47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-de
resource tags

arch:x64arch:x86image:win10v2004-20230703-delocale:de-deos:windows10-2004-x64systemwindows
submitted
06-08-2023 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoEscape.zip
Size

616KB
MD5

ef4fdf65fc90bfda8d1d2ae6d20aff60
SHA1

9431227836440c78f12bfb2cb3247d59f4d4640b
SHA256

47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8
SHA512

6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9
SSDEEP

12288:1PQuO1JLx2auoA82iqOxdOc7XPkmpOw6mqc5m937hnTMktj1H:1PVqJx2auYqw7dOw6mql3nNBd

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\NoEscape.zip:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4380	firefox.exe
Token: SeDebugPrivilege	4380	firefox.exe
Token: SeDebugPrivilege	4380	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4380	firefox.exe
4380	firefox.exe
4380	firefox.exe
4380	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4380	firefox.exe
4380	firefox.exe
4380	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4380	firefox.exe
4380	firefox.exe
4380	firefox.exe
4380	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 4380	2856	firefox.exe	94
PID 2856 wrote to memory of 4380	2856	firefox.exe	94
PID 2856 wrote to memory of 4380	2856	firefox.exe	94
PID 2856 wrote to memory of 4380	2856	firefox.exe	94
PID 2856 wrote to memory of 4380	2856	firefox.exe	94
PID 2856 wrote to memory of 4380	2856	firefox.exe	94
PID 2856 wrote to memory of 4380	2856	firefox.exe	94
PID 2856 wrote to memory of 4380	2856	firefox.exe	94
PID 2856 wrote to memory of 4380	2856	firefox.exe	94
PID 2856 wrote to memory of 4380	2856	firefox.exe	94
PID 2856 wrote to memory of 4380	2856	firefox.exe	94
PID 4380 wrote to memory of 3952	4380	firefox.exe	95
PID 4380 wrote to memory of 3952	4380	firefox.exe	95
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 3212	4380	firefox.exe	96
PID 4380 wrote to memory of 1300	4380	firefox.exe	97
PID 4380 wrote to memory of 1300	4380	firefox.exe	97
PID 4380 wrote to memory of 1300	4380	firefox.exe	97

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NoEscape.zip
1⤵
PID:2584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:780

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.0.1698889026\1017356743" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7153328c-1b75-46b2-9f1b-be5ce9388a0f} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 1964 1948e2dae58 gpu
    3⤵
    PID:3952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.1.2128733154\534563163" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {736dd5aa-c45d-4c27-8b95-01d6838cc870} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 2364 19481971958 socket
    3⤵
    PID:3212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.2.1597413102\930253849" -childID 1 -isForBrowser -prefsHandle 3256 -prefMapHandle 3148 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d00c468-aaef-4d5f-8719-11f2505dbbff} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 3180 194923bd558 tab
    3⤵
    PID:1300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.3.1615595752\1335971188" -childID 2 -isForBrowser -prefsHandle 3816 -prefMapHandle 3812 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef9e63f6-32ae-4d19-bc5e-416d982ad988} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 3832 19490d5db58 tab
    3⤵
    PID:3324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.4.1044308585\1925178998" -childID 3 -isForBrowser -prefsHandle 4264 -prefMapHandle 4260 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {893e254d-83ac-47e7-a735-ca041a368715} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 4276 194929c6c58 tab
    3⤵
    PID:1484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.5.1888127431\939651497" -childID 4 -isForBrowser -prefsHandle 5040 -prefMapHandle 5072 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5334b7f-8595-449e-828f-4a78d6f896d2} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 5060 19493c7ae58 tab
    3⤵
    PID:4320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.7.722169704\291567830" -childID 6 -isForBrowser -prefsHandle 5372 -prefMapHandle 5376 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c975b3b-ebe2-4081-afd3-e9129f7eabb3} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 5456 194949f3f58 tab
    3⤵
    PID:1432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.6.1620077218\92496886" -childID 5 -isForBrowser -prefsHandle 5180 -prefMapHandle 5184 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ad0fb91-4efb-4265-803e-8f689082df3f} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 5264 194949f3958 tab
    3⤵
    PID:4072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.8.1653378729\1833822073" -childID 7 -isForBrowser -prefsHandle 5888 -prefMapHandle 5860 -prefsLen 27057 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5cc3e00-0110-4831-81c7-f8814531e60d} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 5896 194962aac58 tab
    3⤵
    PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\activity-stream.discovery_stream.json.tmp

Filesize
146KB

MD5
14245d7598abc63b491f8d6662753fe3

SHA1
684aed27b4e6256a38089075fcdfcb5e25b22559

SHA256
2bcb84257deffe9dbd250c7687ccf46bb23ee809421a932ec0430d6660260ccd

SHA512
417e844a60910989ceea89746ed7d20a1afd037b9d8a6960bfc89c25ff4f3e9d98c5bdedab3d9d085b113f2746a42c9011c46d8ea279276ee1679854c07231df

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\cache2\doomed\1718

Filesize
38KB

MD5
7dd61bdef4e2b3027f76ee7ce7fb27a8

SHA1
4bacb945ea032c8f06f74b8c4c4feb0dd12cfabe

SHA256
612a70b0286d199909a80047cca066cb874ae130e725660712f6fcd6ad359b97

SHA512
17cf3cf96ad16fba199d5bd6d89ceb2247ac67c42ad589675b6d7ee3bfbc9a1d224c00ec4fa74f880691f7de8ec864a554477255de566f98e28d1f32143b4cb0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\cache2\entries\A6C74BC2260EAFF823C7AED38BBA607C962CCB55

Filesize
40KB

MD5
b48d361099544bf14ae318449225802a

SHA1
8066ae70bd6dc5b74ddd52201ee372d653bc68a2

SHA256
2ecbf654c2c01d1ae396e3ab6bd43c00d2bcddd1c21f93e6a398ead16572bc21

SHA512
dd49548aa8e79dba867e978fdbe5c43bc6adb5a0d70beb7fa190d36c4c85443962f7f6f11bec3c71d2af162eb74bcffe97314282de97fe5d95524abd2b30ff4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\prefs-1.js

Filesize
7KB

MD5
336e84c979063d3efe0771b839ad6be4

SHA1
642e0d5bb85d02e4fe5b15ab5ffad98179b7eaf8

SHA256
ee95500515bd5d146bf1a519575dddd30ba79024918a47f604bb5fbd8736eed9

SHA512
14e6a48423e5d60729ba75961698083ae70eb426115ab87d2dc7e7ea716713ec55e727232c3acf3d44653776827adf25287fc815ba1825ed7c81d5d0b6053ddb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\prefs-1.js

Filesize
6KB

MD5
0b0fe585c38323d5bc1a2c6189c9c73b

SHA1
4c1f11a100c99a27b1ca2ab25b0370e5bc1f86a6

SHA256
2ad480270facb240cfa301bc88b7a052db83c33842803546b79b7146330dfb7f

SHA512
0d345ae4d95282aa37383eee7691d75962794dbdb30602438609b327fc4cbaf14c0a9cba56504b21c9e755c11b762930eb4ef9d3e6c1b8769096748b8d3c91f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\prefs-1.js

Filesize
6KB

MD5
a0413ebd05fa706a85ae430cfabf53e0

SHA1
3a27b698daea945aab9f01bb2b07f440f61f2298

SHA256
9d725df0184d9525a4716c85b12f72103c994012061d2323681d56b286bcff20

SHA512
f1518561f7fed75bb023e4422dd7954b939bf4a14eb4cfbd57c427d2e7cd6ba5bba8b674e7878e210313b7ad3c89afce7c731660028bac7e5678ab201f9939aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\prefs.js

Filesize
6KB

MD5
93d0feb34edc11897258e299b2b543f2

SHA1
2871e5f7105637bc468d8800b5aeb4047533a5b9

SHA256
05cb3c57fb12fee0a0f4c7010172f33d4671eedc6f39342351ae67af0cc0c71c

SHA512
8f3926eb3c55faaa9aaeb5a62dc6688abec3fee1d883b039a04bc1ab6d9dd60bca4f7e73c3542b953c4f696a19a78dcd76f81d065eeff460e7b1820330cddf37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
b2f97d2ee7eaee587d9cf887a5f9e6a0

SHA1
42ee9858631f483393ef16c2b4f20908b5f2a477

SHA256
02856bcd90e7f15c5136906a5063d84310d66e2e4cd87cc5b50108fb20f933aa

SHA512
ac3801ccd9159b260ec7a1318318889a565ff38daffed80a1dda6afa56a25be499af0b53d56b427436decaabc7107573818a4d81d2e5e1fc8aec6b6e96815b0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
800c11642d96df484d5d65ee0f774d66

SHA1
f4cbbb7280541f1a8f19333982577e6be1e134cc

SHA256
d89df54c4fc05cfa0ec7c0d9f3ae0c1d8410d4abb281a17dd3156a9e5bcf4edb

SHA512
3c637eb01113ff49b48975b43a455e1ea0129c4c77a0d4efe7ec2b717f4ca065296badb31b61a0440a5f6e09fc4cb8b1dc9682aa38213915460850c232842f23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
dfcd237405adc0eedba1ebd9e9840f98

SHA1
5d2352824578d5bad1d374884a758dda9a471ae6

SHA256
864fd295e590a1446dd3743b43e484f507aa2ccea28b8217c220c40f955b26c2

SHA512
e73626dd525830b0ae8001bdb298c961e06302c4932a707b48c7def03722b3b64f04c55e1a53145e07dd5b21291a031aa922921a985b9162d071b5917fa57a48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
8513939d218a59169e72905c2f19d089

SHA1
ac92c3155070b92d229f448b1234953bcf7644ba

SHA256
c8331bb67c54efc1e19c6f8b9482d9c8ee4b1b2a32c480901480a630c084fec3

SHA512
94fe2577cf28856adc20ea278931088e469484a7d9bf6b9ffbcb232dd3b4f2a4033af5e1c008358db9ef21cb4204741ba25d03d6c2ca6cab9574630b5f643eb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ece797bc5dbc8c47951a1b0e780a5a7a

SHA1
58717093390ce9b12cf8eef44108bcd41955205c

SHA256
4d17a6d6957167202e499728b96a3d195201a4a13a31a0f99723990038b63d38

SHA512
7c123ad8b7aa33c118c2bde2f7474298f29bbc2a9e5941c115266f810d54376052cdfdac0ff7d1cb1f4f4d97ae806c49dea0e91af066a92d6eff8d8a6eb7b792

Download Submit
C:\Users\Admin\Downloads\NoEscape.FjaBFH2z.zip.part

Filesize
616KB

MD5
ef4fdf65fc90bfda8d1d2ae6d20aff60

SHA1
9431227836440c78f12bfb2cb3247d59f4d4640b

SHA256
47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8

SHA512
6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9

Download Submit