hxxp://github[.]com

Resubmissions

22/02/2024, 10:07

240222-l5p5rsgb36 1

22/02/2024, 10:03

240222-l3ntxsfe51 10

Analysis

max time kernel
101s
max time network
113s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
22/02/2024, 10:03

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://github.com

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2356	NoEscape.exe
4884	NoEscape.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
25	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = "0"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	NoEscape.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Control Panel\Mouse	NoEscape.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Control Panel\Mouse\SwapMouseButtons = "1"	NoEscape.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Control Panel\Desktop	NoEscape.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Control Panel\Desktop\AutoColorization = "1"	NoEscape.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "212"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoEscape.exe:Zone.Identifier	chrome.exe
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1976	chrome.exe
1976	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4508	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2244	1976	chrome.exe	80
PID 1976 wrote to memory of 2244	1976	chrome.exe	80
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 3264	1976	chrome.exe	82
PID 1976 wrote to memory of 4192	1976	chrome.exe	83
PID 1976 wrote to memory of 4192	1976	chrome.exe	83
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84
PID 1976 wrote to memory of 4412	1976	chrome.exe	84

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	NoEscape.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://github.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7ff9ac2e9758,0x7ff9ac2e9768,0x7ff9ac2e9778
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1836,i,1359608151421004673,7033320699357933691,131072 /prefetch:2
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1836,i,1359608151421004673,7033320699357933691,131072 /prefetch:8
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2160 --field-trial-handle=1836,i,1359608151421004673,7033320699357933691,131072 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1836,i,1359608151421004673,7033320699357933691,131072 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1704 --field-trial-handle=1836,i,1359608151421004673,7033320699357933691,131072 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1836,i,1359608151421004673,7033320699357933691,131072 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=1836,i,1359608151421004673,7033320699357933691,131072 /prefetch:8
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1836,i,1359608151421004673,7033320699357933691,131072 /prefetch:8
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1836,i,1359608151421004673,7033320699357933691,131072 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1536 --field-trial-handle=1836,i,1359608151421004673,7033320699357933691,131072 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4860 --field-trial-handle=1836,i,1359608151421004673,7033320699357933691,131072 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1836,i,1359608151421004673,7033320699357933691,131072 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=1836,i,1359608151421004673,7033320699357933691,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4620 --field-trial-handle=1836,i,1359608151421004673,7033320699357933691,131072 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5012 --field-trial-handle=1836,i,1359608151421004673,7033320699357933691,131072 /prefetch:8
  2⤵
  PID:4340
- C:\Users\Admin\Downloads\NoEscape.exe
  "C:\Users\Admin\Downloads\NoEscape.exe"
  2⤵
  - Executes dropped EXE
  PID:2356

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5116

C:\Users\Admin\Downloads\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- NTFS ADS
- System policy modification
PID:4884

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3974055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
657ed1b9ac0c74717ea560e6c23eae3e

SHA1
6d20c145f3aff13693c61aaac2efbc93066476ef

SHA256
ff95275ab9f5eadda334244325d601245c05592144758c1015d67554af125570

SHA512
60b6682071ade61ae76eed2fe8fa702963c04261bd179c29eed391184d40dc376136d3346b3809b05c44fb59f31b0e9ab95f1e6b19e735234d1f0613720e532f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003

Filesize
49KB

MD5
4b4947c20d0989be322a003596b94bdc

SHA1
f24db7a83eb52ecbd99c35c2af513e85a5a06dda

SHA256
96f697d16fbe496e4575cd5f655c0edb07b3f737c2f03de8c9dda54e635b3180

SHA512
2a3443e18051b7c830517143482bf6bffd54725935e37ee58d6464fac52d3ce29c6a85fc842b306feaa49e424ba6086942fc3f0fea8bb28e7495070a38ce2e59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
43KB

MD5
8d1ef1b5e990728dc58e4540990abb3c

SHA1
79528be717f3be27ac2ff928512f21044273de31

SHA256
3bdb20d0034f62ebaa1b4f32de53ea7b5fd1a631923439ab0a24a31bccde86d9

SHA512
cd425e0469fdba5e508d08100c2e533ef095eeacf068f16b508b3467684a784755b1944b55eb054bbd21201ba4ce6247f459cc414029c7b0eb44bdb58c33ff14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
23KB

MD5
bc4836b104a72b46dcfc30b7164850f8

SHA1
390981a02ebaac911f5119d0fbca40838387b005

SHA256
0e0b0894faf2fc17d516cb2de5955e1f3ae4d5a8f149a5ab43c4e4c367a85929

SHA512
e96421dd2903edea7745971364f8913c2d6754138f516e97c758556a2c6a276ba198cdfa86eb26fe24a39259faff073d47ef995a82667fa7dee7b84f1c76c2b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
62728269e9555249fc0c0c108206dc14

SHA1
34619451a426ab33b1f7455a7763d60021bab1fb

SHA256
dd010ee180246951d0912af0ad76c1192a0a660c85765e0000ca687b02399900

SHA512
fddc7defa5e9598f2a412ed13b490d6938d997f3ad572c96466b8f816b96b1cd6d335390fcdf9c5afb6f87220005f7b8930572360f032b76dc7759c38f988c6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4f076911760810f98b9c2a22cafd056c

SHA1
e3b7ce2f008cbd1b844b806c003619b4c5a29443

SHA256
1609f6c8d7ff4311a40fbf9688ae84b172fd7d09decd526e94c859111cb4b278

SHA512
7a280a36c12beab1dc827869340c22051f0e3c6398b72f2e5df3656344e407c526c5bef36f4af6aa2164ec4417a085890281be2efb5ff76ecdaaed55bf9104eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2da017fb535f629b5061609357f8073d

SHA1
41b40e2207af04d10db5322287653c1821236ff0

SHA256
b3ec19534a9aa0615c804b70749e538f432d439583973e2388c33dd5b6905803

SHA512
27ca25e12da14d014c98c226dbdd13dbdf5e3a67c15c1a73b224bae43003c8ad88ef9511ab226153ad4bcf6d96df158cb99a4d40e0821d092ec0bf2ce4185e59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ba27c2b7cc5689939005ffd4c659a1b5

SHA1
d220829f680efc8eb0e480627027257997e05419

SHA256
e75687778063cd634d4532ea70a1cb0028375efa46c2e6cb2ffdc5f7b4e8c577

SHA512
c6801b6f08aca0ac2c1df7a3042a2387bf4473514ce9228831289756cf771e0730871109200eae84ec008d1b0dbc91fb4512e242e5201fcada5a928ac4556e67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
390162ff07def86d9572731467edaa49

SHA1
6e863acb9ed8ac892fc877aa00686d99fc2f5eb9

SHA256
fe647c44c5e7604685a405b9cc4f62ab23a3ec23694c37bf20808f8a826788da

SHA512
b21cf664c4bb7cb3516768dca31af57f9882f7bb698d1604c3e2eb8a12b9e5c23a1252b5a0325b63aadd68814642740ab68ea531d2c45f28a89ba81b1f6e583f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c7fca675a2b2a8ac0e3259582e3d3433

SHA1
6b14088317d32cb178f4e900d0fc2bd2477f8b7d

SHA256
499d2346b374205109e33f25ac000642436578927cc35122c1020de63b497573

SHA512
a38093b18c8ce97f682f5ebd249de1e441712547ff1a9fbb851b1658d1a250cf49fafee642f3d6d2963206213f58cdd038fb49ddf9f982b8db0fd200c432bf66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
522fa54d5754992e37b4e69b4568c760

SHA1
14bf56d0c0bea89b30266ecfdedd047732b66ce3

SHA256
551f95caad1b232d29e4c9849fd71a861ceb9367a6923c24de6a35c6ffa9fcf1

SHA512
de49e193ca7cbfb6ca69d394dea059fc10173df510595bb14f26e7bfaf53efa0b5f1c04c4da6fa45180d6d94398ab855d782f27043bb0d7292b7962666e6ecea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4a72547324cb44333e2f98e8a1f0628d

SHA1
37a86c1e7e64ce164eb4a3bd8d154ea9f002a54c

SHA256
7b2fe9686de397edb29897589ab67c52cc4eecfd16dc496fbb00cbbb40a5532f

SHA512
da591dd198139d6fdc82be5cb44d0a37d3b68f82416c75368c0a4be5839abcf5da514c7e61b782b724b94fd7d2597456763c1b0f4a26e4afce38599eb7207a6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4bb5a13099ba9038d66a193a504926bd

SHA1
79b6c4fbf3ea57612fa49f3bf98c0a8333960753

SHA256
c948c32caa644917f9b2e13d1861372a7281ae1c8aee7ed26b26777b65fcb1a3

SHA512
ba395a223b47a950009e0c718aaa3e9dc1a547cb95e4942f0dbbb37c107d2937c6bdc05efa90122e985eae7c5791efefbd7b453f8b966c60107272291edfb6d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
942bde487922ddbbeeb8a0095d4008ab

