hxxps://example[.]com

Resubmissions

12-03-2024 13:45

240312-q2wklacc35 10

12-03-2024 13:33

240312-qtvy4ahh7z 10

Analysis

max time kernel
227s
max time network
234s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 13:33

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://example.com

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

NoEscape.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NoEscape.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

NoEscape.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

NoEscape.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 2 IoCs

Processes:

NoEscape.exe

description ioc process

File created C:\Windows\winnt32.exe NoEscape.exe
File opened for modification C:\Windows\winnt32.exe NoEscape.exe

description	ioc	process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "117"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Modifies registry class 2 IoCs

Processes:

msedge.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{AFA00F20-FBA6-4747-9F02-745BC7FF8E4B}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

shutdown.exefirefox.exe

description	pid	process
Token: SeShutdownPrivilege	7080	shutdown.exe
Token: SeRemoteShutdownPrivilege	7080	shutdown.exe
Token: SeDebugPrivilege	3404	firefox.exe
Token: SeDebugPrivilege	3404	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

3404 firefox.exe
3404 firefox.exe
3404 firefox.exe
3404 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3404 firefox.exe
3404 firefox.exe
3404 firefox.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

firefox.exeLogonUI.exe

pid process

3404 firefox.exe
6392 LogonUI.exe

pid	process
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe

pid	process
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe

pid	process
3404	firefox.exe
6392	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exe

description	pid	process	target process
PID 3404 wrote to memory of 3668	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3668	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 3692	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 1664	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 1664	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 1664	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 1664	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 1664	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 1664	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 1664	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 1664	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 1664	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 1664	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 1664	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 1664	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 1664	3404	firefox.exe	firefox.exe
PID 3404 wrote to memory of 1664	3404	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://example.com
1⤵
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5128 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5216 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:2640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5748 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:4204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3404.0.1268193872\1287608587" -parentBuildID 20221007134813 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55be9ae0-9dbe-4303-9309-1f5f1a73cda7} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" 1880 27f7ece1e58 gpu
2⤵
PID:3668

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3404.1.1742981366\918616449" -parentBuildID 20221007134813 -prefsHandle 2280 -prefMapHandle 2276 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df04b745-010e-4149-991e-5541f1b03b0c} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" 2288 27f7736fe58 socket
2⤵
PID:3692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3404.2.925438233\1577421731" -childID 1 -isForBrowser -prefsHandle 3144 -prefMapHandle 3140 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af7e1586-3ff3-44a7-b027-6fa97fcfe842} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" 3152 27f07643758 tab
2⤵
PID:1664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3404.3.1925996067\2098215489" -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3556 -prefsLen 20929 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b17e817a-c952-4510-86b6-35c95676ab0c} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" 3572 27f07cf9858 tab
2⤵
PID:3576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3404.4.1711411081\608087962" -childID 3 -isForBrowser -prefsHandle 3676 -prefMapHandle 3672 -prefsLen 20929 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8781972a-7197-4b8e-aa25-83a7b5eef17f} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" 3688 27f07cf7758 tab
2⤵
PID:452

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3404.5.1671239054\102467437" -childID 4 -isForBrowser -prefsHandle 3404 -prefMapHandle 3432 -prefsLen 20929 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fce8bdf-1a1b-4837-afd2-3696b3990a5d} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" 3820 27f07cf8058 tab
2⤵
PID:4564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3404.6.785202906\1803750244" -childID 5 -isForBrowser -prefsHandle 4408 -prefMapHandle 4404 -prefsLen 26340 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a74bcb23-6d56-42d0-a72a-80cdc00dbf53} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" 4416 27f08aaa858 tab
2⤵
PID:6184

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3404.7.15581276\2106219255" -childID 6 -isForBrowser -prefsHandle 5040 -prefMapHandle 4932 -prefsLen 26399 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6cfa87c-e962-45a2-bc2e-34c6a2e0f507} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" 5032 27f09d9e358 tab
2⤵
PID:6924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5508 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:3896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=3768 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:1080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6292 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=4932 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:5860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6196 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:5664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6072 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6212 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4652 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6384 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:2480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=3824 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=5148 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6788 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:6384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=5456 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:6404

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:7156

C:\Windows\system32\shutdown.exe
shutdown .a
2⤵
PID:6936

C:\Windows\system32\shutdown.exe
shutdown /a
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4604 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:6752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=3784 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:6372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5612 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:5696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:444

C:\Users\Admin\Desktop\NoEscape.exe
"C:\Users\Admin\Desktop\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
PID:3340

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3890855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:6392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
24d99bc007e925514ed3bd8f4d4ac769

SHA1
dd9e0a5003e6e84ab0227c2fd87e5a3cac051253

SHA256
dadfb06c280e22bdbdb912c52fbc485cb9bc32a5e80c16c3bc0f706acf03366b

SHA512
3075da7ee2b61651bb56c3a144418cab0769a19cce2ba6867b39b76a3be49e5628f7e3e1c7a13337307ddf3cf39fabc09b08103535ef1f670972af30112e7676

