47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8

Analysis

max time kernel
46s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoEscape.zip
Size

616KB
MD5

ef4fdf65fc90bfda8d1d2ae6d20aff60
SHA1

9431227836440c78f12bfb2cb3247d59f4d4640b
SHA256

47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8
SHA512

6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9
SSDEEP

12288:1PQuO1JLx2auoA82iqOxdOc7XPkmpOw6mqc5m937hnTMktj1H:1PVqJx2auYqw7dOw6mql3nNBd

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133649176191457983"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3216	chrome.exe
3216	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 4860	3216	chrome.exe	88
PID 3216 wrote to memory of 4860	3216	chrome.exe	88
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 2612	3216	chrome.exe	89
PID 3216 wrote to memory of 3160	3216	chrome.exe	90
PID 3216 wrote to memory of 3160	3216	chrome.exe	90
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91
PID 3216 wrote to memory of 2500	3216	chrome.exe	91

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NoEscape.zip
1⤵
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe92e5ab58,0x7ffe92e5ab68,0x7ffe92e5ab78
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1964,i,168470178702747078,16907139924207487722,131072 /prefetch:2
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1964,i,168470178702747078,16907139924207487722,131072 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2300 --field-trial-handle=1964,i,168470178702747078,16907139924207487722,131072 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1964,i,168470178702747078,16907139924207487722,131072 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1964,i,168470178702747078,16907139924207487722,131072 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4012 --field-trial-handle=1964,i,168470178702747078,16907139924207487722,131072 /prefetch:1
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1964,i,168470178702747078,16907139924207487722,131072 /prefetch:8
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4820 --field-trial-handle=1964,i,168470178702747078,16907139924207487722,131072 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1964,i,168470178702747078,16907139924207487722,131072 /prefetch:8
  2⤵
  PID:4012

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3d31fc956412e4282abb4108a6167d79

SHA1
b4b5051704f61d0c82e5bbe53b0d2cf2a819e1f4

SHA256
d596012fdfdf6c7be23375509b887bd71e1d9486f34d6e9120ab05941f979979

SHA512
20c1f7c0394919b49b1e3dc0e1d621ff4a120db4de31b549a4c6b1c7f0537821d0810ca57bde922683031b2b833105914bd0fe53f88f25694e6fc4523e223d30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ef88b58ff32feec2d7f322dff96b18e8

SHA1
739deb54617f4c5505ebd12cabf25212e6a18344

SHA256
c91948231064b544e9031ca0eed7c6f027953eacb4d446de317439b04f9f08cf

SHA512
a0139eab7d46e73089a1476d31736f9b55b69dab4ef4d9b7a8910b520fa88ee41f182386fe654eaf6e9a7802f0608e5f984070203a3cc4f12cbce94fac353697

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
38e29d4985e63916373c0bfff605ce8a

SHA1
5a6a4c004e0b3861a415ff84447da0b48c246833

SHA256
71af300f2ebf8f87f772a48b7b6bb3ef5977679dccce2d2cafe586b0e05b425b

SHA512
a0a92362cdaeff5d743e4d0924a27b29dc1806aa0800eab14dea609d9d0cf895add61af1ee9b7dd59957538f5dea14ae93a594c37a963fab5d628f4d98771240

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
47ed00cc1e6cf54c56fd5ee3ff937933

SHA1
b50db6d839b16debff3ac17fac5ac1072b26ec54

SHA256
ba516d24fcd1b9f96d5df17de633fe296eea6d0cbe6c54bb20cbcfc948862a14

SHA512
80504d0186d9b0e1ec6093af93f1ce57424df2b5c8076c93f76d5d8d95a2d8ebe9a698b6ded6da02344f18dec58808d27ef54c0ffb62d103a177de0c76d2876d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
8682909a5bece8ba8f71232468d181ef

SHA1
f5fefe3a5311588f8709af663f03889a4f5cc9dc

SHA256
5d2d13fd3d5b8f9c5b2ee8ab4f882d0f6dc142e536d88969aee4e29e8b28f39a

SHA512
0fc1ceed58482665205a6347f277b620b4dcba56af940e0614e4aa10a3456484e899f7d2360da65fc495113ebb17528981b33931c9fcecf76b533c4ec2ed8efc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
8524695bdfc6940b7035344aa677a5a2

SHA1
c09cf377c34e1239970d25501efe61764716232b

SHA256
b579cba762fd5a4206a04e4e1de7ae5665aba7300c7ad478aca904158c1a789e

SHA512
0dedaf0e6db0a418212ce25e0b2b978b0715a5f0b497fda00ec0a9c1c91dc0c9f240408388cfbb12ba67c40534dcb97b5e18a1884d3bc5c2deecb2adc584601b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit