Analysis
max time kernel: 150s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/08/2024, 16:20
Static task: static1

Behavioral tasks (this page is the report for behavioral4: noclip.exe on win10v2004-20240802-en, matching the Target and resource below):

Task          Sample                                          Resource
behavioral1   AIO [EXTRACT]/noclip.dll                        win7-20240704-en
behavioral2   AIO [EXTRACT]/noclip.dll                        win10v2004-20240802-en
behavioral3   AIO [EXTRACT]/noclip.exe                        win7-20240704-en
behavioral4   AIO [EXTRACT]/noclip.exe                        win10v2004-20240802-en
behavioral5   Script (3.2a)/Shortcut (scripts location).lnk   win7-20240705-en
behavioral6   Script (3.2a)/Shortcut (scripts location).lnk   win10v2004-20240802-en
behavioral7   Script (3.2a)/scripts/script.gscbin             win7-20240708-en
behavioral8   Script (3.2a)/scripts/script.gscbin             win10v2004-20240802-en
behavioral9   To game folder/ModernWarfare.exe                win7-20240708-en
behavioral10  To game folder/ModernWarfare.exe                win10v2004-20240802-en
behavioral11  To game folder/bootstrap.data.bin               win7-20240708-en
behavioral12  To game folder/bootstrap.data.bin               win10v2004-20240802-en
behavioral13  To game folder/installscript_2000950.vdf        win7-20240729-en
behavioral14  To game folder/installscript_2000950.vdf        win10v2004-20240802-en
General

Target: AIO [EXTRACT]/noclip.exe
Size: 556KB
MD5: e84e4da0f16e40521247870311efd7ac
SHA1: 30683171aae1e7dd7288e3b1ad7ef1fbde632365
SHA256: fa4da01ef3e3d6eca87a36ba135e9b2084461a68e975895bc57050f6ab472def
SHA512: 0b763636a40bf7bb09521859db1b78ea205bc17a6fe685851a1dce8d3f64a101267c56f706742a7c2dab0e61709924126793853ffa3f84bb706145e6817dbb2b
SSDEEP: 12288:VRSNhZBlfA8/C8sSoC+PZE9O2bJIC0fDNNr:VsfA8K8J+O93l0fZF
Malware Config
Signatures

Sets service image path in registry (2 TTPs, 1 IoC)
  Process: ghph6.exe
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NalDrv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\AIO [EXTRACT]\\NalDrv.sys"

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Process: noclip.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
  PID 4420  ghph6.exe

Drops file in Windows directory (2 IoCs)
  Process: noclip.exe
  File created: C:\Windows\SoftwareDistribution\Download\ghph6.sys
  File created: C:\Windows\SoftwareDistribution\Download\ghph6.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 748  noclip.exe  (64 occurrences)

Suspicious behavior: LoadsDriver (1 IoC)
  PID 4420  ghph6.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  PID 4420  ghph6.exe  Token: SeSystemEnvironmentPrivilege
  PID 4420  ghph6.exe  Token: SeDebugPrivilege
  PID 4420  ghph6.exe  Token: SeLoadDriverPrivilege

Suspicious use of WriteProcessMemory (2 IoCs)
  PID 748 (noclip.exe) wrote to memory of PID 4420 (procid_target 86)
  PID 748 (noclip.exe) wrote to memory of PID 4420 (procid_target 86)
Processes

C:\Users\Admin\AppData\Local\Temp\AIO [EXTRACT]\noclip.exe  (PID 748)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AIO [EXTRACT]\noclip.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SoftwareDistribution\Download\ghph6.exe  (PID 4420)
       Command line: "C:\Windows\SoftwareDistribution\Download\ghph6.exe" -map C:\Windows\SoftwareDistribution\Download\ghph6.sys
       - Sets service image path in registry
       - Executes dropped EXE
       - Suspicious behavior: LoadsDriver
       - Suspicious use of AdjustPrivilegeToken

Read together, the signatures describe one chain: noclip.exe (PID 748) drops ghph6.exe and ghph6.sys into C:\Windows\SoftwareDistribution\Download, starts ghph6.exe with "-map <path to ghph6.sys>" and writes into its memory; ghph6.exe (PID 4420) then enables SeDebugPrivilege, SeSystemEnvironmentPrivilege and SeLoadDriverPrivilege, registers a kernel service named NalDrv whose ImagePath points at NalDrv.sys inside the user's extracted Temp directory rather than under System32\drivers, and is the process flagged by LoadsDriver. For detection, the two durable artefacts are a Services\<name>\ImagePath value pointing into a user-writable path and a non-installer process enabling SeLoadDriverPrivilege; the file names (ghph6.*) and the staging directory are cheap to change. The report does not identify which driver image was actually loaded, so treat both ghph6.sys and NalDrv.sys as candidates when hunting.
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 260KB
MD5: 083c6c05ac5875d0b6e997e894ca07bc
SHA1: 69d0116998e8a70db5852fccb86d45975ce88a9a
SHA256: 03aefd40698cafbd48138784f362fb9a36f726fb50f262ca40695729f7b553ca
SHA512: fb0b9994f9ddadd825476ed19a8299ef90536dae58b4f3087145ca4033a63d4ae0da944ac8bf4e71324e1b63af755ab1d82019e55de6377b00c9812ed57f3fdf