542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoEscape.exe/NoEscape.exe-Latest Version/vc_redist.x86.exe
Size

13.1MB
MD5

1a15e6606bac9647e7ad3caa543377cf
SHA1

bfb74e498c44d3a103ca3aa2831763fb417134d1
SHA256

fdd1e1f0dcae2d0aa0720895eff33b927d13076e64464bb7c7e5843b7667cd14
SHA512

e8cb67fc8e0312da3cc98364b96dfa1a63150ab9de60069c4af60c1cf77d440b7dffe630b4784ba07ea9bf146bdbf6ad5282a900ffd6ab7d86433456a752b2fd
SSDEEP

393216:S1RPq5dCsKSR65cX7Eyd/qnejOFxP7OEnl4L/Vvc:yP5iw56oyleej2OEnlwc

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3464	vc_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	vc_redist.x86.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	vc_redist.x86.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2540	msedge.exe
2540	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 3464	2376	vc_redist.x86.exe	80
PID 2376 wrote to memory of 3464	2376	vc_redist.x86.exe	80
PID 2376 wrote to memory of 3464	2376	vc_redist.x86.exe	80
PID 1244 wrote to memory of 3700	1244	msedge.exe	95
PID 1244 wrote to memory of 3700	1244	msedge.exe	95
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2676	1244	msedge.exe	96
PID 1244 wrote to memory of 2540	1244	msedge.exe	97
PID 1244 wrote to memory of 2540	1244	msedge.exe	97
PID 1244 wrote to memory of 3020	1244	msedge.exe	98
PID 1244 wrote to memory of 3020	1244	msedge.exe	98
PID 1244 wrote to memory of 3020	1244	msedge.exe	98
PID 1244 wrote to memory of 3020	1244	msedge.exe	98
PID 1244 wrote to memory of 3020	1244	msedge.exe	98
PID 1244 wrote to memory of 3020	1244	msedge.exe	98
PID 1244 wrote to memory of 3020	1244	msedge.exe	98
PID 1244 wrote to memory of 3020	1244	msedge.exe	98
PID 1244 wrote to memory of 3020	1244	msedge.exe	98
PID 1244 wrote to memory of 3020	1244	msedge.exe	98
PID 1244 wrote to memory of 3020	1244	msedge.exe	98
PID 1244 wrote to memory of 3020	1244	msedge.exe	98
PID 1244 wrote to memory of 3020	1244	msedge.exe	98
PID 1244 wrote to memory of 3020	1244	msedge.exe	98
PID 1244 wrote to memory of 3020	1244	msedge.exe	98
PID 1244 wrote to memory of 3020	1244	msedge.exe	98
PID 1244 wrote to memory of 3020	1244	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
"C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
  "C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe" -burn.unelevated BurnPipe.{18E756E4-7EF3-4D2D-9581-E1979F191F1E} {D81854D0-EBA6-48EF-8732-AADB00BFA05C} 2376
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:3464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb8bbc075h7489h4c35ha52ch22dd20e4394c
1⤵
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x40,0x12c,0x7ff9de6a46f8,0x7ff9de6a4708,0x7ff9de6a4718
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,13278283145772869260,16292043293982936606,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,13278283145772869260,16292043293982936606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,13278283145772869260,16292043293982936606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3208 /prefetch:8
  2⤵
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6fbbaffc5a50295d007ab405b0885ab5

SHA1
518e87df81db1dded184c3e4e3f129cca15baba1

SHA256
b9cde79357b550b171f70630fa94754ca2dcd6228b94f311aefe2a7f1ccfc7b6

SHA512
011c69bf56eb40e7ac5d201c1a0542878d9b32495e94d28c2f3b480772aa541bfd492a9959957d71e66f27b3e8b1a3c13b91f4a21756a9b8263281fd509c007b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d19e5127-9ee7-44f1-8916-a3faa935ba27.tmp

Filesize
6KB

MD5
8f0d3b9ec7f6ca94ead8b7d3231155dc

SHA1
bccb75672d46d1ec2a2773c1cd790c0c0e13901b

SHA256
4f70298415373c6d40c92b571cce6178960ae46bf8a52bf213a70e45d8c2117c

SHA512
327719a7f942b539c058c5438a83f6af24ff8f5583f31a7c904840bc9b0eebd03fc949dd31e9a4b1fe6e4a63069bb5b1dbcff67a9c6623f1d75557a15138ac5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
9a9b78cc223d249bcff30150afa5cfb4

SHA1
806659a2567d0c696fe427fe57026cfd3e397c8e

SHA256
41c78c237173098a4673d4e68b82146b8ab17db759d8d5d0c48812f104565851

SHA512
9514577537c7137b608b765c36a48adedc64614162c149ff740b3d015215e730f9f6da13e06b3a1ad944d74e7f672973dfcb9b7bc74dc61de667a1096cc0f848

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit