hxxps://github[.]com/Sn8ow/NoEscape[.]exe_Virus

Analysis

max time kernel
45s
max time network
46s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02/05/2024, 12:52

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Sn8ow/NoEscape.exe_Virus

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133591279855912648"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4912	chrome.exe
4912	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4912	chrome.exe
4912	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3288	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 5028	4912	chrome.exe	72
PID 4912 wrote to memory of 5028	4912	chrome.exe	72
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4532	4912	chrome.exe	74
PID 4912 wrote to memory of 4324	4912	chrome.exe	75
PID 4912 wrote to memory of 4324	4912	chrome.exe	75
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76
PID 4912 wrote to memory of 1456	4912	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Sn8ow/NoEscape.exe_Virus
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa8b599758,0x7ffa8b599768,0x7ffa8b599778
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1816,i,1514051182389864255,588686213588006548,131072 /prefetch:2
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1816,i,1514051182389864255,588686213588006548,131072 /prefetch:8
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1816,i,1514051182389864255,588686213588006548,131072 /prefetch:8
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2920 --field-trial-handle=1816,i,1514051182389864255,588686213588006548,131072 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2928 --field-trial-handle=1816,i,1514051182389864255,588686213588006548,131072 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1816,i,1514051182389864255,588686213588006548,131072 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1816,i,1514051182389864255,588686213588006548,131072 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1816,i,1514051182389864255,588686213588006548,131072 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1816,i,1514051182389864255,588686213588006548,131072 /prefetch:8
  2⤵
  PID:1536

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4628

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.exe.zip\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.exe.zip\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
PID:5096

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af1855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
43c78687e84af9c3326b3d9781775f4b

SHA1
afa5005edbdabee7e420f53d70a462eebb7393c8

SHA256
b76772719218581fe9cfa0bf03f8e3101af6f1a696a70a969674406136a9dbd2

SHA512
589186beef48238a18b4f434ef402de3a468f797a954bd56189f47f27ec01227d1eb64fca5486f1ee062fdbc90a12fb9bc8d21dc3831f56bb65546452bf6c407

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
52557a8db7b294b74f9f51d60be2a1bc

SHA1
aeb6d173dbd1e5d16a52b4f4ba55d7382fd88983

SHA256
d22102db82a83c47b94f9ac76c259b0f058ca87bfe87bc998a7e80be85154412

SHA512
409482cafa68b850a75ac7586f9fc3ee01f18f08a6e7869ad5aca0d70855562f1ab560db753f84ab8d92c5c8c0d845389c101ddbb92b7b99646971f90fae47cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
51d3f02450bd55a76dcee88daedbe864

SHA1
02b88c80bf3de10992e755275ba23ebebbec90d4

SHA256
cbce1c801abbb4d551da847025e1dc686c8d22a7d5cfe9fb8fbe147111afa904

SHA512
ec9e83cb28395e8322f1c7b4b7912a27541402b5fbc72ff3f25db719a6157fcfb581857c1cf94ae2ddd256c7ac16ac9b097574dd3c818a6858e7f5b5a3bbf5ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
efdee7fe1c03dbe958d533d77787ca1e

SHA1
9213d2964f0ec73d9c83a9d35adb9ae3c8f6e05f

SHA256
f24b4b57d0c54d3f8a09172b7e923876c95a1e9e6db5f9b91c84b6f7949701d6

SHA512
328bdef011a1ed8dee27b5065313d61fed38e8fe88c0d612082974274968eb3524b6f7de2cada2ccb9385fe5ff2d18a303b742ad5e4b037d16c0450a9592f8c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
47d43bcadc2cff48c44cc267dd3437ae

SHA1
5453c8a64111d9afb6072b70e05b9320c6ea59f1

SHA256
a4d7be125eb110d23ca64e5d44349c607cde8d1d354d126f1f5cf4877252bc16

SHA512
964ba0a21461f56429e0baff07d76377e68b7f09aeae71b61a947a961c90d898b6cf693f449a07fa3b175556e8e2b919abe9d34da6a11cf46bc8e3e41263ac64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
876c6ce194984ebcd8b996ab271c9b2e

SHA1
311adcfa950deb9940755ea5be1af36c254f8eb8

SHA256
deedd5517d4dcb4102c9113947dc941395de0fce4b6e1453997f2f21c7aae86f

SHA512
9c0ee6e8fe035406bc741d052d0691d4e93e8814cc8520d9d894a66ce905008b13bf972cfefa20aba7d9c2ea934b07773ce5d0d5e688aafd4cff8bb0a3569f88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
0e898dc146577edf817644232edeed11

SHA1
69ba9ae592bb6a4859327dc064e4472e42cf0b1a

SHA256
9ad0a324e7028536ef1e98402aa56a3d055b950f139d059ca92b2713c50cfa4d

SHA512
4b7455eb380bfec8f1cf729674c6269bffd65bfab58f000e1be76671907bfcfbff1a0651c131c8f009ed4daca0885154001a345e1412bc7ff08ec402e4e9cec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
baa59a8bc6ded824d397400f067c0981

SHA1
2bd75e3cc01482030efb0aaa35ac3262cc7cc5fc

SHA256
5a7d3b2af2e9fe40b7e7f0ac7740fb45ad751670f73be7b873cb915afbf23018

SHA512
80dec01ad5f89661f8c954d8f4967d1ff9195d90cb4444f883ec9a65caa8114c62e349b81a44b53689f23f5f58c9c224dd615b4c851311fe706b5f627bcc8c3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
ac71323e97b4f747d4729d76308bb326

SHA1
c9be70014e0fdccd7c062b518cad5da3ab622ff0

SHA256
3f59b5e0665f994242e053f02c659b832cc95e86095a78c0aef7b54167a13956

SHA512
5b5c02b5d2f75e98d0e23ffd2f99c02468142489621e1ef6478dc669001ccd358eae2e77c786315817049ae0f4a3c7b26f97c6b064c19390fed2019f4f27ae88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59b29d.TMP

Filesize
98KB

MD5
9d3da1ed92bee4816774ab636adcece2

SHA1
27532f81452b6fffbfc507b89953f81deebb58c7

SHA256
7ef54336739e30e1aa3aba63e3145ba46c5bdb2c42cae4150398885bf6994181

SHA512
1ffd131c947976105984088341b43af15c571833b24852d3e32e10e3b4577cf1416f83f496cf680c333e72adf3bb4d28c00c293aea5df2187a059786c42daa9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe.zip.crdownload

Filesize
13.5MB

MD5
660708319a500f1865fa9d2fadfa712d

SHA1
b2ae3aef17095ab26410e0f1792a379a4a2966f8

SHA256
542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

SHA512
18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Download Submit
C:\Users\Public\Desktop\≛❅ⅡᏙ⿛᭯Ẍབᛯ↷թ⒢ྃ໰ₗ⓽ࢇ᥋⟞

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/5096-208-0x00000000005C6000-0x00000000005C7000-memory.dmp

Filesize
4KB

Download
memory/5096-207-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/5096-384-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads