Local\Temp\Setup_for_noescapepatch_NU-Km21.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-0CPTM.tmp\file_NU-Km21.exe"C:\Users\Admin\AppData\Local\Temp\is-0CPTM.tmp\file_NU-Km21.exe" /LANG=en /NA=Rh85hR643⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-BKGCV.tmp\file_NU-Km21.tmp"C:\Users\Admin\AppData\Local\Temp\is-BKGCV.tmp\file_NU-Km21.tmp" /SL5="$201FC,1559708,780800,C:\Users\Admin\AppData\Local\Temp\is-0CPTM.tmp\file_NU-Km21.exe" /LANG=en /NA=Rh85hR644⤵
- Checks for any installed AV software in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Downloads\noescapepatch.exe"C:\Users\Admin\Downloads\noescapepatch.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6CI3IN3W\edgecompatviewlist[1].xmlFilesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\WFEBWWFZ\www.fileplanet[1].xmlFilesize
116B
MD5e184b706e4be821cb935a3c843dad287
SHA1936291d5cd6bacc9257067d1f76ad492bbae5d5c
SHA2565d25e96fd1a2d38451205ec758dd8d4c671da4eb73d5d0211f558d02439a84d8
SHA51205dab706daff3d1bbba675c93facbeecd6e9f40f65d4c353d568f21dd2e3e93283109389c8f82324f6995fbb445b51427b26fed5a1e525cb807a960aec3b6e05
-
C:\Users\Admin\AppData\Local\Temp\is-0CPTM.tmp\file_NU-Km21.exeFilesize
2.3MB
MD5854429c43fa3da92acbc9e908087039f
SHA112cc8cb76ef5c5ab090b87df947f30d9f35ff4b4
SHA25645f726c1a73f45576716369fe7ba65df2f9785f237a07085986376f13f2787ed
SHA51281abfbfd2b6bd8f3e4a96fb4650c4183ff81afc07547dd5b86dc023ab824b3e5b343ed0e659bc8393cc668fd32748a02e3d41298e9f598336ae689bbc3cb4d8f
-
C:\Users\Admin\AppData\Local\Temp\is-0CPTM.tmp\file_NU-Km21.exeFilesize
2.3MB
MD5854429c43fa3da92acbc9e908087039f
SHA112cc8cb76ef5c5ab090b87df947f30d9f35ff4b4
SHA25645f726c1a73f45576716369fe7ba65df2f9785f237a07085986376f13f2787ed
SHA51281abfbfd2b6bd8f3e4a96fb4650c4183ff81afc07547dd5b86dc023ab824b3e5b343ed0e659bc8393cc668fd32748a02e3d41298e9f598336ae689bbc3cb4d8f
-
C:\Users\Admin\AppData\Local\Temp\is-BKGCV.tmp\file_NU-Km21.tmpFilesize
2.9MB
MD5623a3abd7b318e1f410b1e12a42c7b71
SHA188e34041850ec4019dae469adc608e867b936d21
SHA256fe1a4555d18617532248d2eaa8d3fcc2c74182f994a964a62cf418295e8554d3
SHA5129afea88e4617e0f11416c2a2c416a6aa2d5d1f702d98d2cc223b399736191a6d002d1b717020ca6aae09e835c6356b7ddafad71e101dacab15967d89a105e391
-
C:\Users\Admin\AppData\Local\Temp\is-K6BK6.tmp\AVAST.pngFilesize
64KB
MD5096ff7dbb7f5dfb71cf40fcd37a59fd6
SHA15cc8f2256ae43e597edaf7841771d7471d8d0590
SHA2566197d9ad63a37760e88b7ee53077faf94d0deeb9d8740428d2dc76a7242d7843
SHA5128a37e62cdd1989443f1ac98c0e827cdbdd00f1a9d243e7b433ce1bf5dbdd05c8e1c7fdc07261086c18b6e39d2494c3b2acaac60a24bec84f4631f295efc4891d
-
C:\Users\Admin\AppData\Local\Temp\is-K6BK6.tmp\finish.pngFilesize
2KB
MD57afaf9e0e99fd80fa1023a77524f5587
SHA1e20c9c27691810b388c73d2ca3e67e109c2b69b6
SHA256760b70612bb9bd967c2d15a5133a50ccce8c0bd46a6464d76875298dcc45dea0
SHA512a090626e7b7f67fb5aa207aae0cf65c3a27e1b85e22c9728eee7475bd9bb7375ca93baaecc662473f9a427b4f505d55f2c61ba36bda460e4e6947fe22eedb044
-
C:\Users\Admin\AppData\Local\Temp\is-K6BK6.tmp\mainlogo.pngFilesize
7KB
MD5c552e74a342cb35fa8b45ed4190c1609
SHA11e914f5a79af3bc1dc990a9f2d1ebdb41edc82d5
SHA256d386a1220f26de84d3b9a220db6a058e94d82b2403c8f70103ee20fa5579407f
SHA51280837907c8febe9306b149114b637b491bedede7c49d426e6ce9c1b416014c4beb4de57da1bef39a3783a345971b92532ce374f9138255588ebae6d15232a081
-
C:\Users\Admin\AppData\Local\Temp\is-L74LG.tmp\Setup_for_noescapepatch_NU-Km21.tmpFilesize
3.0MB
MD50c229cd26910820581b5809c62fe5619
SHA128c0630385b21f29e3e2bcc34865e5d15726eaa0
SHA256abfa49a915d2e0a82561ca440365e6a2d59f228533b56a8f78addf000a1081b3
SHA512b8ff3dc65f7c0e03721572af738ec4886ba895dc70c1a41a3ce8c8abe0946d167cec71913017fd11d5892452db761ea88901a5a09a681ae779dd531edbb83a2a
-
C:\Users\Admin\Downloads\noescapepatch.exeFilesize
1.7MB
MD571224f9ae64b4ae9b67c1416abd0b48e
SHA1968c2d4a428c709ff3b0a760c4ad0fb9fbb7f2e4
SHA256e78cb40d88f437a5140e36a47ee047e4d4f20363ac4966d63cbe0f37336dfa58
SHA512918a423d27afb7573f4e22d35edb530d0335538e0ba581011f9e39377dbf8093e1cd10b37cacc79bd29438bf67cd7faa245fb49b475e6f50279659a81836e9f7
-
C:\Users\Admin\Downloads\noescapepatch.exeFilesize
1.7MB
MD571224f9ae64b4ae9b67c1416abd0b48e
SHA1968c2d4a428c709ff3b0a760c4ad0fb9fbb7f2e4
SHA256e78cb40d88f437a5140e36a47ee047e4d4f20363ac4966d63cbe0f37336dfa58
SHA512918a423d27afb7573f4e22d35edb530d0335538e0ba581011f9e39377dbf8093e1cd10b37cacc79bd29438bf67cd7faa245fb49b475e6f50279659a81836e9f7
-
C:\Users\Admin\Downloads\noescapepatch.exeFilesize
1.7MB
MD571224f9ae64b4ae9b67c1416abd0b48e
SHA1968c2d4a428c709ff3b0a760c4ad0fb9fbb7f2e4
SHA256e78cb40d88f437a5140e36a47ee047e4d4f20363ac4966d63cbe0f37336dfa58
SHA512918a423d27afb7573f4e22d35edb530d0335538e0ba581011f9e39377dbf8093e1cd10b37cacc79bd29438bf67cd7faa245fb49b475e6f50279659a81836e9f7
-
\Users\Admin\AppData\Local\Temp\is-K6BK6.tmp\Helper.dllFilesize
2.0MB
MD54eb0347e66fa465f602e52c03e5c0b4b
SHA1fdfedb72614d10766565b7f12ab87f1fdca3ea81
SHA256c73e53cbb7b98feafe27cc7de8fdad51df438e2235e91891461c5123888f73cc
SHA5124c909a451059628119f92b2f0c8bcd67b31f63b57d5339b6ce8fd930be5c9baf261339fdd9da820321be497df8889ce7594b7bfaadbaa43c694156651bf6c1fd
-
\Users\Admin\AppData\Local\Temp\is-K6BK6.tmp\botva2.dllFilesize
37KB
MD567965a5957a61867d661f05ae1f4773e
SHA1f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b
-
\Users\Admin\AppData\Local\Temp\is-K6BK6.tmp\botva2.dllFilesize
37KB
MD567965a5957a61867d661f05ae1f4773e
SHA1f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b
-
memory/1000-163-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/1000-164-0x0000000000E10000-0x0000000000E11000-memory.dmpFilesize
4KB
-
memory/1000-165-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/1000-126-0x0000000000E10000-0x0000000000E11000-memory.dmpFilesize
4KB
-
memory/1548-207-0x00000247A6710000-0x00000247A6720000-memory.dmpFilesize
64KB
-
memory/1548-225-0x00000247A6500000-0x00000247A6510000-memory.dmpFilesize
64KB
-
memory/1548-249-0x00000247AAC90000-0x00000247AAC92000-memory.dmpFilesize
8KB
-
memory/1548-248-0x00000247AAC60000-0x00000247AAC62000-memory.dmpFilesize
8KB
-
memory/1548-246-0x00000247AAB10000-0x00000247AAB12000-memory.dmpFilesize
8KB
-
memory/1548-244-0x00000247A6600000-0x00000247A6601000-memory.dmpFilesize
4KB
-
memory/3208-167-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3208-146-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3208-121-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/4156-173-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4156-132-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4156-263-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4244-289-0x0000021268180000-0x0000021268182000-memory.dmpFilesize
8KB
-
memory/4244-293-0x0000021268450000-0x0000021268452000-memory.dmpFilesize
8KB
-
memory/4964-174-0x0000000000400000-0x00000000006EE000-memory.dmpFilesize
2.9MB
-
memory/4964-181-0x0000000000400000-0x00000000006EE000-memory.dmpFilesize
2.9MB
-
memory/4964-176-0x0000000002610000-0x0000000002611000-memory.dmpFilesize
4KB
-
memory/4964-175-0x0000000005350000-0x000000000535F000-memory.dmpFilesize
60KB
-
memory/4964-261-0x0000000000400000-0x00000000006EE000-memory.dmpFilesize
2.9MB
-
memory/4964-147-0x0000000002610000-0x0000000002611000-memory.dmpFilesize
4KB
-
memory/4964-196-0x0000000000400000-0x00000000006EE000-memory.dmpFilesize
2.9MB
-
memory/4964-157-0x0000000005350000-0x000000000535F000-memory.dmpFilesize
60KB
-
memory/4964-197-0x0000000005350000-0x000000000535F000-memory.dmpFilesize
60KB
