Resubmissions

08-06-2024 08:50

240608-krvyesae91 10

08-05-2024 16:15

240508-tqnx6ach3w 10

08-05-2024 16:07

240508-tkr3mafa54 10

01-05-2024 18:02

240501-wmf49acg3s 6

27-04-2024 08:46

240427-kpfeysff8s 10

25-04-2024 21:25

240425-z9y55afb7v 10

25-04-2024 21:16

240425-z4pphafa97 10

25-04-2024 18:27

240425-w3929sde33 10

25-04-2024 18:17

240425-ww4a5sdc8x 10

Analysis

  • max time kernel
    33s
  • max time network
    38s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-04-2024 17:55

Errors

Reason
Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-25T17:57:06Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240226-en/instance_4-dirty.qcow2\"}"

General

  • Target

    NoEscape.exe

  • Size

    666KB

  • MD5

    989ae3d195203b323aa2b3adf04e9833

  • SHA1

    31a45521bc672abcf64e50284ca5d4e6b3687dc8

  • SHA256

    d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f

  • SHA512

    e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305

  • SSDEEP

    12288:85J5X487qJUtcWfkVJ6g5s/cD01oKHQyis2AePsr8nP712TB:s487pcZEgwcDpg1L2tbPR2t

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Modifies WinLogon 2 TTPs 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • System policy modification 1 TTPs 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NoEscape.exe
    "C:\Users\Admin\AppData\Local\Temp\NoEscape.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Disables RegEdit via registry modification
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Modifies WinLogon
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • System policy modification
    PID:4620
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39fb855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Desktop\޳߼ℙ ⓞᯱ࿙⯙〜⒰༳᪮╚ᰌᶺ⭌ီ⌚ᔶቿᴯ֎ᴬⴁࠓך

    Filesize

    666B

    MD5

    e49f0a8effa6380b4518a8064f6d240b

    SHA1

    ba62ffe370e186b7f980922067ac68613521bd51

    SHA256

    8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

    SHA512

    de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

  • memory/4620-0-0x0000000000400000-0x00000000005CC000-memory.dmp

    Filesize

    1.8MB

  • memory/4620-1-0x0000000000400000-0x00000000005CC000-memory.dmp

    Filesize

    1.8MB

  • memory/4620-177-0x0000000000400000-0x00000000005CC000-memory.dmp

    Filesize

    1.8MB