Malware Analysis Report

2024-11-13 13:22

Sample ID 240617-abg2hsvcla
Target NoEscape.exe_Virus
SHA256 fc11e199fadb1d657286dde635ea90be39a415442dc82b3be1e8ab77f1f8e95c
Tags
score
3/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
3/10

SHA256

fc11e199fadb1d657286dde635ea90be39a415442dc82b3be1e8ab77f1f8e95c

Threat Level: Likely benign

The file NoEscape.exe_Virus was found to be: Likely benign.

Malicious Activity Summary


Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 00:02

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-17 00:02

Reported

2024-06-17 00:02

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Command Line

[/tmp/NoEscape.exe_virus]

Signatures

N/A

Processes

/tmp/NoEscape.exe_virus

[/tmp/NoEscape.exe_virus]

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-17 00:02

Reported

2024-06-17 00:02

Platform

debian9-armhf-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-17 00:02

Reported

2024-06-17 00:02

Platform

debian9-mipsbe-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-17 00:02

Reported

2024-06-17 00:02

Platform

debian9-mipsel-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 00:02

Reported

2024-06-17 00:05

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\NoEscape.exe_virus

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1712 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1712 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\NoEscape.exe_virus

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NoEscape.exe_virus

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 00:02

Reported

2024-06-17 00:05

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

155s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\NoEscape.exe_virus

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\NoEscape.exe_virus

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
BE 88.221.83.219:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 219.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files

N/A