Resubmissions
17-06-2024 00:02
240617-abg2hsvcla 3Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17-06-2024 00:02
Static task
static1
Behavioral task
behavioral1
Sample
NoEscape.exe_virus
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
NoEscape.exe_virus
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
NoEscape.exe_virus
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral4
Sample
NoEscape.exe_virus
Resource
debian9-armhf-20240418-en
Behavioral task
behavioral5
Sample
NoEscape.exe_virus
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral6
Sample
NoEscape.exe_virus
Resource
debian9-mipsel-20240611-en
General
-
Target
NoEscape.exe_virus
-
Size
244KB
-
MD5
0b67f378bf8358c12fad9c5471a8bf9a
-
SHA1
5f8773fc6faef105e208ce11baa8297100e3e2e3
-
SHA256
fc11e199fadb1d657286dde635ea90be39a415442dc82b3be1e8ab77f1f8e95c
-
SHA512
7790996661c14141afcd71a36942295e6bbf957af33ad2fc26a1d0d78403754e6302539b295c96cb9a0ebf75970179fb1802f0d5214eb6728f783b1d57c43282
-
SSDEEP
6144:ERoBJ2n9dH5M2vkm0aFRv3pId9RJ97vZJT3CqbMrhryfQNRPaCieMjAkvCJv1ViB:koBJ2n9dH5M2vkm0aFRv3pId9RJ97vZd
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
rundll32.exepid process 2552 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cmd.exedescription pid process target process PID 1712 wrote to memory of 2552 1712 cmd.exe rundll32.exe PID 1712 wrote to memory of 2552 1712 cmd.exe rundll32.exe PID 1712 wrote to memory of 2552 1712 cmd.exe rundll32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\NoEscape.exe_virus1⤵
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NoEscape.exe_virus2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2552