Overview

overview

10

Static

static

3

No Escape.exe

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    No Escape.exe

  • Size

    771KB

  • Sample

    240426-vbypgsfh62

  • MD5

    2782877418b44509fd306fd9afe43e39

  • SHA1

    b0c18bdf782ca9c4fa41074f05458ce8e0f3961b

  • SHA256

    56d612e014504c96bb92429c31eb93f40938015d422b35765912ac4e6bd3755b

  • SHA512

    8826881b3ab406ee4c1fabd4848161f8524aeaeb7c4397384d36840f947ef95c8560850b2409fbf761ff225cdc8ac6eb875b705476fe9574b23c7a5478505a86

  • SSDEEP

    24576:OeTrmlZGPL7NV9+VitFsQUxY8BGOdQSqZ:hT6KDrmIFsBJBG4XqZ

Score
10/10
evasionpersistenceransomwaretrojan

Malware Config

Targets

    • Target

      No Escape.exe

    • Size

      771KB

    • MD5

      2782877418b44509fd306fd9afe43e39

    • SHA1

      b0c18bdf782ca9c4fa41074f05458ce8e0f3961b

    • SHA256

      56d612e014504c96bb92429c31eb93f40938015d422b35765912ac4e6bd3755b

    • SHA512

      8826881b3ab406ee4c1fabd4848161f8524aeaeb7c4397384d36840f947ef95c8560850b2409fbf761ff225cdc8ac6eb875b705476fe9574b23c7a5478505a86

    • SSDEEP

      24576:OeTrmlZGPL7NV9+VitFsQUxY8BGOdQSqZ:hT6KDrmIFsBJBG4XqZ

    Score
    10/10
    evasionpersistenceransomwaretrojan

    • Modifies WinLogon for persistence

      persistence

    • UAC bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Modify Registry

4
T1112

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Resource Development

Reconnaissance

Tasks