Analysis
max time kernel: 300s
max time network: 289s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 16/03/2024, 05:26

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://github.com/LocalAlloc/NO-ESCAPE
  Resource: win10v2004-20240226-en
Behavioral task: behavioral2
  Sample: https://github.com/LocalAlloc/NO-ESCAPE
  Resource: win11-20240221-en

General
Target: https://github.com/LocalAlloc/NO-ESCAPE
Malware Config

Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description       | ioc                                                                   | Process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description     | ioc                                                                                                         | Process
  Key created     | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                       | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133550404269458652" | chrome.exe
  (S-1-5-19 is the well-known SID of NT AUTHORITY\LOCAL SERVICE, so this is the LOCAL SERVICE hive under HKEY_USERS, not the sandbox user's own hive.)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid  | Process
  3760 | chrome.exe (2 entries)
  1704 | chrome.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  pid  | Process
  3760 | chrome.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                      | pid  | Process
  Token: SeShutdownPrivilege       | 3760 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3760 | chrome.exe
  (the two rows alternate for all 64 entries; every entry is pid 3760 chrome.exe)

Suspicious use of FindShellTrayWindow (26 IoCs)
  pid  | Process
  3760 | chrome.exe (26 entries)

Suspicious use of SendNotifyMessage (12 IoCs)
  pid  | Process
  3760 | chrome.exe (12 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                      | pid  | Process    | procid_target
  PID 3760 wrote to memory of 2544 | 3760 | chrome.exe | 80  (2 entries)
  PID 3760 wrote to memory of 1300 | 3760 | chrome.exe | 83  (repeated)
  PID 3760 wrote to memory of 1856 | 3760 | chrome.exe | 84  (2 entries)
  PID 3760 wrote to memory of 4272 | 3760 | chrome.exe | 85  (repeated)
  (64 entries in total; identical consecutive rows collapsed. Every target pid is a child of 3760 in the process tree below.)
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3760)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/LocalAlloc/NO-ESCAPE
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2544, child of 3760)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc35269758,0x7ffc35269768,0x7ffc35269778

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1300, child of 3760)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1252 --field-trial-handle=1848,i,2509171431258155612,15755573069231123989,131072 /prefetch:2

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1856, child of 3760)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1848,i,2509171431258155612,15755573069231123989,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4272, child of 3760)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1848,i,2509171431258155612,15755573069231123989,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4604, child of 3760)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=1848,i,2509171431258155612,15755573069231123989,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4136, child of 3760)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1848,i,2509171431258155612,15755573069231123989,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1140, child of 3760)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1848,i,2509171431258155612,15755573069231123989,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 440, child of 3760)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1848,i,2509171431258155612,15755573069231123989,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1704, child of 3760)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2364 --field-trial-handle=1848,i,2509171431258155612,15755573069231123989,131072 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 4224)
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
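Every signature in this report is attributed to chrome.exe pid 3760 (the browser the sandbox launched to open the URL) or to its gpu child 1704, and every WriteProcessMemory target (2544, 1300, 1856, 4272) is a child of 3760 in the tree above. Writes from a multi-process browser into the children it has just spawned are expected; writes into a process that is not the writer's child are what a triage step should surface. The following is an added example by the editor, not code from the tria.ge report: it parses rows in the report's flattened "PID X wrote to memory of Y X image procid_target" format and labels each writer/target pair against the process tree. The rows reproduce a subset of the report's entries; the last row, targeting pid 4224 (elevation_service.exe), is invented so the "foreign" branch is exercised, and the procid_target column is carried through but not used for classification.

```python
"""Correlate sandbox WriteProcessMemory rows with the reported process tree.

Added example (editor's code); sample rows and tree are transcribed from the
report, except the 3760 -> 4224 row, which is constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample of the report's flattened WriteProcessMemory rows.
WPM_ROWS = """
PID 3760 wrote to memory of 2544 3760 chrome.exe 80
PID 3760 wrote to memory of 2544 3760 chrome.exe 80
PID 3760 wrote to memory of 1300 3760 chrome.exe 83
PID 3760 wrote to memory of 1300 3760 chrome.exe 83
PID 3760 wrote to memory of 1856 3760 chrome.exe 84
PID 3760 wrote to memory of 4272 3760 chrome.exe 85
PID 3760 wrote to memory of 4224 3760 chrome.exe 99
""".strip().splitlines()

# Process tree from the report's Processes section: pid -> (image, parent pid).
# Top-level processes have parent None.
PROCESS_TREE = {
    3760: ("chrome.exe", None),
    2544: ("chrome.exe", 3760),   # crashpad-handler
    1300: ("chrome.exe", 3760),   # gpu-process
    1856: ("chrome.exe", 3760),   # utility: NetworkService
    4272: ("chrome.exe", 3760),   # utility: StorageService
    4604: ("chrome.exe", 3760),   # renderer
    4136: ("chrome.exe", 3760),   # renderer
    1140: ("chrome.exe", 3760),   # utility: ProcessorMetrics
    440:  ("chrome.exe", 3760),   # utility: UtilWin
    1704: ("chrome.exe", 3760),   # gpu-process (software GL)
    4224: ("elevation_service.exe", None),
}

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_rows(rows):
    """Return (writer_pid, target_pid, writer_image, procid_target) per row.

    The writer pid appears twice in each flattened row (in the description and
    in the pid column); the two are cross-checked to catch mangled rows.
    """
    events = []
    for row in rows:
        m = ROW_RE.fullmatch(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        writer, target, writer_col, image, procid = m.groups()
        if writer != writer_col:
            raise ValueError(f"writer pid mismatch in row: {row!r}")
        events.append((int(writer), int(target), image, int(procid)))
    return events


def classify(events, tree):
    """Group events by (writer, target) and label each pair.

    'child'   target's parent is the writer: normal for a browser initialising
              the child processes it has just created
    'foreign' target is known but is not the writer's child: cross-process write
              that deserves a closer look
    'unknown' target pid does not appear in the tree at all
    Returns {(writer, target): (label, count, target_image)}.
    """
    counts = Counter((w, t) for w, t, _, _ in events)
    result = {}
    for (writer, target), n in counts.items():
        if target not in tree:
            label, image = "unknown", "?"
        else:
            image, parent = tree[target]
            label = "child" if parent == writer else "foreign"
        result[(writer, target)] = (label, n, image)
    return result


def flagged_targets(events, tree):
    """Target pids whose writes were not parent-to-child, sorted."""
    return sorted(t for (_, t), (label, _, _) in classify(events, tree).items()
                  if label != "child")


if __name__ == "__main__":
    ev = parse_rows(WPM_ROWS)
    for (w, t), (label, n, image) in sorted(classify(ev, PROCESS_TREE).items()):
        print(f"{w} -> {t:<5} {image:<22} x{n:<3} {label}")
    print("flagged:", flagged_targets(ev, PROCESS_TREE))
```

With the report's real rows every pair comes out as "child", which is the concrete reason the 64 WriteProcessMemory IoCs here are browser noise rather than injection; the constructed 4224 row is the shape a finding would take if a non-child target ever appeared.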
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
  MD5:    193b36f4356846390effef79e6e0ff8c
  SHA1:   a5466c207fc17799caadab41b517194a218d6f70
  SHA256: e69889c2fb484235cd544da26e3794543b3b6c922bd94ad1e93d071e4c90974d
  SHA512: 8f75c252728ca45a0561c16eb4e25960e176f7401ba0f1be76012558364019cd45dd2e8bfb1acec74410cbd2796a0b06b9c05709d7d8a81a40032f1f8b3b4ec9

Filesize: 1KB
  MD5:    88b99747d1968cc6f83214a1b8d71f15
  SHA1:   b385968f1d99ea10cb15ab44acce1c5e487addff
  SHA256: 85d34efc72efc9ffb8162141dd1c9c8709d5139ca568db0c9dd949080cab1a90
  SHA512: 0720b1d61e46a5ebcfa25f197de65536c4f53d91fafffc41c27393a07706a1a302327e456b2df82569e4e17fc66a0e5822c24453e3e65c4affd606f35b679029

Filesize: 1KB
  MD5:    b25f5db1618d7964e3d431dc25941c07
  SHA1:   fb207f80130b6c7d49834fde6339af42af77785f
  SHA256: 53a9159f5106694b57a73d87d85e0b01c88ca7bc8e2730cd27d2f79a075a926d
  SHA512: 10a6c68146137336c099c53a89683825f89629ae2a9a7f88c315f6432b1353823996c3191c6970a1a2da990e4bcb745abd22843e8c74bcaa94baeb55b7db5328

Filesize: 1KB
  MD5:    0184ed58277f7d606fd4f55e9e83b5ea
  SHA1:   1004e88f02f4b31ee683cb290dc67c26ffa999d4
  SHA256: f5bb41943aa45fe88836a7cd644cf72410c2c811764437c3079890c8bfbc32a1
  SHA512: f4d96b1fe0e5c8215c0327a6fa672a2a83b1d24fed541ad2307234b285aa4cfe35289718da6774cec68f8b78917f6a9fbe3a42c20d3fe67efe65fc293268868d

Filesize: 6KB
  MD5:    13bff3bf37543b90bbfaeed4cc32753e
  SHA1:   2cf5635b9f1b119edd16f41f89b071df8ec63691
  SHA256: b0726a58feb9939cb7b4355b52db1a933908d9de5905617d3c95a3a1b2840ad7
  SHA512: 716759ab406476ffb112ea269458dc7d1693a6e822f08ad46be04f4012ecc7a9c2521d78de70a5f6cca6f2a9a3766c9409e675427863f60ff3f3677654a4cfcb

Filesize: 130KB
  MD5:    113f2f54ef11b814e6b96cdc1b043a78
  SHA1:   49ad85977fdfb61615e671e3a22b9d52ef313f35
  SHA256: 1b54b5ef5db7f7c8f4687da59935bc49692d49cb4dfd09b99e23526eae667939
  SHA512: 6e63355b4ad962b18ab914add136ac9b6f109a85a21c6505548cdf91d4fb0e4862cfe78b1d1d579b0fa0cb9cb92dd59dae1afe3c0f9b5d9bcd804a158c503946

Filesize: 2B
  MD5:    99914b932bd37a50b983c5e7c90ae93b
  SHA1:   bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
  (These are the digests of the two-byte string "{}", an empty JSON object.)
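A sandbox report lists digests but not contents, and for very small artifacts the contents can usually be recovered by hashing a handful of constant candidates and comparing against every listed digest. The block below is an added example by the editor, not part of the tria.ge report: it takes the four digests of the 2-byte download above and tests them against constructed candidate payloads (empty JSON containers, blank file, line endings), requiring the size and all four digests to agree before accepting a match.

```python
"""Identify a tiny sandbox download by hashing candidate constant contents.

Added example (editor's code). The digests below are copied from the report's
Downloads table; the candidate payloads are constructed for this example.
"""
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Size and digests of the 2-byte artifact as the report lists them.
REPORTED_2B = {
    "size": 2,
    "md5": "99914b932bd37a50b983c5e7c90ae93b",
    "sha1": "bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f",
    "sha256": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
    "sha512": "27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9"
              "a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd",
}

# Constructed candidates: short constant payloads a browser commonly writes
# into its profile directory.
CANDIDATES = {
    "empty JSON object": b"{}",
    "empty JSON array": b"[]",
    "empty file": b"",
    "single newline": b"\n",
    "CRLF": b"\r\n",
}


def digests(data: bytes) -> dict:
    """Compute the four digests the report lists, as lowercase hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def identify(reported: dict, candidates: dict):
    """Return the label of the candidate whose size and all digests match, else None.

    Size is checked first so hashing only runs over plausible inputs; requiring
    every digest to agree means a transcription error in any one column (or a
    deliberately colliding MD5) cannot produce a false identification.
    """
    for label, data in candidates.items():
        if len(data) != reported["size"]:
            continue
        computed = digests(data)
        if all(computed[alg] == reported[alg].lower() for alg in ALGORITHMS):
            return label
    return None


if __name__ == "__main__":
    print(identify(REPORTED_2B, CANDIDATES) or "no candidate matched")
```

The same loop works for the other downloads once plausible candidates exist (a known Chrome profile file, for instance); for the four 1KB, 6KB and 130KB artifacts the report gives no content, so nothing is asserted about them here.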