7b55dfab141eb69abbe47267e396fe8ee6bc4054fc8d4a5d91049b950c7d84aa

Analysis

max time kernel
94s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoEscape.exe-Download-main/NoEscape.exe/vc_redist.x86.exe
Size

13.1MB
MD5

1a15e6606bac9647e7ad3caa543377cf
SHA1

bfb74e498c44d3a103ca3aa2831763fb417134d1
SHA256

fdd1e1f0dcae2d0aa0720895eff33b927d13076e64464bb7c7e5843b7667cd14
SHA512

e8cb67fc8e0312da3cc98364b96dfa1a63150ab9de60069c4af60c1cf77d440b7dffe630b4784ba07ea9bf146bdbf6ad5282a900ffd6ab7d86433456a752b2fd
SSDEEP

393216:S1RPq5dCsKSR65cX7Eyd/qnejOFxP7OEnl4L/Vvc:yP5iw56oyleej2OEnlwc

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3488	vc_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	vc_redist.x86.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	vc_redist.x86.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3488	vc_redist.x86.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 3488	3900	vc_redist.x86.exe	84
PID 3900 wrote to memory of 3488	3900	vc_redist.x86.exe	84
PID 3900 wrote to memory of 3488	3900	vc_redist.x86.exe	84

C:\Users\Admin\AppData\Local\Temp\NoEscape.exe-Download-main\NoEscape.exe\vc_redist.x86.exe
"C:\Users\Admin\AppData\Local\Temp\NoEscape.exe-Download-main\NoEscape.exe\vc_redist.x86.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Users\Admin\AppData\Local\Temp\NoEscape.exe-Download-main\NoEscape.exe\vc_redist.x86.exe
  "C:\Users\Admin\AppData\Local\Temp\NoEscape.exe-Download-main\NoEscape.exe\vc_redist.x86.exe" -burn.unelevated BurnPipe.{5C982918-0B75-4C90-B78C-C6423B709715} {A66C3EF5-C6AA-4E67-B407-06A5D03145FB} 3900
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit