Analysis
  max time kernel: 31s
  platform: windows11-21h2_x64
  resource: win11-20240709-en
  resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 19/07/2024, 20:34
Static task
  static1

Behavioral tasks
  behavioral1: sample AIO [EXTRACT]/noclip.dll, resource win10v2004-20240709-en
  behavioral2: sample AIO [EXTRACT]/noclip.dll, resource win11-20240709-en
  behavioral3: sample AIO [EXTRACT]/noclip.exe, resource win10v2004-20240709-en
  behavioral4: sample AIO [EXTRACT]/noclip.exe, resource win11-20240709-en
General
  Target: AIO [EXTRACT]/noclip.exe
  Size: 556KB
  MD5: e84e4da0f16e40521247870311efd7ac
  SHA1: 30683171aae1e7dd7288e3b1ad7ef1fbde632365
  SHA256: fa4da01ef3e3d6eca87a36ba135e9b2084461a68e975895bc57050f6ab472def
  SHA512: 0b763636a40bf7bb09521859db1b78ea205bc17a6fe685851a1dce8d3f64a101267c56f706742a7c2dab0e61709924126793853ffa3f84bb706145e6817dbb2b
  SSDEEP: 12288:VRSNhZBlfA8/C8sSoC+PZE9O2bJIC0fDNNr:VsfA8K8J+O93l0fZF
Malware Config
Signatures

Sets service image path in registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NalDrv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\AIO [EXTRACT]\\NalDrv.sys"
  process: o1NFL.exe

Executes dropped EXE (1 IoC)
  pid: 3216
  process: o1NFL.exe

Drops file in Windows directory (2 IoCs)
  description: File created
  ioc: C:\Windows\SoftwareDistribution\Download\o1NFL.sys
  process: noclip.exe

  description: File created
  ioc: C:\Windows\SoftwareDistribution\Download\o1NFL.exe
  process: noclip.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 2376
  process: noclip.exe
  (all 64 entries are identical)

Suspicious behavior: LoadsDriver (1 IoC)
  pid: 3216
  process: o1NFL.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeSystemEnvironmentPrivilege, pid 3216, process o1NFL.exe
  Token: SeDebugPrivilege, pid 3216, process o1NFL.exe
  Token: SeLoadDriverPrivilege, pid 3216, process o1NFL.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  description: PID 2376 wrote to memory of 3216, pid 2376, process noclip.exe, procid_target 83
  description: PID 2376 wrote to memory of 3216, pid 2376, process noclip.exe, procid_target 83
Processes

1. C:\Users\Admin\AppData\Local\Temp\AIO [EXTRACT]\noclip.exe (PID 2376)
   Command line: "C:\Users\Admin\AppData\Local\Temp\AIO [EXTRACT]\noclip.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SoftwareDistribution\Download\o1NFL.exe (PID 3216, child of PID 2376)
      Command line: "C:\Windows\SoftwareDistribution\Download\o1NFL.exe" -map C:\Windows\SoftwareDistribution\Download\o1NFL.sys
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 260KB
  MD5: 083c6c05ac5875d0b6e997e894ca07bc
  SHA1: 69d0116998e8a70db5852fccb86d45975ce88a9a
  SHA256: 03aefd40698cafbd48138784f362fb9a36f726fb50f262ca40695729f7b553ca
  SHA512: fb0b9994f9ddadd825476ed19a8299ef90536dae58b4f3087145ca4033a63d4ae0da944ac8bf4e71324e1b63af755ab1d82019e55de6377b00c9812ed57f3fdf