Malware Analysis Report

2024-12-07 10:16

Sample ID 241112-t29c8swhkq
Target NoEscape.exe.zip
SHA256 542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c
Tags
discovery evasion persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

Threat Level: Known bad

The file NoEscape.exe.zip was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware trojan

Modifies WinLogon for persistence

UAC bypass

Disables RegEdit via registry modification

Loads dropped DLL

Drops desktop.ini file(s)

Checks whether UAC is enabled

Checks installed software on the system

Modifies WinLogon

Sets desktop wallpaper using registry

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious use of WriteProcessMemory

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 16:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 16:34

Reported

2024-11-12 16:37

Platform

win7-20241010-en

Max time kernel

122s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe

"C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"

Network

N/A

Files

memory/2092-0-0x0000000000400000-0x00000000005CC000-memory.dmp

memory/2092-1-0x0000000000400000-0x00000000005CC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 16:34

Reported

2024-11-12 16:34

Platform

win10v2004-20241007-en

Max time kernel

13s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = "0" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnt32.exe C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A
File opened for modification C:\Windows\winnt32.exe C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\AutoColorization = "1" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Mouse C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "234" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A
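The behavioral2 tables above carry the indicators that matter for response: Winlogon\Userinit now chains C:\Windows\winnt32.exe (the file created under "Drops file in Windows directory") behind userinit.exe, EnableLUA is set to 0 (UAC stays off from the next reboot), DisableRegistryTools blocks regedit for the logged-on user, DisableCAD removes the secure-attention requirement at logon, and the wallpaper is pointed at noescape.png. The HKU\.DEFAULT rows written by LogonUI.exe are the logon screen persisting its own colour scheme and are not attributable to the sample. The Python below is an added example, not part of the sandbox output: it parses the "Set value" rows exactly as this report renders them (the event strings are copied from the tables above) and applies indicator rules of its own; the severities and ATT&CK mapping are this example's, not the sandbox vendor's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rows copied from the behavioral2 signature tables. The two LogonUI.exe rows are
# included on purpose (they must not be flagged); the last 'Key created' row shows
# a shape the parser deliberately skips.
REPORT_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A',
    r'Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Mouse C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe N/A',
]

# Row shape: Set value (<type>) <key>\<name> = "<data>" <process path, may contain spaces> <target>
# The process path is matched lazily and the target is the last whitespace-free token.
SET_VALUE = re.compile(
    r'^Set value \((?P<vtype>str|int|data)\) (?P<path>\\REGISTRY\\.+?) = '
    r'(?:"(?P<quoted>[^"]*)"|(?P<raw>\S+)) (?P<process>.+?) (?P<target>\S+)$'
)

@dataclass
class RegEvent:
    key: str        # lower-cased key path, e.g. \registry\machine\software\...\winlogon
    name: str       # lower-cased value name
    vtype: str
    value: str      # string data with the report's doubled backslashes undone
    process: str

@dataclass
class Finding:
    severity: str
    technique: str  # MITRE ATT&CK technique ID (this example's mapping)
    detail: str
    process: str

def parse_set_value(line: str) -> Optional[RegEvent]:
    m = SET_VALUE.match(line)
    if m is None:
        return None
    key, _, name = m['path'].rpartition('\\')
    value = m['quoted'] if m['quoted'] is not None else m['raw']
    if m['vtype'] == 'str':
        value = value.replace('\\\\', '\\')   # the report escapes backslashes in string data
    return RegEvent(key.lower(), name.lower(), m['vtype'], value, m['process'])

def hive_relative(key: str) -> Tuple[str, str]:
    """Strip the hive (and, for HKU, the SID or .DEFAULT) so one rule covers both hives."""
    parts = key.split('\\')
    if len(parts) > 3 and parts[2] == 'machine':
        return 'HKLM', '\\'.join(parts[3:])
    if len(parts) > 4 and parts[2] == 'user':
        return 'HKU', '\\'.join(parts[4:])
    return '?', key

WINLOGON = r'software\microsoft\windows nt\currentversion\winlogon'
POLICY_SYSTEM = r'software\microsoft\windows\currentversion\policies\system'
DESKTOP = r'control panel\desktop'
EXPECTED_USERINIT = {r'c:\windows\system32\userinit.exe'}   # the only entry a clean host has

def evaluate(ev: RegEvent) -> Optional[Finding]:
    hive, rel = hive_relative(ev.key)
    where = f'{hive}\\{rel}\\{ev.name}'
    if rel == WINLOGON and ev.name == 'userinit':
        entries = [e.strip() for e in ev.value.split(',') if e.strip()]
        extra = [e for e in entries if e.lower() not in EXPECTED_USERINIT]
        if extra:
            return Finding('high', 'T1547.004', f'{where} chains extra binaries at logon: {extra}', ev.process)
    if rel == WINLOGON and ev.name == 'disablecad' and ev.value == '1':
        return Finding('medium', 'T1112', f'{where}=1: Ctrl+Alt+Del no longer required before logon', ev.process)
    if rel == WINLOGON and ev.name == 'autorestartshell' and ev.value == '0':
        return Finding('low', 'T1112', f'{where}=0: Winlogon will not restart the shell if it exits', ev.process)
    if rel == POLICY_SYSTEM and ev.name == 'enablelua' and ev.value == '0':
        return Finding('high', 'T1548.002', f'{where}=0: UAC disabled machine-wide from the next reboot', ev.process)
    if rel == POLICY_SYSTEM and ev.name == 'disableregistrytools' and ev.value == '1':
        return Finding('high', 'T1562.001', f'{where}=1: regedit blocked for this user', ev.process)
    if rel == DESKTOP and ev.name == 'wallpaper':
        return Finding('medium', 'T1491.001', f'{where} replaced with {ev.value}', ev.process)
    return None   # DWM colours, accent palettes and the like stay as context

def triage(lines: List[str]) -> Tuple[List[Finding], int]:
    """Return (findings, number of rows the parser did not handle)."""
    findings, skipped = [], 0
    for line in lines:
        ev = parse_set_value(line)
        if ev is None:
            skipped += 1
            continue
        f = evaluate(ev)
        if f is not None:
            findings.append(f)
    return findings, skipped

if __name__ == '__main__':
    found, skipped = triage(REPORT_EVENTS)
    for f in found:
        print(f'[{f.severity:<6}] {f.technique} {f.detail}')
    print(f'{len(found)} findings, {skipped} rows not parsed')
```

The Userinit rule treats any entry other than userinit.exe as a hijack rather than matching a known bad name, so it also catches a renamed second stage; the EnableLUA finding is worth a reboot note in the ticket because the sandbox run is too short for that change to take effect.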

Processes

C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe

"C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa38c8855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp

Files

memory/872-0-0x0000000000400000-0x00000000005CC000-memory.dmp

memory/872-1-0x00000000005C6000-0x00000000005C7000-memory.dmp

C:\Users\Public\Desktop\ᇲᱵྭႻᆻᩄἤໂ そᖴ᯻⡿ᆅピಝࢤफ़጗␂⡜ΰ

MD5 e49f0a8effa6380b4518a8064f6d240b
SHA1 ba62ffe370e186b7f980922067ac68613521bd51
SHA256 8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13
SHA512 de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

memory/872-178-0x0000000000400000-0x00000000005CC000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-12 16:34

Reported

2024-11-12 16:37

Platform

win7-20240903-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe N/A

Checks installed software on the system

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
PID 2664 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
PID 2664 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
PID 2664 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
PID 2664 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
PID 2664 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
PID 2664 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe

"C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"

C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe

"C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe" -burn.unelevated BurnPipe.{412255D7-8D2F-4752-BD2C-CC273F73EE14} {C41EE643-EA72-4E40-8211-A6813821078E} 2664

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll

MD5 4d20a950a3571d11236482754b4a8e76
SHA1 e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c
SHA256 a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b
SHA512 8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-12 16:34

Reported

2024-11-12 16:37

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe

"C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"

C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe

"C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe" -burn.unelevated BurnPipe.{29AC4AF5-72D9-4A23-8B6D-F98C6AE93375} {394574D8-271A-40F7-90E5-CA47AB229021} 4972

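behavioral3 and behavioral4 detonate the second file in the archive, vc_redist.x86.exe, not the ransomware. What they record is a WiX Burn bundle doing what Burn bundles do: the engine relaunches its own image with "-burn.unelevated BurnPipe.{GUID} {GUID} <pid>" and connects back over that named pipe to the process whose PID is the trailing argument, and it unpacks its bootstrapper application into a .ba1 folder (wixstdba.dll is the WiX Standard Bootstrapper Application, logo.png its logo). The "Suspicious use of WriteProcessMemory" rows in behavioral3 are that launching process writing into the child it has just created; judged by the process relationship rather than in isolation they are expected here. The redistributable is a dependency shipped alongside the sample; confirming that means checking its Authenticode signature and hash against Microsoft's release, which this report does not record. The Python below is an added example, not part of the sandbox output: it parses the relaunch command line and cross-checks it against the write events. The child PID 2708 is taken from the behavioral3 write rows (the Processes list does not label PIDs), and the third process is constructed to show the check failing.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

GUID = r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}'
# Burn relaunch form as it appears in the report:
#   "<bundle>" -burn.unelevated BurnPipe.{GUID} {GUID} <pid of the process it connects back to>
BURN_RELAUNCH = re.compile(
    r'-burn\.(?P<mode>elevated|unelevated)\s+BurnPipe\.(?P<pipe>' + GUID + r')\s+'
    r'(?P<token>' + GUID + r')\s+(?P<peer>\d+)\s*$', re.IGNORECASE)
# Write rows as the report renders them: "PID <src> wrote to memory of <dst>"
WRITE_EVENT = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)')

@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str

BUNDLE = r'C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe'
SAMPLE_PROCS = [
    Proc(2664, BUNDLE, '"' + BUNDLE + '"'),                                   # first process in behavioral3
    Proc(2708, BUNDLE, '"' + BUNDLE + '" -burn.unelevated '                   # PID assumed from the write rows
         'BurnPipe.{412255D7-8D2F-4752-BD2C-CC273F73EE14} {C41EE643-EA72-4E40-8211-A6813821078E} 2664'),
    # Constructed negative case: names 2664 as its peer, but no write event links 2664 to it.
    Proc(3100, BUNDLE, '"' + BUNDLE + '" -burn.elevated '
         'BurnPipe.{00000000-0000-0000-0000-000000000001} {00000000-0000-0000-0000-000000000002} 2664'),
]
SAMPLE_WRITES = ['PID 2664 wrote to memory of 2708'] * 7   # the seven identical rows in behavioral3

def parse_burn_relaunch(cmdline):
    """Return mode, pipe name, token and peer PID of a Burn relaunch, or None for a plain start."""
    m = BURN_RELAUNCH.search(cmdline)
    if m is None:
        return None
    return {'mode': m['mode'].lower(), 'pipe': m['pipe'], 'token': m['token'], 'peer_pid': int(m['peer'])}

def check_burn_tree(procs, write_lines):
    """For every Burn relaunch, confirm the named peer exists, runs the same image,
    and is the only process that wrote into the child."""
    by_pid = {p.pid: p for p in procs}
    writers = defaultdict(set)
    for line in write_lines:
        m = WRITE_EVENT.match(line)
        if m:
            writers[int(m['dst'])].add(int(m['src']))
    verdicts = {}
    for p in procs:
        info = parse_burn_relaunch(p.cmdline)
        if info is None:
            continue
        peer = by_pid.get(info['peer_pid'])
        consistent = (
            peer is not None
            and peer.image.lower() == p.image.lower()   # same bundle image on both ends of the pipe
            and writers.get(p.pid) == {peer.pid}        # only the peer wrote into this child
        )
        verdicts[p.pid] = {**info, 'consistent': consistent}
    return verdicts

if __name__ == '__main__':
    for pid, v in check_burn_tree(SAMPLE_PROCS, SAMPLE_WRITES).items():
        print(pid, v['mode'], 'peer', v['peer_pid'], 'consistent' if v['consistent'] else 'INCONSISTENT')
```

A child that fails this check (a relaunch whose peer is a different image, or which was written to by a process it does not name) is the case worth escalating; a consistent one is the installer talking to itself.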
Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
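The Network tables for behavioral2 and behavioral4 (the Windows 10 runs; the Windows 7 runs recorded no network activity) list only UDP to 8.8.8.8:53, and every name is an in-addr.arpa PTR query, that is, a reverse lookup with the address's four octets written in reverse order. A PTR lookup names an address the host already knows; it says nothing about who the sample connected to, and this report lists no forward lookups and no TCP connections, so these rows are context for the analyst, not C2 indicators, unless a capture shows outbound traffic to the decoded addresses. The Python below is an added example, not part of the sandbox output: it decodes the names from both tables back into addresses, separates the resolver looking itself up from the public ranges, and groups addresses that share a /24. One malformed name is constructed to show the validation path.

```python
import ipaddress
import re
from collections import defaultdict

# PTR names copied from the Domain column of the behavioral2 and behavioral4
# Network tables, duplicates kept as they appear.
REPORT_PTR_QUERIES = [
    '8.8.8.8.in-addr.arpa', '133.211.185.52.in-addr.arpa', '83.210.23.2.in-addr.arpa',
    '95.221.229.192.in-addr.arpa', '17.160.190.20.in-addr.arpa', '168.253.116.51.in-addr.arpa',
    '8.8.8.8.in-addr.arpa', '196.249.167.52.in-addr.arpa', '172.210.232.199.in-addr.arpa',
    '71.159.190.20.in-addr.arpa', '95.221.229.192.in-addr.arpa', '104.219.191.52.in-addr.arpa',
    '50.23.12.20.in-addr.arpa', '206.23.85.13.in-addr.arpa', '107.209.201.84.in-addr.arpa',
    '88.210.23.2.in-addr.arpa', '14.227.111.52.in-addr.arpa',
]
RESOLVER = ipaddress.IPv4Address('8.8.8.8')   # the Destination column in both tables

PTR_RE = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$', re.IGNORECASE)

def ptr_to_ip(name):
    """Undo the octet reversal of an IPv4 PTR name; None if it is not a valid one."""
    m = PTR_RE.match(name.strip())
    if m is None:
        return None
    try:
        return ipaddress.IPv4Address('.'.join(reversed(m.groups())))
    except ipaddress.AddressValueError:   # e.g. an octet above 255
        return None

def summarize(queries, resolver=RESOLVER):
    ips, malformed = set(), []
    for q in queries:
        ip = ptr_to_ip(q)
        if ip is None:
            malformed.append(q)
        else:
            ips.add(ip)
    by_net = defaultdict(list)
    for ip in ips:
        by_net[str(ipaddress.ip_network(f'{ip}/24', strict=False))].append(ip)
    ordered = sorted(ips)
    return {
        'unique_ips': [str(ip) for ip in ordered],
        'resolver_self_lookup': [str(ip) for ip in ordered if ip == resolver],
        'private': [str(ip) for ip in ordered if ip.is_private],
        'public': [str(ip) for ip in ordered if not ip.is_private and ip != resolver],
        'malformed': malformed,
        # addresses in the same /24 are the ones most likely to belong to one service
        'shared_slash24': {net: [str(ip) for ip in sorted(v)] for net, v in by_net.items() if len(v) > 1},
    }

if __name__ == '__main__':
    # '300.1.1.1.in-addr.arpa' is constructed; it is not in the report.
    result = summarize(REPORT_PTR_QUERIES + ['300.1.1.1.in-addr.arpa'])
    for key, value in result.items():
        print(f'{key}: {value}')
```

Whether a decoded public address is Windows background traffic or the sample's doing can only be settled against the packet capture, which is not reproduced here; the decoded list is what you would pivot on in that capture or in proxy and firewall logs.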

Files

C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll

MD5 4d20a950a3571d11236482754b4a8e76
SHA1 e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c
SHA256 a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b
SHA512 8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b