hxxp://nigger[.]nigga[.]malware[.]hovno[.]cz

Analysis

max time kernel
288s
max time network
290s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
08/06/2024, 12:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://nigger.nigga.malware.hovno.cz

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "250"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133623229019506956"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier	chrome.exe
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1296	chrome.exe
1296	chrome.exe
2948	chrome.exe
2948	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1164	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 3692	1296	chrome.exe	77
PID 1296 wrote to memory of 3692	1296	chrome.exe	77
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1532	1296	chrome.exe	78
PID 1296 wrote to memory of 1472	1296	chrome.exe	79
PID 1296 wrote to memory of 1472	1296	chrome.exe	79
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80
PID 1296 wrote to memory of 2112	1296	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://nigger.nigga.malware.hovno.cz
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd156bab58,0x7ffd156bab68,0x7ffd156bab78
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1800,i,2463368813530931919,9653474480893341874,131072 /prefetch:2
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1800,i,2463368813530931919,9653474480893341874,131072 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2104 --field-trial-handle=1800,i,2463368813530931919,9653474480893341874,131072 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2816 --field-trial-handle=1800,i,2463368813530931919,9653474480893341874,131072 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2940 --field-trial-handle=1800,i,2463368813530931919,9653474480893341874,131072 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3544 --field-trial-handle=1800,i,2463368813530931919,9653474480893341874,131072 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2828 --field-trial-handle=1800,i,2463368813530931919,9653474480893341874,131072 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2996 --field-trial-handle=1800,i,2463368813530931919,9653474480893341874,131072 /prefetch:8
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3012 --field-trial-handle=1800,i,2463368813530931919,9653474480893341874,131072 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4404 --field-trial-handle=1800,i,2463368813530931919,9653474480893341874,131072 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4624 --field-trial-handle=1800,i,2463368813530931919,9653474480893341874,131072 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4972 --field-trial-handle=1800,i,2463368813530931919,9653474480893341874,131072 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4372 --field-trial-handle=1800,i,2463368813530931919,9653474480893341874,131072 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1800,i,2463368813530931919,9653474480893341874,131072 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 --field-trial-handle=1800,i,2463368813530931919,9653474480893341874,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2920 --field-trial-handle=1800,i,2463368813530931919,9653474480893341874,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2948

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1420

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- NTFS ADS
PID:4656

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a0f055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e036c0892625516504efbcdc42956b21

SHA1
4ff7dac3924f61e72ec96e446ce11fbcd30e10c3

SHA256
5a5b762e86b1db380b1f3da01476c0f73cdc63b06ee25d2de96c576238da72d2

SHA512
5e2ac3c09974dba220cadd4f3551fb508c016fc9ad731c9e6fdcf49483500dd5019271a4fb8cb6d31063737ca4209400ed837cfb12a78dacf1be9d9bd0743a2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fc713de6e0d798f60a76d7148e45fcf7

SHA1
38fb9252d89d3cd6eef95391094701ea6db4bfd8

SHA256
b40c40ef95bbdaa74ec44ae2ebffbd584f987ae0f11b8b7ce7137a2a1e14e84b

SHA512
699647d2149874b64247bd4076952f47bc35b5980ddaa2a15c4316765c54b1afb1786db437cb31eb45f1b7a1d5d60959f34d257e226ebae5794579d8a2ec67fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b5e2e9fd438992fbf9ede3dde8c97c77

SHA1
4a8fcd56561e99cc90b5db7e467cf6e1a59645ef

SHA256
2e49f0a25cbec79323da8e0296a72b1bb9c41417b61489c83ed992fd60214adc

SHA512
bc8902c99f3087b36e72c671fc4495ac1ad7826844b88ad5f089b257da47e8a0e7e5e86d84361c48c294a465f58770bf557d9bbad51e8de20003d9afa3cee24b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
1bee70d0ae0ccbe31ac46429b1144de4

SHA1
5138cf44042541ae6382f3be8ec09337dd7226e4

SHA256
2274d0c75664343d6692d70ff9c9284d1babc7146b28d89609f1e5f63d19ceae

SHA512
f1ae3e4fe3fa0b8efd5972a867aa763fee7fdb546c980408d63b82fc1196d96eb8ce5fb65ea3ba1fe8ddd5c4151909cf47c7ea8618798ee21be708aadd81db7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9479b342a8a21769822f860a72120e9a

SHA1
a2c605628c9613a903b53ebf87412cc1cd47bbfc

SHA256
8da4351a8414cfbffb689e9d523f9cbc215bf97797a4a26780cdcd9bcd39053d

SHA512
3abe10c38d1ee9b724c4a7e5614145d3f5b0c1280f7aa0b4bce694b223065b0497338fa7139bc3b0bd5d4d7980f5c1747703739a76fcb5f951cfe2f891baf83d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9cc1e5c0b18e3a187c77c183a2958372

SHA1
c0cedda938d8b0b4bcec99b6ca4799453b8ba72c

SHA256
854ba07a992e152d96a5a710e0b23e7dda6e1c090efdd898114e842843f3f46c

SHA512
bce51591bae21931a2e8bd1ca845a0819ff8e22eabb966d606efeb6c63bddbb999597e8aa99968340ee4c68f3a5bb1e0220b6c29bcfdc16663e758496db7016e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9015c976aa6741ebe53e0b0792648ef6

SHA1
3b4210dcb68a7e78dbee969c4f229cff85aea1c6

SHA256
5bffe93307b6b667de946c257ad9f6aba1bd59a3c06556237a66094a44841beb

SHA512
9aaa11e0df43df1e2de799797caa7f22d3f5a80dcd80a02f8bfbaf52ae25613eb3b0953c631e3022158635989368ebccd3dedf9d913f62545a7a1a783777b50f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
aed238fb40ec48f683cfbf18fb77b176

SHA1
4ed0f113a6ec4c0a6821b049ffee056e655aafb1

SHA256
bcac7daebc4f9e0732d7bd535c82299c51930d72c07894f1df5fb34c3015c69c

SHA512
d9f377e39dbad60a83f1fa4989711a9ad871bcc1917fad01c56228320f223d6789849500b9012eca645e75d59c5e764adfec4ccd2c0acdb88b81dbec816c8ce1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cec6fe7ec8965901d0b957ec16a8eeb5

SHA1
df54ccfb61c826a9dfc075ba71244a8d2a2c7d58

SHA256
79a1edaf96b23dd60503f1befc86e7cbadc413117f8e90c01639387a1433c2cc

SHA512
2409c1da8b005b4b69344743e893d7981084055f780806ffe79ece3e110fa4f33e17240c7e279cdb6ece83122569d6a848a66f5f0b12e6e8fbc01771898bb59f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b152551777622dcfaa4c380a7c6653c1

SHA1
ceda628080853b3483b4af4f7199713f5c397d68

SHA256
d38d5ba8378fa19fa25015b72651a4350025eb7b306db9a502924689fbbead66

SHA512
4cb9b8aed35f4a6c6f9994ad7a46b188e28c2bd888e992a497e2c28682bf08404819a365a20da8f1482b573491f7b82228f9668c44b712fcda88dc56b2ac7ea1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
608e8baade050c0cd217b924863ec1c9

SHA1
3173d802e11caeee1e59243209c276f3d175b5c9

SHA256
b2b0b00c0dd65bfc786126ef3c56a6427ca4d49693ff86013f6a5f84f23c8b94

SHA512
c4f47bcc11527d9506a63c63213fd35860408850eb56d04adaeaed45304d281f418ab3c71dceed00c77bf01275e646bc659574e96cc0b569383460536bbe148b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
89e6e53a999293cdad40538558a29739

SHA1
c675ebd43062b5551b7714780bf6a1fcdbc053fb

SHA256
0b77a1306991a049ee790660c3dc735a5b0bb85e7867bcce777c82fb57439ff2

SHA512
34d2ff0ad523455325e9cc1f4dc8c52d7b2fe2e91d3cec4113265a8579fab18a5654064a89366c091ce307e004d95c8c31ecda0be7fd4b372a50e145de9ee067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f1138a03fe783449cddd48522ef8b53b

SHA1
76e5590416d15a45cfcc643437e500813b5075b6

SHA256
27c2aa410d0c01740c9293f9cd885981ef13cfd5f542f1037336a0a544f17971

SHA512
fafb502b368c81c8a6bd740094dc8e8f3f7c29e0e64c661a0056a83f31149b7ea2c91db6c44fc17b38c90275a49b1524f6dd475d3d31de416aa863c1de619846

