hxxps://github[.]com/Sn8ow/NoEscape[.]exe_Virus

Analysis

max time kernel
62s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 12:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Sn8ow/NoEscape.exe_Virus

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Loads dropped DLL 1 IoCs

pid	Process
4316	vc_redist.x86.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133688031992071726"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "58"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5044	chrome.exe
5044	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5044	chrome.exe
5044	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1544	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 3868	5044	chrome.exe	84
PID 5044 wrote to memory of 3868	5044	chrome.exe	84
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 1564	5044	chrome.exe	85
PID 5044 wrote to memory of 2952	5044	chrome.exe	86
PID 5044 wrote to memory of 2952	5044	chrome.exe	86
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87
PID 5044 wrote to memory of 3068	5044	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Sn8ow/NoEscape.exe_Virus
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xd8,0xe0,0x100,0xd4,0x104,0x7fff07c3cc40,0x7fff07c3cc4c,0x7fff07c3cc58
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,1667291585670309045,18226187020208434432,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1724,i,1667291585670309045,18226187020208434432,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,1667291585670309045,18226187020208434432,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,1667291585670309045,18226187020208434432,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,1667291585670309045,18226187020208434432,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4620,i,1667291585670309045,18226187020208434432,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4628 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4852,i,1667291585670309045,18226187020208434432,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:4384

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3004

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3128
- C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
  "C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe" -burn.unelevated BurnPipe.{045CEAE0-B8FE-463A-81DC-208F0D006D06} {3638D441-3514-4051-8FFF-73D1A3762AD5} 3128
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4316

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4520

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa396c055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:5176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e5755b0fd7a28b94d08fcdbea88fe789

SHA1
2a1cabe461bbbe671c6b1117cd69da32335f472c

SHA256
8ffe403dc7d3754590d82ea901ee7ce866d69d5f821f03b6db2afc0b736e5b5b

SHA512
75aabe4fab1f0004f8ea908c2bdaa79f7de6060a1b1575d23e42ddc5a8ac3169f70c487a779e6bd07fb34c4beeeec4cc3cb5a843d361c7f6124cc5447406e461

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4945c9da16a5ca3a01b2f0a018f3a461

SHA1
526ffd638d0e1e57d27c03735d61e70baa5bae0b

SHA256
62944d05cf4ea6dff25f914a244c00d097b0ba97d715e32b29339713d6278285

SHA512
9634c9793cd23f2cc4b6ce03ce54f9c46029e1591b12c8249a733ff2e9add4d3a0725968f14eeb46105789b3e3580d32026829a61b4bab04f16cdb1cd2ad6023

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1be874f9ec486d1f4a19b5ded180e934

SHA1
b9fe06e5942ef4903bc57fbf6fcb06ebf19c6c2e

SHA256
8ab7aa7582756467800b66caea84e7ffc9d6d044f95e4d86e0fe4d9dca63f666

SHA512
1f2eccb9a7d6fd0bdbf5227b3db19898234de88762026a0c1fa680495bff8e36427d8bce2632917b5f44c27f2dd4abf4ff55bd864dd6d0daf798692d531203d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a589047f891ab49e93adf500c387f42f

SHA1
ee83578d3b0bf99c6e7240d92c01bffb6870da78

SHA256
24caef68f464134b62938ab449842043f92d5e9beb79a23564c69da6f5604765

SHA512
e339b7d0891293af4b9cc4a7c9a00a3cbd4f8e310869709988d6b68201006dadbb3697f0f7e6db54916c21c9d683ead94f4f73fb52e2eb61a49ce2be15a46809

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5c81b503f60c8171789af51655dbfc71

SHA1
e0c8060b618f04290bd6d77ba500de375bcbcb3d

SHA256
3ea5e1d7e05b1ad4fa30eca70ed38d8d0d940d8c865edbd9fac44e08fc0ceec4

SHA512
03cafa9238b79ce0687001e457b599b144184e50a005471c2fb5bd430bc214cc584a1e463d79a0f73a95215a13ea66f8882c2929a54994cd0ae1e08a64c0c577

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a1a65f51c0abf213d0b2c94b6b967b13

SHA1
580b17dd0570f68e95da1e4233eed43a9ca49ce9

SHA256
c328f37a2b4f78b15af2b890f5458225c610ad82dd8473060149b5704a638daa

SHA512
2a0b61a5b976b10a5eadfadc763af17770fac0cdd4ded37fae8a7f8005617109fe824ff81a7de5c808f6aba1605da3f91d96d92a22fcbf9325677e8ab7bc3167

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
42aafe659f2b05f33489504d2a0a0a5a

SHA1
f8da6c08cf44f0bb4883f823b02656332806f45b

SHA256
c35a167a18eca8fb4a576bee04bb2c205fb9b375ed99dc55f6a5bfe89912e57c

SHA512
da6e06c0f70e2bee5d71d05134700e86d008913ca77f798a530d1afb12fdeb5751afc4b7fc9bc11a50beb16dd41f8d86c5d94c6b946dadd8ce4a353d29ee10d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
790f49e14afc8096b3ca72104ab47919

SHA1
ad5f57d2c3b3c24b7aaa2da0bf4cabf85a0760c4

SHA256
ce1bff3ed039b013b9abe93fecffbfc17bde23685abb295a88176cd53ef1035b

SHA512
af4588cd8f1be9bf610254b35f6365f28bde70d3abb474c1a53f4222edf3c425b2f9babf970d8a357e8b5991856486f0541f076db2adcc7107f247340c375128

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
be0d40b79c50a8276e520e1ec57ea059

SHA1
7bdf7a84aa3a281275c03f06c16cbd3c590ac257

SHA256
96f3b9e35be1f76daa9e9e509ba13fd97d47db543280b61bc8e566845515f49a

SHA512
5763bcb2cb903cb449a07efe04fbe01aac0db001c24b5a0efaf50f129486d92500e054b22715271244ffedb95ea823788f821d501d15f385d232015cc3fb30a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
8dc483281eb1985b53be5be9835b2e80

SHA1
4510dd82e9650ba7f36bb648dbd86d1eaaddd2eb

SHA256
c178886c7e77e2f8e816187b75e97a0f78bedb861798a8ff8fc6c773dccf7d45

SHA512
225543edbdbc983f6c4952ba18445b5eaa1a8727b44cc5aed3e27c7fb538f286acf3c0fea5a58c382003571457b576296868a535a105bad0824cde2fc985a3e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
ebfafe337b97ff83c45c0292e10f3e06

SHA1
b785e2acaed75d0c6147b66dfbf035dd20cb6306

SHA256
3e6202b8c414016e608c0cc94ec0c5853002085ca96d5bd50ca34623fae25f98

SHA512
fb998213951f4b31103fe083ef956dd3a8af7d0ef6823248d879a67fc47a28aa4000e80cfbf7c124628696ee7f47f7be10f73ec8f7d2fbee7d7e953d7425e35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe.zip.crdownload

Filesize
13.5MB

MD5
660708319a500f1865fa9d2fadfa712d

SHA1
b2ae3aef17095ab26410e0f1792a379a4a2966f8

SHA256
542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

SHA512
18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Download Submit
C:\Users\Public\Desktop\ᶟ݃⁋ᣃᢹⶾዹ∼ᦽ⡱᭹ᮩ⹾ℎඹᙑ३

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/4520-320-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/4520-497-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads