Analysis
- max time kernel: 140s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/02/2024, 23:10
Static task: static1

Behavioral task: behavioral1
- Sample: NoEscape.exe/NoEscape.exe-Latest Version/NoEscape.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: NoEscape.exe/NoEscape.exe-Latest Version/NoEscape.exe
- Resource: win10v2004-20240221-en

Behavioral task: behavioral3
- Sample: NoEscape.exe/NoEscape.exe-Latest Version/vc_redist.x86.exe
- Resource: win7-20240221-en

Behavioral task: behavioral4
- Sample: NoEscape.exe/NoEscape.exe-Latest Version/vc_redist.x86.exe
- Resource: win10v2004-20240221-en
General
- Target: NoEscape.exe/NoEscape.exe-Latest Version/vc_redist.x86.exe
- Size: 13.1MB
- MD5: 1a15e6606bac9647e7ad3caa543377cf
- SHA1: bfb74e498c44d3a103ca3aa2831763fb417134d1
- SHA256: fdd1e1f0dcae2d0aa0720895eff33b927d13076e64464bb7c7e5843b7667cd14
- SHA512: e8cb67fc8e0312da3cc98364b96dfa1a63150ab9de60069c4af60c1cf77d440b7dffe630b4784ba07ea9bf146bdbf6ad5282a900ffd6ab7d86433456a752b2fd
- SSDEEP: 393216:S1RPq5dCsKSR65cX7Eyd/qnejOFxP7OEnl4L/Vvc:yP5iw56oyleej2OEnlwc
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid 3464, Process vc_redist.x86.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  description: Key created; ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\; Process: vc_redist.x86.exe
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\; Process: vc_redist.x86.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2540, Process msedge.exe
  pid 2540, Process msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target
  PID 2376 wrote to memory of 3464 / 2376 / vc_redist.x86.exe / 80
  PID 1244 wrote to memory of 3700 / 1244 / msedge.exe / 95
  PID 1244 wrote to memory of 2676 / 1244 / msedge.exe / 96
  PID 1244 wrote to memory of 2540 / 1244 / msedge.exe / 97
  PID 1244 wrote to memory of 3020 / 1244 / msedge.exe / 98
Processes
- C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"
  PID: 2376
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe" -burn.unelevated BurnPipe.{18E756E4-7EF3-4D2D-9581-E1979F191F1E} {D81854D0-EBA6-48EF-8732-AADB00BFA05C} 2376
    PID: 3464
    Signatures: Loads dropped DLL; Modifies registry class
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb8bbc075h7489h4c35ha52ch22dd20e4394c
  PID: 1244
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x40,0x12c,0x7ff9de6a46f8,0x7ff9de6a4708,0x7ff9de6a4718
    PID: 3700
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,13278283145772869260,16292043293982936606,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    PID: 2676
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,13278283145772869260,16292043293982936606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
    PID: 2540
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,13278283145772869260,16292043293982936606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3208 /prefetch:8
    PID: 3020
Network
MITRE ATT&CK Enterprise v15
Downloads