2c0db6f82d284440ff266e9da499bda498b32cfb445ddb9d70b24d4c7596531d

Analysis

max time kernel
26s
max time network
59s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-02-2024 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoEscape.zip
Size

143KB
MD5

61eb95d9d0211d973f747e42d35cf778
SHA1

526fe4d31539220dc9b88b9b571fb87f37b1cf2c
SHA256

2c0db6f82d284440ff266e9da499bda498b32cfb445ddb9d70b24d4c7596531d
SHA512

8bc16676baae68dc198e5f1e3a6f88c15cf188c6eb5da222a71217969e47e799f2e7c84da07de7f3533075a3be518705b07bddd3a379c72ada95bf0224f6338e
SSDEEP

3072:zafpYYmMByc1zge3ZBOjS+rkPSfgIsqJnZ3P40Tltv8qQi+3Sno2WBZ4pSDuqJSd:aDuqJ+ffkvVSgE29xxspm0n1vuz3c9cU

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2496	chrome.exe
2496	chrome.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe
Token: SeShutdownPrivilege	2496	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2184	2496	chrome.exe	29
PID 2496 wrote to memory of 2184	2496	chrome.exe	29
PID 2496 wrote to memory of 2184	2496	chrome.exe	29
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2880	2496	chrome.exe	31
PID 2496 wrote to memory of 2096	2496	chrome.exe	32
PID 2496 wrote to memory of 2096	2496	chrome.exe	32
PID 2496 wrote to memory of 2096	2496	chrome.exe	32
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33
PID 2496 wrote to memory of 2712	2496	chrome.exe	33

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NoEscape.zip
1⤵
PID:1052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68e9758,0x7fef68e9768,0x7fef68e9778
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1380,i,8093994030212294412,11091987886514108149,131072 /prefetch:2
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1380,i,8093994030212294412,11091987886514108149,131072 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1380,i,8093994030212294412,11091987886514108149,131072 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1380,i,8093994030212294412,11091987886514108149,131072 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2008 --field-trial-handle=1380,i,8093994030212294412,11091987886514108149,131072 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=1380,i,8093994030212294412,11091987886514108149,131072 /prefetch:2
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3196 --field-trial-handle=1380,i,8093994030212294412,11091987886514108149,131072 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 --field-trial-handle=1380,i,8093994030212294412,11091987886514108149,131072 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3696 --field-trial-handle=1380,i,8093994030212294412,11091987886514108149,131072 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1324 --field-trial-handle=1380,i,8093994030212294412,11091987886514108149,131072 /prefetch:1
  2⤵
  PID:1052

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
194KB

MD5
ac84f1282f8542dee07f8a1af421f2a7

SHA1
261885284826281a99ff982428a765be30de9029

SHA256
193b8f571f3fd65b98dc39601431ff6e91ade5f90ee7790bfc1fba8f7580a4b0

SHA512
9f4f58ab43ddadad903cea3454d79b99a750f05e4d850de5f25371d5bec16fc312015a875b8f418154f1124c400ae1c82e2efd862870cd35c3f0961426c8cd82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
359B

MD5
186ee97e0b08bb825e3f4824f1efcbc8

SHA1
a3d233c560ec8b6ba8334e614fb508fdb2e4221a

SHA256
044cb451b9b88a51a1f9b812be65df69d1226e4988523864a39e3d39cf2b3fab

SHA512
af85ceb95f28d6966375d52ab66491ba0ad495b17f174db29aaaa513c29954d0f2038f189dd5e5e6b4c49ce8412b7348dae8978c2fadfdc8ee12dd97d8e5cac6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2fc4aee1cd7b1ae8d8435a46c9a1ec65

SHA1
6ed23b5e571e9669d8b364992f000c857ab9a17c

SHA256
0dd913791614a68b46d3702978d82752381f9d9f0874595e5a3f4c9cbae0fc24

SHA512
0d2974a92fc6d0084a3a48d9706344bf57cc878fe62ac545a4c0a7fde2465dfc2de5f14d770876060e934fbd376ce2db670f0305a0d9bb8b599c1d0ea1fcef60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit