Malware Analysis Report

2025-01-17 22:40

Sample ID 240603-pxxfnaeg7v
Target ESCAPE_setup_vers_2_20221205.exe
SHA256 41863fdb2824679e37f36644272f715f30ec2466758525fd9db06fce3461547e
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file ESCAPE_setup_vers_2_20221205.exe was found to show suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-03 12:43

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 12:43

Reported

2024-06-03 12:46

Platform

win7-20240220-en

Max time kernel

201s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ESCAPE_setup_vers_2_20221205.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\is-3UV3S.tmp\ESCAPE_setup_vers_2_20221205.tmp
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\ESCAPE_setup_vers_2_20221205.exe
Target: N/A

Suspicious behavior: GetForegroundWindowSpam

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\is-3UV3S.tmp\ESCAPE_setup_vers_2_20221205.tmp
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ESCAPE_setup_vers_2_20221205.exe

"C:\Users\Admin\AppData\Local\Temp\ESCAPE_setup_vers_2_20221205.exe"

C:\Users\Admin\AppData\Local\Temp\is-3UV3S.tmp\ESCAPE_setup_vers_2_20221205.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3UV3S.tmp\ESCAPE_setup_vers_2_20221205.tmp" /SL5="$4010A,5450233,780800,C:\Users\Admin\AppData\Local\Temp\ESCAPE_setup_vers_2_20221205.exe"

Network

N/A

Files

memory/1508-0-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/1508-2-0x0000000000401000-0x00000000004B7000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-3UV3S.tmp\ESCAPE_setup_vers_2_20221205.tmp

MD5 c29b46ff9458d87b9c01e59818f5e8d8
SHA1 a3a9dd67c1e8defdbb99b849c1f5e6eb2236375a
SHA256 ef487df1131bbdccae79d90c928c57f6ec7de4b99b03f4a473ff692dc95e8f24
SHA512 69a130f8ec6dc810d90dac762eb2f255cd6f94894cd5f45a897b5d172737d20db481d23560d56d14644f5cab6fd4f1b36b20e82ad145c7d5eb5f8ed50409b5a6

memory/2744-8-0x0000000000400000-0x0000000000682000-memory.dmp

memory/1508-10-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2744-11-0x0000000000400000-0x0000000000682000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 12:43

Reported

2024-06-03 12:45

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ESCAPE_setup_vers_2_20221205.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\ESCAPE_setup_vers_2_20221205.exe

"C:\Users\Admin\AppData\Local\Temp\ESCAPE_setup_vers_2_20221205.exe"

C:\Users\Admin\AppData\Local\Temp\is-PGTTN.tmp\ESCAPE_setup_vers_2_20221205.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PGTTN.tmp\ESCAPE_setup_vers_2_20221205.tmp" /SL5="$7006C,5450233,780800,C:\Users\Admin\AppData\Local\Temp\ESCAPE_setup_vers_2_20221205.exe"

Network

Country  Destination   Domain                         Proto
US       8.8.8.8:53    217.106.137.52.in-addr.arpa    udp
US       8.8.8.8:53    240.221.184.93.in-addr.arpa    udp
US       8.8.8.8:53    95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53    71.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53    154.239.44.20.in-addr.arpa     udp
US       8.8.8.8:53    209.205.72.20.in-addr.arpa     udp
US       8.8.8.8:53    157.123.68.40.in-addr.arpa     udp
US       8.8.8.8:53    171.39.242.20.in-addr.arpa     udp
US       8.8.8.8:53    0.204.248.87.in-addr.arpa      udp
US       8.8.8.8:53    13.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53                                   udp

Files

memory/3008-0-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/3008-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PGTTN.tmp\ESCAPE_setup_vers_2_20221205.tmp

MD5 c29b46ff9458d87b9c01e59818f5e8d8
SHA1 a3a9dd67c1e8defdbb99b849c1f5e6eb2236375a
SHA256 ef487df1131bbdccae79d90c928c57f6ec7de4b99b03f4a473ff692dc95e8f24
SHA512 69a130f8ec6dc810d90dac762eb2f255cd6f94894cd5f45a897b5d172737d20db481d23560d56d14644f5cab6fd4f1b36b20e82ad145c7d5eb5f8ed50409b5a6

memory/3616-6-0x0000000000400000-0x0000000000682000-memory.dmp

memory/3008-8-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/3616-9-0x0000000000400000-0x0000000000682000-memory.dmp