hxxps://go[.]enderman[.]ch/noescape

Analysis

max time kernel
46s
max time network
52s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
28-06-2024 19:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://go.enderman.ch/noescape

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640781895596057"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3652	chrome.exe
3652	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3652	chrome.exe
3652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1732	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 812	3652	chrome.exe	71
PID 3652 wrote to memory of 812	3652	chrome.exe	71
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 2236	3652	chrome.exe	73
PID 3652 wrote to memory of 1896	3652	chrome.exe	74
PID 3652 wrote to memory of 1896	3652	chrome.exe	74
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75
PID 3652 wrote to memory of 2136	3652	chrome.exe	75

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://go.enderman.ch/noescape
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff853bf9758,0x7ff853bf9768,0x7ff853bf9778
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1848,i,1532243686231481926,14776780189113073656,131072 /prefetch:2
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 --field-trial-handle=1848,i,1532243686231481926,14776780189113073656,131072 /prefetch:8
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 --field-trial-handle=1848,i,1532243686231481926,14776780189113073656,131072 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2856 --field-trial-handle=1848,i,1532243686231481926,14776780189113073656,131072 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2864 --field-trial-handle=1848,i,1532243686231481926,14776780189113073656,131072 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4364 --field-trial-handle=1848,i,1532243686231481926,14776780189113073656,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1848,i,1532243686231481926,14776780189113073656,131072 /prefetch:8
  2⤵
  PID:164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=1848,i,1532243686231481926,14776780189113073656,131072 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1848,i,1532243686231481926,14776780189113073656,131072 /prefetch:8
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 --field-trial-handle=1848,i,1532243686231481926,14776780189113073656,131072 /prefetch:8
  2⤵
  PID:1020

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
PID:4924

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae9055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
666b662a5c7a0fcee81d3b0fb4bb667d

SHA1
ea6dba3c816e27352b941a58a6869ee5d4881c5e

SHA256
f44b149587ce8f0e5f92556b3fea2a856264d328d6c2f5b5242973ae28094654

SHA512
9a0493bd0f77c979c15c595cb6bda5e7f3985a768552e968aa8b5268236119ad7e7a375f1440bf46642f877e5db48fa20b099bffb3434cb5d07b516925b8be54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a512b3688fa1e58dd34a92d81865c059

SHA1
a9af59eabb3a8a4e61590bd160ee852f94a81755

SHA256
2cd3c72ccf32c0122739a21a5ce1c70fa147a1fd13308d70e324cff44184f493

SHA512
70680b755ba7f8e4134865af89f182bb5772a7400d7363ec7c3bf6dd6becdeb06968aa5b3a3980fcc77971d9ac9807287a31e8ea91682dfbcb76a981c39eb63e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
be2b5573af5b571bf8db29bb5eb798ef

SHA1
1209da376be3421fcb676fac4ae9b1f2b0a1b03c

SHA256
034bb12cd2cfd387a1096c80fdcbc5689127a11a46e552ef0b9fb3b94737c00b

SHA512
ea86e2df0f37ee110976b0fd1e739a6ddb0ac9317b10853bedbe20139e8a3b63232b899c8b8c10c0f7ccf0dd124acc9b74c3f8870bb572b136f852d10833c445

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
2e845a0bc963442ac225f1951216c094

SHA1
d56a98206e6b5732413d6b9181582bf7b7794ae1

SHA256
d22a6756a582b733edf5451c2559717a9aaa197855a08c05f59f6a3649b21f0e

SHA512
52f285b85f73560f47f48048aff10348a59e890cbb75a209e32766be41e9d59f517df5d44d904b8f5ebe6366d63c059d6ab062b4fe32a952ebc0c1c31c0d5ebf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
ff60a20b27bc528f9d52270244024f00

SHA1
85ff5a10b67b21dfa22348e85dfcc15e7f0d09cc

SHA256
23dedd64fcade5624ae66f7ab94b77b2a5a2412138948ccd4a896de0e61d3e1d

SHA512
12bba639a825c551557b346e679fcbe5a41fe695998c1cc3f412d5e0d7b8d13fe4bf11016b50ee031194a7f49b6be752c0b249e842ac2482e487a4a088a67987

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
b0f764f75a120366272b24ef821b1da8

SHA1
235a1039bdc8b23ab116547591fc539809604873

SHA256
83c9f3d6aae295eb6b79038524d02d44f177e9187a1fd8a4fb35b09810bed01f

SHA512
1a136eac15fb4b8479e427f732e765cf60db785c2b06203b57c6e83cf621df263bdbb3b270ef294386d5788d86ad38c2801754b9220fe6fd132db93eeb6e99f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\NoEscape.zip.crdownload

Filesize
616KB

MD5
ef4fdf65fc90bfda8d1d2ae6d20aff60

SHA1
9431227836440c78f12bfb2cb3247d59f4d4640b

SHA256
47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8

SHA512
6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9

Download Submit
C:\Users\Public\Desktop\ᨙ⤐┺ᶰお୹⳰ໝᩦ∩Ჩ⻶‱጗׏ፊ៭౻

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/4924-67-0x00000000005C6000-0x00000000005C7000-memory.dmp

Filesize
4KB

Download
memory/4924-66-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/4924-244-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads