2e97ecb6cbe30536c04b3049eb3372dc6f3ef71354f898f448d4fdd1a560da24

Resubmissions

27-06-2023 22:30

230627-2eybfsff67 10

27-06-2023 22:26

230627-2cnn8sgf3w 10

Analysis

max time kernel
102s
max time network
107s
platform
windows10-1703_x64
resource
win10-20230621-en
resource tags

arch:x64arch:x86image:win10-20230621-enlocale:en-usos:windows10-1703-x64system
submitted
27-06-2023 22:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

redirect.html
Size

6KB
MD5

0b375fb53042dad5215bdf5b50b9f8ef
SHA1

cb1c83d776609d4a50ac9a3232423979513beca9
SHA256

2e97ecb6cbe30536c04b3049eb3372dc6f3ef71354f898f448d4fdd1a560da24
SHA512

524b0c42bd77098c44d09518a02b23ab98653ec0c10621a8c1487b7a27bae60938d9cb1e14914985bdbab1e1691f65d802c03c2c59036451dfe5953b18d46be2
SSDEEP

192:dPHLxX7777/77QF7q0Lod4BYCIdDO/XGE:dPr5HYs0+CIdDO/X/

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3592352177-2971570228-3741369827-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3592352177-2971570228-3741369827-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133323784294975704"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3592352177-2971570228-3741369827-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3316	chrome.exe
3316	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4276	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 4532	3316	chrome.exe	66
PID 3316 wrote to memory of 4532	3316	chrome.exe	66
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 4676	3316	chrome.exe	69
PID 3316 wrote to memory of 2616	3316	chrome.exe	68
PID 3316 wrote to memory of 2616	3316	chrome.exe	68
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70
PID 3316 wrote to memory of 4120	3316	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\redirect.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb55fd9758,0x7ffb55fd9768,0x7ffb55fd9778
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1752 --field-trial-handle=1668,i,7415984777815568485,3541690450327699227,131072 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1668,i,7415984777815568485,3541690450327699227,131072 /prefetch:2
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1668,i,7415984777815568485,3541690450327699227,131072 /prefetch:8
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1668,i,7415984777815568485,3541690450327699227,131072 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1668,i,7415984777815568485,3541690450327699227,131072 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4412 --field-trial-handle=1668,i,7415984777815568485,3541690450327699227,131072 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4364 --field-trial-handle=1668,i,7415984777815568485,3541690450327699227,131072 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4424 --field-trial-handle=1668,i,7415984777815568485,3541690450327699227,131072 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 --field-trial-handle=1668,i,7415984777815568485,3541690450327699227,131072 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5484 --field-trial-handle=1668,i,7415984777815568485,3541690450327699227,131072 /prefetch:8
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1668,i,7415984777815568485,3541690450327699227,131072 /prefetch:8
  2⤵
  PID:1444

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
PID:2792

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad2855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\68b2c239-7ff0-4d08-990d-8dbc38b7a608.tmp

Filesize
175KB

MD5
b0fe260185f31646f667dea9f34de00e

SHA1
15b68e1c3618b33959e116ab0ac8f922d81b2974

SHA256
1e498ca08112dc8b629be5f37579368a6b9e06df6b81347f6c748c6b29732866

SHA512
d77e50b6a5b217991f9a1318333a7bc66c3332bcce1e8019ed10e62a6ce35b33db9761f5566407dc125bdb7f5a672ba56c00a99dfb9b2b6b75819c6b45fb50d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
29d467307f8b678232779483cd25e7e5

SHA1
977e120c58633b272c8cb9c95c1dcb112c16e0be

SHA256
b5d05d2d893f43edfe517359a431fd2d63448152695aeb5970dcdc96a47fb2bb

SHA512
199932dc192c9f608c0919fc34edc7c52dca54e1154ee7e6228a2ba99ec447502af9f4c412d12abb71fdfcc3a5b840b711565902ca00dab618632fecdbca1313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
132f3f5624eff5ceacf9af6651ffd62d

SHA1
3074c934fd52ade11372eb4f1e1ebb7e99ddfcb4

SHA256
3cd315da8e3036e264afc977ca7ff2825cfb60272b3e958b32f372ba09637b1a

SHA512
cd81431ffa22e9ff935e2e19648b2e1cb51153953a567800182e818183e232729215aff59d47ccdfb22526ed45681cc7a129259a95acb7981510a3b4afa78801

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
eb8f3621b9468ec6147aedc0cc4eeeab

SHA1
d6670ca1ba437e6e12aab328689058b8cce35f9b

SHA256
168fa6a1bdb69ab27bb3b9c85ad9ac90a2bde44c7c7c3561756dfe9336070c0e

SHA512
1e28a8e48433ea29d0e51ba5c7a62c19c28c6bda5b409287a9896240330a017a48796090699b8ea5a0ab6dcf1ac3567ea4ecb136162000ddf350c763867450e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e1735311672c9abab39a907c5042e016

SHA1
7cad53a74db92cc53c815dfa90362c74999ec6e9

SHA256
0a90e6a008003bb709250fd8737205753a717dec3c8d85995af48131d87d8a29

SHA512
53aea6504f59157ea1e55c36857b4146fba76536b1e47fbcc2486366365dc61775e39ef4210190400468cea516c4447c9a2d993cabb7d2237998426c26701b86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
37cbdda19e5c3caa2bb27a87922dd1d4

SHA1
0d233e2a0b5bdb5ff64cea587e86562b8840b791

SHA256
253f32fa537dc8f1f717eb8a192f99005a2b3724cdea6a96f5e4fa1de22c83a9

SHA512
41c56f81a919d8022bb9bded9344bbeb93bba3022338865d3c705d88d20d4113fb60f41cfd0e697a95284e0860afce485cbace42a6fdc7707d242d822cb71c48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bf2300ebca40f3d594a2c72eef09ae01

SHA1
61c87e7e13a5a57134267332600326619f30c252

SHA256
b8294d2c7dd65cfc901229b47dd5535a9f814a10e2b17c3e1de345dc0d5e524b

SHA512
7dbf1714d267922d937467702b54d953c5930655b0fa4b7bd78d3d59367bb60adbf9a30e02fde6bc131a8dd3eabe0e161ccb65697408a2ec3426ff89e1b3ca36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
f88db6fc97645c04134347593de6c93e

SHA1
f56b4a23aa3bb0a6d966f475ade367e41901c31a

SHA256
2aa0b65ca0fba8a6f071003e3962e10b6617aa73f0b5223346a4f2a933242e20

SHA512
44ab4fc0ef40b38ba49d049d90d40e83fe2d4612dd529b6122e35029cd2b2e0e3a8145365568a1794810e1d87eacde5b90d6e552b6f55aac2b23b469b479f0e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
23bc3bfe47539eabe07aefcc7151e607

SHA1
49b310df584b9f2ab3b1915aec00f9978e4c8051

SHA256
d06077685acbecc58712e6872ad5eea98beace5eb7fdaa6a734e37825c3cf734

SHA512
47b64280f9fe7eb8ee4da3ebaae3b61593e4c6e0aa237aaa9bbbb60eae82d6dcd7b4f59e73082deb8862b5a3821e37564c0651b071102eca8706bc1a9129e444

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\NoEscape.zip.crdownload

Filesize
616KB

MD5
ef4fdf65fc90bfda8d1d2ae6d20aff60

SHA1
9431227836440c78f12bfb2cb3247d59f4d4640b

SHA256
47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8

SHA512
6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9

Download Submit
C:\Users\Public\Desktop\࣓րद⯃Ⅶᐡ᥍⛿᰽⭚᜜ᮦዯᵐ༶ࣨ⎓⎌൴ᅢẤଉ

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/2792-209-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2792-385-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads