Overview

overview

10

Static

static

3

000.exe

windows7-x64

000.exe

windows10-2004-x64

Ana.exe

windows7-x64

8

Ana.exe

windows10-2004-x64

Bad Rabit.exe

windows7-x64

10

Bad Rabit.exe

windows10-2004-x64

10

D34TH 2.0 .bat

windows7-x64

8

D34TH 2.0 .bat

windows10-2004-x64

8

DDOS.bat

windows7-x64

3

DDOS.bat

windows10-2004-x64

7

Desktop Puzzle.exe

windows7-x64

1

Desktop Puzzle.exe

windows10-2004-x64

1

Memz.exe

windows7-x64

6

Memz.exe

windows10-2004-x64

7

NoEscape.exe

windows7-x64

1

NoEscape.exe

windows10-2004-x64

Phantom Crypter.bat

windows7-x64

8

Phantom Crypter.bat

windows10-2004-x64

8

WannaCrypt0r.exe

windows7-x64

10

WannaCrypt0r.exe

windows10-2004-x64

10

infinite locker.bat

windows7-x64

7

infinite locker.bat

windows10-2004-x64

7

Resubmissions

19-04-2024 11:45

240419-nw88dsag38 10

19-04-2024 11:43

240419-nv23pabf2x 3

19-04-2024 10:25

240419-mf6a5agh7t 10

Analysis

  • max time kernel
    10s
  • max time network
    13s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 10:25

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-19T10:26:14Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_8-dirty.qcow2\"}"
Report Analysis Logs

General

  • Target

    NoEscape.exe

  • Size

    666KB

  • MD5

    989ae3d195203b323aa2b3adf04e9833

  • SHA1

    31a45521bc672abcf64e50284ca5d4e6b3687dc8

  • SHA256

    d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f

  • SHA512

    e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305

  • SSDEEP

    12288:85J5X487qJUtcWfkVJ6g5s/cD01oKHQyis2AePsr8nP712TB:s487pcZEgwcDpg1L2tbPR2t

Score
10/10
evasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 2 IoCs
  • Modifies WinLogon 2 TTPs 3 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • System policy modification 1 TTPs 5 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\NoEscape.exe
    "C:\Users\Admin\AppData\Local\Temp\NoEscape.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Disables RegEdit via registry modification
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Modifies WinLogon
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • System policy modification
    PID:1916
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3941055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2812

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Winlogon Helper DLL

2
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Winlogon Helper DLL

2
T1547.004

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Modify Registry

5
T1112

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Desktop\ᨅ౺޿᠅ᔪᵔᒍ᫛ཀ⛬⨙૿ⅶᖧୄᮺ❊᷼ᒡ⹐⣓݆」࿲⛮ᰅⲞₙᾧ⿾⋫ᝬ
    Filesize

    666B

    MD5

    e49f0a8effa6380b4518a8064f6d240b

    SHA1

    ba62ffe370e186b7f980922067ac68613521bd51

    SHA256

    8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

    SHA512

    de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

    Download Submit
  • memory/1916-0-0x0000000000400000-0x00000000005CC000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1916-1-0x0000000000400000-0x00000000005CC000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1916-177-0x0000000000400000-0x00000000005CC000-memory.dmp
    Filesize

    1.8MB

    Download