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f8ddc292fb971f5185d3610cf9083eee

SHA1
d396cd4f5ad2521859d8f682d0a2995efe96ac5b

SHA256
979361fb29036d26317b169dcb44b387a9e0fa9ea314b869af3ed04361051565

SHA512
be620309cd4af93ab6183dd3ce138432faa27a9c4e3b18a25983b20eb21a02a4c33af2eaf77cf48e2f8616ae4a67e373f4aa147e37494a794e43cb93b05d10df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6027493508ec1c5ccc2b57a54ed1162d

SHA1
7810e60f003fe86030ae21db25311f215a86ca92

SHA256
f1e6d2655a10a0f58b1bb1324b2ce0024567c0e0e64b399c10f909604d9e09cf

SHA512
6edf885cb9a6ec266d435447d369f226e4055f95172004b1c33f50a0fa4816aff49915f8e04b9c89bd2996ba74f7e18c49a04c0927d13b309aa1addde2c45777

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57e743.TMP

Filesize
120B

MD5
cea14d695b33e867ec7e107521b6e16d

SHA1
40341b59acfc1ff32fe3d7f779208ed323520f9c

SHA256
e140bc93f1bffeee7775a0977d334ea67b19e17135d326eb6c903cd0406cc218

SHA512
ce2a6cd60c28c3fc8bfaad45c306d1b2ae3e9feae0fe1aa9aebe0bcf1c8285bc7117048963dcc8135c61ffc9e1b750f9d1e4984a2284a78e28103281a8ec915b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
151bcc51490cecbddab4808661575d09

SHA1
36c914cc74fa5ee63ba3069e94733095f879cb3e

SHA256
e6e050fed154383a9a83a3d385311098772491fed23a811823e74e75f1bb1dce

SHA512
7ef76fa5a3d57de29c9c97d2d1acdd560a67b324a3f69b16527faeef3c5463ba9a9201fa9469e1042a8fbbeba04fbc290a1182c79a65e91dcf67e599f3f2746d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
acd230dd553d0fa011ad6eca7519f53e

SHA1
5e0294c27275a32b21029ee49754e16d0d310301

SHA256
6bc133cddf79ab8b66d90a29a8c21345f9a7e0b081140e6b2122c0ee1a806731

SHA512
99986c29da609ddd8d0fa22024fde26007c625c5c98fcecaae4836304588690ee9dfb46a1e29b9662bdc0ea5230c3418112a1c922afac707a9408172fc8da39d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
88KB

MD5
057a0bd13dbe9d08a21ec98fe993ce35

SHA1
975128aa4e26e59b25b06961dc15ef2901e16526

SHA256
457b176a8d65d9771e116828b9a288a6bf5c2f9e991eeb22ce5766dede595347

SHA512
9581317c449f50857caa5606d5f5db68b6643c0b2ff1a549a2487b427cc0f36e049cfd3e71874e30ffe86bc904272180781b07bc9692f6fac92fb050155e7173

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58c9f2.TMP

Filesize
83KB

MD5
9eecdfdf178597e2f2a48dec8bd0a999

SHA1
260471393aeac730ce6c79ef51114b028956ed81

SHA256
0ea01b87f38c4ef0c2ac9e53d9050c8f1045f03eec8c5a4b7148807762523039

SHA512
0b7158f6e91306980e0dea0c46460a14869aab46e8b26288c43a02d802efcecb64e78b0040bcdb8dfff0fc3e3ad0dce9516fbc1ffa9b43aaf6d359932f217b71

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe.zip

Filesize
13.5MB

MD5
660708319a500f1865fa9d2fadfa712d

SHA1
b2ae3aef17095ab26410e0f1792a379a4a2966f8

SHA256
542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

SHA512
18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Public\Desktop\ഝা⤛⒲ㄉ⨲⇯ᡋዉᕺცᴇઑ⎟௭⦴ᴐᩒᵬ►୒⶙ടۍ⋱ـቹḽ଻⻣ᐔᗞ

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/4656-428-0x00000000005C6000-0x00000000005C7000-memory.dmp

Filesize
4KB

Download
memory/4656-427-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/4656-429-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/4656-607-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads