Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
02-01-2025 22:36
General
-
Target
https://github.com/LocalAlloc/NO-ESCAPE
Score
10/10
Malware Config
Extracted
Family
modiloader
C2
https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader First Stage 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/LocalAlloc/NO-ESCAPE1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=5188,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=2604,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=5724,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=5716 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --string-annotations=is-enterprise-managed=no --field-trial-handle=5752,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=5900 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --instant-process --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=6188,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=5612,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=5564 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --field-trial-handle=5284,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=6712 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --field-trial-handle=6932,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=6952 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --field-trial-handle=7112,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=7140 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=7260,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=6716 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=6936,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=6596 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --string-annotations=is-enterprise-managed=no --field-trial-handle=5880,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=5708 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --string-annotations=is-enterprise-managed=no --field-trial-handle=5808,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=4896 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --field-trial-handle=6356,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=6028 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=7456,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=7464 /prefetch:81⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\BonziKill.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --field-trial-handle=6344,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=7412 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=7536,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=6560 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=7660,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=7296 /prefetch:81⤵
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4e8 0x4b41⤵
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --instant-process --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --field-trial-handle=6628,i,17335467816477789966,7023972131130623520,262144 --variations-seed-version --mojo-platform-channel-handle=5772 /prefetch:11⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
4KB
-
Filesize
440KB