Resubmissions

06/01/2025, 23:06

250106-23f23stqgn 10

31/03/2023, 20:16

230331-y2e7lsdb38 10

31/03/2023, 20:11

230331-yyjqmada99 1

Analysis

  • max time kernel
    22s
  • max time network
    26s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/01/2025, 23:06

Errors

Reason
Machine shutdown

General

  • Target

    NoEscape.zip

  • Size

    616KB

  • MD5

    ef4fdf65fc90bfda8d1d2ae6d20aff60

  • SHA1

    9431227836440c78f12bfb2cb3247d59f4d4640b

  • SHA256

    47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8

  • SHA512

    6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9

  • SSDEEP

    12288:1PQuO1JLx2auoA82iqOxdOc7XPkmpOw6mqc5m937hnTMktj1H:1PVqJx2auYqw7dOw6mql3nNBd

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Modifies WinLogon 2 TTPs 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • System policy modification 1 TTPs 5 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NoEscape.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:5032
  • C:\Users\Admin\Desktop\NoEscape.exe
    "C:\Users\Admin\Desktop\NoEscape.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Disables RegEdit via registry modification
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Modifies WinLogon
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • System policy modification
    PID:2152
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3921855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2360

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Desktop\NoEscape.exe

          Filesize

          666KB

          MD5

          989ae3d195203b323aa2b3adf04e9833

          SHA1

          31a45521bc672abcf64e50284ca5d4e6b3687dc8

          SHA256

          d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f

          SHA512

          e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305

        • C:\Users\Public\Desktop\࠙ዀ᧋⨝Ⱶኅẵংۦॢሥ⎆∘߯ഒ೚⿾もᬂ⅂ݝგ᰼⼺ྫྷ

          Filesize

          666B

          MD5

          e49f0a8effa6380b4518a8064f6d240b

          SHA1

          ba62ffe370e186b7f980922067ac68613521bd51

          SHA256

          8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

          SHA512

          de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

        • memory/2152-3-0x0000000000400000-0x00000000005CC000-memory.dmp

          Filesize

          1.8MB

        • memory/2152-5-0x00000000005C6000-0x00000000005C7000-memory.dmp

          Filesize

          4KB

        • memory/2152-182-0x0000000000400000-0x00000000005CC000-memory.dmp

          Filesize

          1.8MB