SHA1
1d92f5a69b341b7a7d6a8c268fd12e16207c394a

SHA256
9642dc2fe34d0a0895ff4b866e4f3b4536aea0bc3cd1e8664efe8c7df272bef7

SHA512
e938586cd0afe22bdd19090adbb5cb6c4af14774d3f3811d4afdb38541e1f399d0888f9552fa74c2c166d20a75db423e7cbc9d1ff58af774257d81db9b48c9fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
904e25d619efe7d424640fd6103f55ea

SHA1
b5896797fb491bdb0cdd48cfe929bdf1cbc487b6

SHA256
516ee217559473e833b6d4aa17c9ea65f16e502c36d23c40a7c8c6fee80511ad

SHA512
a3e5a033fc61faa6d06ba7c10c25eea9ab5d5ead1a053220e80b4100a32b8c16b7a029f3b39bc428889c73cfc8345485ec00a51e4584ce5f76f1f1eacd41dec1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3c53132826d0963213afe78fa54a4773

SHA1
6893fdb9fbd2766156a5d49eacb33c75b7d1fac9

SHA256
3e36dc63c36d8c02cffdd080d9f36adc02f0b037e9b8014a7a8f5330508ac2db

SHA512
be5827f560581f9dd8df26538baaac617bef2a738c07cca13513bed6a29397b12ec9947771e4634efa2ecd0f0d55cd43173f765b77b0546f92c842f8b0af1037

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ed257685377caf66f54df2a028d97de4

SHA1
324ef71fc55c247d9a7b3d832d5c532692dbf71a

SHA256
b94ad2d2adb3129d41c45345c1774b977e94b1abdec289f03ff99c4052c377bc

SHA512
01b830849936dedb5179b504f124c954b2190eda069130e463d5e672d61fd94d97f0fd5ed9099beb0fefacb7a84d17ef853959cbddebdc8d56a8c063abf7daf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
4f854483604ecc672c1e510a94dd7383

SHA1
79102828e6fefaed0d73ba5a51980ee4d90eecbe

SHA256
6c0707469a1ccc10d2e8bbe47f74da1937aa12dcb37ed56504d6cac2efe05c66

SHA512
5601478440fdcfb70590ddffbfa3260595d7e6a2c52248021a85b5a9caa003c2d20af2fce7501c2b92e53998c384487cdc31d185d1d6c165c81ab79285726da8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
2e96875e03b428ceda36d6236bacd9e0

SHA1
fc97942ed3dc37171b8a3507d9f260732e937719

SHA256
9511cceb424ed383aaefa6ed731ec220e6a24190f9f50f1345c3170e0bacf048

SHA512
5d2bf4847bd2572f8cb58dccd6141b6818ca705b3fc65e8cc4a95c6dd14c62ad52202b5e594af6a5a7cec99892b6da8608a616311947dfd086a687b2d96f8254

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
76bc839d47432e692815bfe2022b0b17

SHA1
fdab7b4b8337c0a617379b9be9314df5b3208628

SHA256
1153f9125cb55606650d19fe37fe22361855efa33db41e16db743885da51e886

SHA512
550a546657872cc45baf33889801220e79f7889296a2e52a71250b5b87d8452f63cfe06469e9662342aa16447e5694d33665dacaad39af03205c83d0010dc6ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe590517.TMP

Filesize
89KB

MD5
6178a24526eb45141e48be371292abf4

SHA1
45edbbb65d17e095312134a5b7a49271a276b870

SHA256
9bb066d064c3e87b79078bc70b171a9c3568318ff267981b0acc2afc4d7b71d1

SHA512
a1b99d31eb10ee473013cf78fa83d521457a5326a5fbedc7561dfd2b8cf5b3f73e93a77243495ea4e3228c32f5c3e4db542cba3eba15a920c155ea9daf54f58c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe

Filesize
666KB

MD5
989ae3d195203b323aa2b3adf04e9833

SHA1
31a45521bc672abcf64e50284ca5d4e6b3687dc8

SHA256
d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f

SHA512
e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Public\Desktop\ܰ℗ၾ⾞᩺⎚⟙ࠓ⑨〕ᡰ⤙ຣ⯶ᖚਞᢂـຯᅷῂգ⿅⮕ⱽԹ༒ᄱ₈ೣୱ

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/2356-462-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2356-477-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2356-452-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/4884-504-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/4884-681-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads