{"description": "Enterprise techniques used by NOOPLDR, ATT&CK software S9025 (v1.0)", "name": "NOOPLDR (S9025)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1140", "comment": "[NOOPLDR](https://attack.mitre.org/software/S9025) can decrypt its payload prior to execution.(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "comment": "[NOOPLDR](https://attack.mitre.org/software/S9025) can hide services used to aid execution.(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[NOOPLDR](https://attack.mitre.org/software/S9025) can be executed via sideloading.(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[NOOPLDR](https://attack.mitre.org/software/S9025) can delete a file containing configuration instructions after use.(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[NOOPLDR](https://attack.mitre.org/software/S9025) can store its payload in the Registry using a random hex string in `HKCU\\SOFTWARE\\Microsoft\\COM3`.(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[NOOPLDR](https://attack.mitre.org/software/S9025) can use native APIs `NtProtectVirtualMemory`, `NtWriteVirtualMemory`, and `NtCreateThreadEx` to aid process injection.(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": 
"[NOOPLDR](https://attack.mitre.org/software/S9025) can use control flow flattening to help hide malicious code.(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "The [NOOPLDR](https://attack.mitre.org/software/S9025) payload is encrypted with AES256-CBC.(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.016", "comment": "[NOOPLDR](https://attack.mitre.org/software/S9025) can insert junk code to obfuscate malicious payloads.(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "comment": "[NOOPLDR](https://attack.mitre.org/software/S9025) can inject decrypted payloads into processes including wuauclt.exe, rdrleakdiag.exe, and tabcal.exe.(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[NOOPLDR](https://attack.mitre.org/software/S9025) can discover the device ID and hostname from the targeted machine to use for encryption keys.(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by NOOPLDR", "color": "#66b1ff"}]}