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\datareporting\glean\pending_pings\030fd96c-f1e1-42e0-816d-219ab0a1114e

Filesize
11KB

MD5
9d97680a17c0b0eb5db4ac723e7e0803

SHA1
cddc249f34706e653553a075b8d6f95550279eb7

SHA256
e2bab8a04d3ebcd3576f4f7fb0201e04116b61d3ef4edb5054d3dd52c4122f29

SHA512
ce13af8123fdfa72076842c414de5a4c06845c81dfb72aac80e3eb3e74095cadb870a0dd85c70b2d1610c769c0282a5a66e93ae6d223850b0f1aea29c74b6860

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\datareporting\glean\pending_pings\bbca5d85-1ea3-4791-89b4-9aaba83bb47c

Filesize
746B

MD5
04884089507149272600d2b5f84118fa

SHA1
cf221cec149b42aab633e09b2188e41edb6c1709

SHA256
cd5d1bccd2f5cb98aeaa681f6bea5ea3a2e06e2cb4207293105632bebb38bb87

SHA512
fd591e97f4baaaf134daa5f0dd15c61d3eed80b5f26c2fa0c540fca8eb696ca00202d2c9f29857f431695c775092c8f3f74beb12220b620eedc6c522257d194a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\prefs-1.js

Filesize
6KB

MD5
00c2e95f9d3fe8cbddbaeb132a0b418c

SHA1
0dc53f7fdd54e942a702cf4ed5d09dee10abf602

SHA256
8d405fb1728391c9a16b79600b05fbc9fdf6792ceffce9fd46145f9cbfab8a9d

SHA512
624600a75803d0f557544b96afd28998217d92c01fba89b1ff19483f3ada1c2e390f41973fac87d158415d6a4e7c63b25ca0bc70c8ff599dbfe200ab8036ea67

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\prefs.js

Filesize
6KB

MD5
6c8d3f1f783dd782a6c2190f4b113d13

SHA1
d4900563438c840316edb45978576635ffd35a25

SHA256
7ea47462fdd610b56fab86bc38cba1f9907067559865b88bda6e5d759ffe83da

SHA512
d4b9d842e3a3a13d17fb7d336d39d8b322aca1cab63619c974540f69090e292ba18aaed8f101ef4e2895bacd14385a0f89c62e6843aa6900c4551f2cb394ffb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\prefs.js

Filesize
6KB

MD5
6af2e9a7c2efe7fc730a250712552942

SHA1
f22535f72dc8be98bf8ef601e855d3ba13c922b8

SHA256
ed1f774efda8af7b2a5866714dc7651abf04376d191ad9ccd0cb8e9a39aa6f9c

SHA512
bb5bb9859202bbea5f1c2fb8823ee8ae236552353fd9cdba0551034c5e6d693fbf1c3cdad470f86d8cd04ac541b6260ccb718a51a919d96b38962540a1906f19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
272B

MD5
ef5c113ff6045266949d2270071029ce

SHA1
f6599ba0e2659458e5f17f5f8f8d627876f9bd23

SHA256
c86bd802be3c458d3ef3ed226afabaee508367c2ebe3300e89191d2a08910852

SHA512
a8e2625a9e3802bc13e8561b4eaaaf75deab626c46913b4de0bc1fcd415e45053312248f8089498dba7083c24ea2e677b5bab328bbf9be093d97f8919284405f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
0bab716ba04679d6f810690ee241d176

SHA1
80a6be2b6f817382dfee6f3e7180681a35135f88

SHA256
dc05f36b15565617e9203490f991ae802357bb0b349d333d77c40171622141b0

SHA512
217d0093eb40d4ef1d5ea055ad6f724d949313f1f36ae5e95a449bb69099566a7d00960f41021a606ce3661a210556e31ec5595432081c6aa15b0dc74fa736eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\sessionstore.jsonlz4

Filesize
839B

MD5
4508243658b9d5173291d0457a0497cf

SHA1
a3a40600d017ba784040aa216561747ccdb1dddd

SHA256
2583bb414ce6ad958717b0e6b4bf2cf5313e9fe16e0bdad710a868ad853b5062

SHA512
7801c86bd3ea5ac813e182261e1370431107f3d8a7767571a7c00c12ef837515b4e7ee3030316f9d4b0b3447b08db46489d0c30fb4e228231fb9586584d2cf56

Download Submit
C:\Users\Public\Desktop\⊮ⳓ໼⒕्⹞ⵢ੉⻴ෛⲹ⵮⟐₾ ්୼⁡ᗃ܊ᦽ⅖⭶࿇ᩤ◫⚶

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/3340-123-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/3340-300-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/3340-124-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads