Analysis

max time kernel: 151s
max time network: 30s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 02/08/2024, 16:20
Static task
static1

Behavioral tasks
Task          Sample                                           Resource
behavioral1   AIO [EXTRACT]/noclip.dll                         win7-20240704-en
behavioral2   AIO [EXTRACT]/noclip.dll                         win10v2004-20240802-en
behavioral3   AIO [EXTRACT]/noclip.exe                         win7-20240704-en
behavioral4   AIO [EXTRACT]/noclip.exe                         win10v2004-20240802-en
behavioral5   Script (3.2a)/Shortcut (scripts location).lnk    win7-20240705-en
behavioral6   Script (3.2a)/Shortcut (scripts location).lnk    win10v2004-20240802-en
behavioral7   Script (3.2a)/scripts/script.gscbin              win7-20240708-en
behavioral8   Script (3.2a)/scripts/script.gscbin              win10v2004-20240802-en
behavioral9   To game folder/ModernWarfare.exe                 win7-20240708-en
behavioral10  To game folder/ModernWarfare.exe                 win10v2004-20240802-en
behavioral11  To game folder/bootstrap.data.bin                win7-20240708-en
behavioral12  To game folder/bootstrap.data.bin                win10v2004-20240802-en
behavioral13  To game folder/installscript_2000950.vdf         win7-20240729-en
behavioral14  To game folder/installscript_2000950.vdf         win10v2004-20240802-en
General

Target: AIO [EXTRACT]/noclip.exe
Size: 556KB
MD5: e84e4da0f16e40521247870311efd7ac
SHA1: 30683171aae1e7dd7288e3b1ad7ef1fbde632365
SHA256: fa4da01ef3e3d6eca87a36ba135e9b2084461a68e975895bc57050f6ab472def
SHA512: 0b763636a40bf7bb09521859db1b78ea205bc17a6fe685851a1dce8d3f64a101267c56f706742a7c2dab0e61709924126793853ffa3f84bb706145e6817dbb2b
SSDEEP: 12288:VRSNhZBlfA8/C8sSoC+PZE9O2bJIC0fDNNr:VsfA8K8J+O93l0fZF
Malware Config
Signatures

Sets service image path in registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NalDrv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\AIO [EXTRACT]\\NalDrv.sys"
  process: qA7dO.exe

Executes dropped EXE (1 IoC)
  pid 2348  qA7dO.exe

Loads dropped DLL (1 IoC)
  pid 3052  noclip.exe

Drops file in Windows directory (2 IoCs)
  File created  C:\Windows\SoftwareDistribution\Download\qA7dO.sys  noclip.exe
  File created  C:\Windows\SoftwareDistribution\Download\qA7dO.exe  noclip.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3052  noclip.exe  (64 identical entries)

Suspicious behavior: LoadsDriver (1 IoC)
  pid 2348  qA7dO.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeSystemEnvironmentPrivilege  pid 2348  qA7dO.exe
  Token: SeDebugPrivilege              pid 2348  qA7dO.exe
  Token: SeLoadDriverPrivilege         pid 2348  qA7dO.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3052 wrote to memory of 2348  pid 3052  noclip.exe  procid_target 30  (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\AIO [EXTRACT]\noclip.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AIO [EXTRACT]\noclip.exe"
  PID: 3052
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SoftwareDistribution\Download\qA7dO.exe (child of PID 3052)
    Command line: "C:\Windows\SoftwareDistribution\Download\qA7dO.exe" -map C:\Windows\SoftwareDistribution\Download\qA7dO.sys
    PID: 2348
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 260KB
MD5: 083c6c05ac5875d0b6e997e894ca07bc
SHA1: 69d0116998e8a70db5852fccb86d45975ce88a9a
SHA256: 03aefd40698cafbd48138784f362fb9a36f726fb50f262ca40695729f7b553ca
SHA512: fb0b9994f9ddadd825476ed19a8299ef90536dae58b4f3087145ca4033a63d4ae0da944ac8bf4e71324e1b63af755ab1d82019e55de6377b00c9812ed57f3fdf