URL: https://github.com/bill-zhanxg/NoEscape.exe-Download/tree/main/NoEscape.exe

Full analysis: https://app.any.run/tasks/5ba4f1a7-b252-4b78-bb7b-7af505c59220
Verdict: Malicious activity
Analysis date: February 11, 2022, 21:00:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: E91F3FA192567EF5B7FB88847994A248
SHA1: 02B1D9F82766A1641880060F8C1DB94C9E94C6D9
SHA256: DDAE4987DFC8FA45F03A363B64D3662A5DC9D71DCC70117A85A6BAB9CEE88525
SSDEEP: 3:N8tEd3IxLvrKgX2FEE8GQRKe+J:2uCNXX2zTQRK/J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
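Before relying on any indicator in this report, confirm that the file you hold is the file ANY.RUN analysed: a re-uploaded or rebuilt NoEscape.exe will have different digests and different behaviour. The Python below is an added example, not part of the ANY.RUN report or of the NoEscape.exe project. The MD5/SHA1/SHA256 values are copied from the Indicators section above; the function names and the "inconsistent" verdict (some algorithms agree, others do not, which a genuine file can never produce and which therefore points at a corrupted IOC list) are this example's own design. SSDEEP is left out because fuzzy hashing needs the ssdeep library, not hashlib.

```python
import hashlib
from typing import Dict, List, Tuple

# Hash indicators copied from the report's Indicators section.
REPORT_IOCS: Dict[str, str] = {
    "md5": "E91F3FA192567EF5B7FB88847994A248",
    "sha1": "02B1D9F82766A1641880060F8C1DB94C9E94C6D9",
    "sha256": "DDAE4987DFC8FA45F03A363B64D3662A5DC9D71DCC70117A85A6BAB9CEE88525",
}

ALGORITHMS = ("md5", "sha1", "sha256")


def hashes_of(data: bytes) -> Dict[str, str]:
    """Compute the three digests the report lists, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hashes_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same as hashes_of, but streams the file so large samples are not read into memory at once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_sample(digests: Dict[str, str], iocs: Dict[str, str]) -> Tuple[str, List[str]]:
    """Compare computed digests against the report's indicators, case-insensitively.

    Returns ("match", []) when every listed algorithm agrees,
            ("mismatch", [all algorithms]) when none does (a different file), and
            ("inconsistent", [disagreeing algorithms]) when only some agree, which
            cannot happen for a genuine file and means the IOC list itself is corrupted.
    """
    agreeing = [name for name, value in iocs.items()
                if digests.get(name, "").lower() == value.lower()]
    if len(agreeing) == len(iocs):
        return "match", []
    if not agreeing:
        return "mismatch", sorted(iocs)
    return "inconsistent", sorted(set(iocs) - set(agreeing))


if __name__ == "__main__":
    import sys
    # Usage: python verify_sample.py <path-to-candidate-file>
    verdict, problems = verify_sample(hashes_of_file(sys.argv[1]), REPORT_IOCS)
    print(verdict, problems)
```

Run it against the candidate binary; only a "match" verdict means the behaviour listed below applies to the file in hand.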
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • NoEscape.exe (PID: 992)
      • NoEscape.exe (PID: 576)
      • NoEscape.exe (PID: 1932)
      • NoEscape.exe (PID: 2996)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3480)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3480)
      • iexplore.exe (PID: 2868)
    • Checks supported languages

      • NoEscape.exe (PID: 992)
      • NoEscape.exe (PID: 576)
      • NoEscape.exe (PID: 2996)
      • NoEscape.exe (PID: 1932)
    • Reads the computer name

      • NoEscape.exe (PID: 992)
      • NoEscape.exe (PID: 2996)
    • Application launched itself

      • NoEscape.exe (PID: 992)
      • NoEscape.exe (PID: 2996)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 2868)
      • iexplore.exe (PID: 3480)
      • explorer.exe (PID: 2472)
    • Reads the computer name

      • iexplore.exe (PID: 2868)
      • iexplore.exe (PID: 3480)
      • explorer.exe (PID: 2472)
    • Application launched itself

      • iexplore.exe (PID: 2868)
    • Changes internet zones settings

      • iexplore.exe (PID: 2868)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2868)
      • iexplore.exe (PID: 3480)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2868)
      • iexplore.exe (PID: 3480)
    • Creates files in the user directory

      • iexplore.exe (PID: 3480)
      • iexplore.exe (PID: 2868)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3480)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2868)
    • Reads the date of Windows installation

      • iexplore.exe (PID: 2868)
    • Manual execution by user

      • explorer.exe (PID: 2472)
      • NoEscape.exe (PID: 2996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
All screenshots are available in the full report
Total processes: 49
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 1


Process information

PID 576
CMD: "C:\Users\admin\Downloads\NoEscape.exe"
Path: C:\Users\admin\Downloads\NoEscape.exe
Parent process: NoEscape.exe
User: admin
Company: Endermanch
Integrity Level: HIGH
Description: Windows Customization Tool
Exit code: 0
Version: 6.6.6.6

PID 992
CMD: "C:\Users\admin\Downloads\NoEscape.exe"
Path: C:\Users\admin\Downloads\NoEscape.exe
Parent process: iexplore.exe
User: admin
Company: Endermanch
Integrity Level: MEDIUM
Description: Windows Customization Tool
Exit code: 0
Version: 6.6.6.6

PID 1932
CMD: "C:\Users\admin\Downloads\NoEscape.exe"
Path: C:\Users\admin\Downloads\NoEscape.exe
Parent process: NoEscape.exe
User: admin
Company: Endermanch
Integrity Level: HIGH
Description: Windows Customization Tool
Exit code: 0
Version: 6.6.6.6

PID 2472
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2868
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://github.com/bill-zhanxg/NoEscape.exe-Download/tree/main/NoEscape.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 2996
CMD: "C:\Users\admin\Downloads\NoEscape.exe"
Path: C:\Users\admin\Downloads\NoEscape.exe
Parent process: Explorer.EXE
User: admin
Company: Endermanch
Integrity Level: MEDIUM
Description: Windows Customization Tool
Exit code: 0
Version: 6.6.6.6

PID 3480
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2868 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 2
Suspicious files: 18
Text files: 29
Unknown types: 11

Dropped files

PID 2868 iexplore.exe  Type: der
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
  MD5: 0A6F5136E421C463308746D00E2908E0
  SHA256: 6B73EAA3350D56553DE3836CD3F56310A1FE1FD2599CC43C35CBEEAC6027B898
PID 3480 iexplore.exe  Type: html
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\NoEscape[1].htm
  MD5: FD1390D94C9B6B215A23955A3099F0DF
  SHA256: 3EFD306A8B501091AD36ACAEAF293EE78416DC8DE4B6AB8B8F44B3E469622584
PID 3480 iexplore.exe  Type: binary
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
  MD5: 1531A9DB8B2DEA97A76C171BE39F5450
  SHA256: 09DF481741F09C7E60BCCB8A53BBDE1405BFA6624329E48DF3E69470397F17FF
PID 3480 iexplore.exe  Type: binary
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
  MD5: E2579848AE483CBD25D5E8004107566B
  SHA256: EB8148CC107B7279343862816311C2070907549F0F53679F41786E203395F472
PID 3480 iexplore.exe  Type: der
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
  MD5: 6C1B47126E664855DABB1040CC677533
  SHA256: 3DC98B52DF54FEAE79B724711DC9F3CDEE16103C91B55CDA08AD3C27E80939B9
PID 3480 iexplore.exe  Type: text
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\dark-52b02edb7f9eca7716bda405c2c2db81[1].css
  MD5: ED4527214FBB5DE2B5CEE044E34554C0
  SHA256: 5C0ADFAA4D1F3F2A222894B111A5A2AD2E85191C94EAC6BAE1316D43A90B28C3
PID 3480 iexplore.exe  Type: text
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\tab-size-fix-b275b4161e5525c5861796d4f6ed56e9[1].css
  MD5: 7C31E3ADAD638BC1CE5DADBE496B6EE0
  SHA256: F2C15E9BF743F53F2872A61BDBE820F2BD8F5971D85A6D3848E3B909A6CFEA7A
PID 3480 iexplore.exe  Type: text
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\light-764b98156fab6bcc984addf8d9ee6924[1].css
  MD5: 5AEA45CDC1C70BB203DF458BAECB4F45
  SHA256: 6F2CDD415F1D8FE4F9ED028A39CD920D5B86B7C9CEBB6AE76B70874179712348
PID 3480 iexplore.exe  Type: binary
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
  MD5: 6CF039E28C987CBED7BDC7A93E1B3EB1
  SHA256: 4705F51100325180AE6493D4F46C52DE6F040FBEE7EA95E3DFCB8C1C78C21D65
PID 3480 iexplore.exe  Type: der
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
  MD5: 0D03EADD612C920A201A71C57C1F0032
  SHA256: FF93B51BD0872471621F45992DF6D39ADCBF563AF4DEA46BA8C58744C1DE8969
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 27
DNS requests: 16
Threats: 0

HTTP requests

PID 3480 iexplore.exe  GET 200  93.184.220.29:80  CN: US  Type: der  Size: 471 b  Reputation: whitelisted
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
PID 3480 iexplore.exe  GET 200  93.184.220.29:80  CN: US  Type: der  Size: 471 b  Reputation: whitelisted
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
PID 2868 iexplore.exe  GET 200  8.241.9.254:80  CN: US  Type: compressed  Size: 4.70 Kb  Reputation: whitelisted
  URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a55319b5e67b1851
PID 2868 iexplore.exe  GET 200  93.184.220.29:80  CN: US  Type: der  Size: 471 b  Reputation: whitelisted
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
PID 2868 iexplore.exe  GET 200  8.241.9.254:80  CN: US  Type: compressed  Size: 4.70 Kb  Reputation: whitelisted
  URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4a254c5d343e8325
PID 3480 iexplore.exe  GET 200  93.184.220.29:80  CN: US  Type: der  Size: 471 b  Reputation: whitelisted
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAZnA1u7FP1jr8DWqFNO%2FhY%3D
PID 2868 iexplore.exe  GET 200  93.184.220.29:80  CN: US  Type: der  Size: 1.47 Kb  Reputation: whitelisted
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
PID 3480 iexplore.exe  GET 200  93.184.220.29:80  CN: US  Type: der  Size: 279 b  Reputation: whitelisted
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTGMlruL6P9M9B3if1rTM7wyj%2FQKQQUUGGmoNI1xBEqII0fD6xC8M0pz0sCEA6L83cNktGW8Lth%2BTxBZr4%3D
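All eight HTTP requests come from Internet Explorer, not from NoEscape.exe: two fetch the disallowed-certificate trust list (disallowedcertstl.cab) from ctldl.windowsupdate.com, and the other six are OCSP GET lookups against ocsp.digicert.com. Per RFC 6960 Appendix A, the path of an OCSP GET is the URL-encoded base64 of a DER OCSPRequest, so an opaque-looking path can be decoded offline to see which certificate was being checked instead of being mistaken for a beacon. The Python below is an added example, not part of the ANY.RUN report; the URLs are copied from the table above, the minimal DER reader and the function names are this example's own, and it reads only the first Request in each OCSPRequest.

```python
import base64
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit

# OCSP GET URLs copied from the report's HTTP requests table, in table order.
OCSP_URLS: List[str] = [
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAZnA1u7FP1jr8DWqFNO%2FhY%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTGMlruL6P9M9B3if1rTM7wyj%2FQKQQUUGGmoNI1xBEqII0fD6xC8M0pz0sCEA6L83cNktGW8Lth%2BTxBZr4%3D",
]

# hashAlgorithm OIDs seen in CertID in practice.
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Read one DER tag-length-value at pos; returns (tag, value_start, value_end).
    value_end is also the offset of the next TLV. Handles short and long-form lengths."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    start = pos + hdr
    return tag, start, start + length


def _oid(raw: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER value (base-128 arcs) into dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get_url(url: str) -> Dict[str, str]:
    """Walk OCSPRequest > tbsRequest > requestList > Request > CertID and return
    hashAlgorithm, issuerNameHash, issuerKeyHash and serialNumber (hex)."""
    der = base64.b64decode(unquote(urlsplit(url).path)[1:])   # drop the leading "/"
    _, pos, _ = _tlv(der, 0)                 # OCSPRequest SEQUENCE
    _, pos, _ = _tlv(der, pos)               # tbsRequest SEQUENCE
    while der[pos] != 0x30:                  # skip optional [0] version / [1] requestorName
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)               # requestList SEQUENCE OF Request
    _, pos, _ = _tlv(der, pos)               # first Request
    _, pos, _ = _tlv(der, pos)               # CertID
    tag, alg_start, pos = _tlv(der, pos)     # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("CertID does not start with AlgorithmIdentifier")
    _, oid_start, oid_end = _tlv(der, alg_start)
    oid = _oid(der[oid_start:oid_end])
    fields = {"hash_alg": HASH_OIDS.get(oid, oid)}
    for name, expect in (("issuer_name_hash", 0x04), ("issuer_key_hash", 0x04), ("serial", 0x02)):
        tag, start, pos = _tlv(der, pos)
        if tag != expect:
            raise ValueError(f"unexpected tag 0x{tag:02x} for {name}")
        fields[name] = der[start:pos].hex()
    return fields


def group_by_issuer(urls: List[str]) -> Dict[str, List[str]]:
    """Map issuerKeyHash -> serial numbers queried, so the analyst can see how many
    CAs the browser consulted and how many distinct certificates were checked."""
    groups: Dict[str, List[str]] = {}
    for u in urls:
        r = decode_ocsp_get_url(u)
        groups.setdefault(r["issuer_key_hash"], []).append(r["serial"])
    return groups


if __name__ == "__main__":
    for issuer, serials in group_by_issuer(OCSP_URLS).items():
        print(f"issuerKeyHash {issuer}: serials {serials}")
```

On this report the six requests decode to SHA-1 CertIDs for four distinct issuer keys, two of which were queried for two serial numbers each; matching the issuer hashes and serials against the certificate chain captured in the PCAP ties every request to a site IE rendered during the session.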

Connections

PID 2868 iexplore.exe  13.107.21.200:443  www.bing.com  ASN: Microsoft Corporation  CN: US  Reputation: whitelisted
PID 3480 iexplore.exe  140.82.121.4:443  github.com  CN: US  Reputation: malicious
PID 2868 iexplore.exe  8.241.9.254:80  ctldl.windowsupdate.com  ASN: Level 3 Communications, Inc.  CN: US  Reputation: suspicious
PID 2868 iexplore.exe  93.184.220.29:80  ocsp.digicert.com  ASN: MCI Communications Services, Inc. d/b/a Verizon Business  CN: US  Reputation: whitelisted
PID 3480 iexplore.exe  93.184.220.29:80  ocsp.digicert.com  ASN: MCI Communications Services, Inc. d/b/a Verizon Business  CN: US  Reputation: whitelisted
PID 3480 iexplore.exe  185.199.108.154:443  github.githubassets.com  ASN: GitHub, Inc.  CN: NL  Reputation: suspicious
PID 2868 iexplore.exe  185.199.108.154:443  github.githubassets.com  ASN: GitHub, Inc.  CN: NL  Reputation: suspicious
PID 3480 iexplore.exe  185.199.110.133:443  avatars.githubusercontent.com  ASN: GitHub, Inc.  CN: NL  Reputation: malicious
PID 2868 iexplore.exe  152.199.19.161:443  iecvlist.microsoft.com  ASN: MCI Communications Services, Inc. d/b/a Verizon Business  CN: US  Reputation: whitelisted
PID 3480 iexplore.exe  185.199.108.133:443  avatars.githubusercontent.com  ASN: GitHub, Inc.  CN: NL  Reputation: malicious

DNS requests

github.com: 140.82.121.4 (malicious)
api.bing.com: 13.107.5.80 (whitelisted)
www.bing.com: 13.107.21.200, 204.79.197.200 (whitelisted)
ctldl.windowsupdate.com: 8.241.9.254, 8.248.145.254, 67.27.157.126, 8.248.135.254, 8.248.149.254 (whitelisted)
ocsp.digicert.com: 93.184.220.29 (whitelisted)
github.githubassets.com: 185.199.108.154, 185.199.109.154, 185.199.110.154, 185.199.111.154 (whitelisted)
avatars.githubusercontent.com: 185.199.110.133, 185.199.111.133, 185.199.108.133, 185.199.109.133 (whitelisted)
github-cloud.s3.amazonaws.com: 52.217.79.124, 52.217.37.100 (shared)
user-images.githubusercontent.com: 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133 (whitelisted)
iecvlist.microsoft.com: 152.199.19.161 (whitelisted)

Threats: No threats detected
Debug info: none