Overview

overview

7

Static

static

3

nice.exe

windows7-x64

6

nice.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20230705-en
  • resource tags

    arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
  • submitted
    06/07/2023, 21:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    nice.exe

  • Size

    12KB

  • MD5

    e1ab7e9de0652813a3d1c4500a72c561

  • SHA1

    a5fd98050674055d2e5588f3a088f2ad467333a5

  • SHA256

    46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4

  • SHA512

    da7fe2cf303ee72a622b6c51078f67119bca590586bb1f298335b3a3820e00ad43918ad5da97ead1eb0cbbd02854e6584e8408d3f6d23898073909171dc150e1

  • SSDEEP

    192:HMDLTxWDf/pd3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 47 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nice.exe
    "C:\Users\Admin\AppData\Local\Temp\nice.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Users\Admin\AppData\Local\Temp\nice.exe
      "C:\Users\Admin\AppData\Local\Temp\nice.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2176
    • C:\Users\Admin\AppData\Local\Temp\nice.exe
      "C:\Users\Admin\AppData\Local\Temp\nice.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2332
    • C:\Users\Admin\AppData\Local\Temp\nice.exe
      "C:\Users\Admin\AppData\Local\Temp\nice.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2264
    • C:\Users\Admin\AppData\Local\Temp\nice.exe
      "C:\Users\Admin\AppData\Local\Temp\nice.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2296
    • C:\Users\Admin\AppData\Local\Temp\nice.exe
      "C:\Users\Admin\AppData\Local\Temp\nice.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2644
    • C:\Users\Admin\AppData\Local\Temp\nice.exe
      "C:\Users\Admin\AppData\Local\Temp\nice.exe" /main
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe" \note.txt
        3⤵
          PID:2904
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+2+buy+weed
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2196
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2112
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x5c8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3060

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b1bba48aed7f1249726d86a26367a914

      SHA1

      dc585a80537d340fd3766ce4c34fa5866f30a19f

      SHA256

      c96e944ad9cea2b6aa546d3d870a6c436c99b5f631352de926c3da73f4162b32

      SHA512

      2aaae8d5a3b94ff580283367fd1999c9162bb0fe0f6ae2585b5d17ad426324ee92a037aba1fa9af2456d851b068b00874feb784e134830b41e4daed5d1cf535b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      80f948512296bace18681dc7b64392c5

      SHA1

      bb041e51d02b3fff6dbeeda9aca3332f227ad0f1

      SHA256

      d739a2f616ba98c30f0886c9829293b7a329dd065cde0ad6ee8c6b93943e3f90

      SHA512

      c099ee879f5359c5630db2c5af8936eaa8eb763b7a1e59f32e03eb553585fe27ef1ba793e64ee67fa2b4642f6406c8417d8798dbe0fd3d5ac8907b2eb9d2b8d9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      3fff3bd5b5b99054a5d946134134dc92

      SHA1

      ac77acb12f90521fd435d6dc48a297c83ece914b

      SHA256

      ac60a4b9446940229bdeb6687be82bfc5347da2219a4bb9d311cdf041b4314ee

      SHA512

      8d91cf8dd0bfee6714469f3e71ac60a435effacc1c4dd74abf27f463b4683f81c7bb543efe2ca2c6a6291c5e2548476135a64acc7a7e42d93f8a6e76d546da68

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      7c768817da3b936495a238bbc5dcfbe0

      SHA1

      430060ed182fa372cba4088c66266cd3c0cec462

      SHA256

      2363c7ebdcff6ec04a96fe52a3f620f437a8b4819cd635fa8d41ade51d3011f0

      SHA512

      25c98db0317cb6fcca301f8d2d9da60e9d7d22ea2fc6c9827cd2e32cf43356dbf70796c9b907d033812ec79c926177b2f2f496c9d16228bceb9dcfd11a6aa765

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      85fdceb0b4b6ded17b208bfe5b374841

      SHA1

      1983fe77ac789059594bb3945ed6793686a2ba79

      SHA256

      77c209a75a244df0407d2e87cd64c68de240b81f755280d93be9423236190a89

      SHA512

      2ba295db89f02144be9465ddf0389f1642e2bc75afc1944f375475514e6842850d25599d57fc6a62c42f5a36427a1b7c1426809ec50767634d2b25e5be3c959d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      74014775120985c65fc30fb38a652e8c

      SHA1

      bc6bb9d1fb5bfa0ddc6711488daa5123d3da4888

      SHA256

      ffe58f611973554323c4ac1c09be7d2f167b5e23f5065319c0bd8c3058291e1a

      SHA512

      49e51b897919308971f56a848ea299f78823f71259a49f26e12062660fb52f7aa486ccc866d4eae504b304efad99d80b32a707d0d8d924ff9f8a747b2b1a67ca

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      c25852b6b8ee67aae2048564debc2570

      SHA1

      e6b7936e24bfc081271fc6b25b832e10f4d3f2fd

      SHA256

      06eb280ddc2c4207d1daf5b313ba5c7aa6753a17d2e5507005b7d2802c83ff21

      SHA512

      a2e944c42a60a074ae77468b0509707c697af69c5ba61c68e46c54a1e11cbaedc4ad15194939cccee2024dcfbf3767cb4f9e08335f30386b2eba0c82b2d9cf9d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b72c32df3faef98738c0aead2ceb1ed2

      SHA1

      8941c7bebf571a48dc12aab756e07ddbf613129e

      SHA256

      5fc57980c830bf9c68fcc76c1a355795a2db8e47c8ae5f614043c4798866e268

      SHA512

      44b003896406d1ac2d06547a11f3533fbe2bad90db024bcc5b43014c685a5d66b28235bf1ea33fe1d0505bca49f4becce0a8c3baa26af9eeb1fd732d05294c5a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      85c9dc6f9442671fb18612ae706763bb

      SHA1

      40d92ccfd36daa04d1f33c6e505c6dde6dada4f1

      SHA256

      82bbdefcb46bdad8ea31f18c70a232275dd5170fa09674a878414a4a24e88fbd

      SHA512

      a46f0c56aa85a492f47e67668599f20b57f597f2f9002d55e51b661a3f958356580cdc26f64cdab31d6e46c8f1c84d1364b0f69acdbcbcc4cb37addfa4364e09

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      04ebb40fb1408e145485a385a983df96

      SHA1

      1c0c5dcbc93f5f85efe4679336e5a9b3dd5bacdc

      SHA256

      3becae413422d23947455ad18707eb874b32b95d8895009014478619a6ff1826

      SHA512

      c6932f8ad7be1ec3109ba6bee9fc754cc70502a6108d056c90687e31f007513b5bc30d6d9923d8e9ac2bae91cdd350c3b86e27b18f2bfe179a911011b44caca7

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\ODMKYLLU\www.google[1].xml
      Filesize

      99B

      MD5

      e7aa3d330b5f1b982fd0e44ab178105d

      SHA1

      5da6c4d1b8570d5539bca6735e1cd7ab9ad37036

      SHA256

      6f99689e304d24210392209e4e6653ae8ebd6abf8e73768849d8f65702b64013

      SHA512

      4da98fc46a4391c1e0e7ceba3f3b9a2ddbf73681b0d45d8060dd4207c2bceccaa8d28584dc4c3c793b1f0929857f3c77c40decb015979a1cb1a13a31c8ad7693

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\8288kg9\imagestore.dat
      Filesize

      9KB

      MD5

      df8f44b2f53ef7a31391f00194520c89

      SHA1

      da879f810be3c26043b6fe621ef005e5a37e125b

      SHA256

      03d535806a47feb7006bbc994cfc7134fd182f65e57a79182ba917e0e61adb6e

      SHA512

      2a360d7a3adab34d5dfad9eae1e7344a17f67cbf7adc8aa5090c0b9dd3b10aa88afeeb44884356afe01c08c1a97ac211fa3d3f4f98e73846d45e6ca9921b52b7

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5I9HDCK2\recaptcha__en[1].js
      Filesize

      427KB

      MD5

      0412c030048db82d958eadbb899b0b6f

      SHA1

      e824e0fc5680eefe1141418a61b63dfb6bfa1f8a

      SHA256

      237f4a5b7b8e81b7ad01c54cbb6205368aa9d55e1d6fd1ef38454facdc01353c

      SHA512

      52b7db6b9b10ffc74810518205bcc7cd317b9634ae8a5a7d8670832fed1a6e26cce783402e8aee0024c09c2f7f44da83d74e6ff2382516b35dd1a884a6d5289f

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ANFZKI5S\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DYZM3CCC\styles__ltr[1].css
      Filesize

      55KB

      MD5

      83f90c5a4c20afb44429fa346fbadc10

      SHA1

      7c278ec721d3880fbafaadeba9ee80bdf294b014

      SHA256

      952833e41ba7a4b64c31a2d7b07dde81bf5bbacf5cbb967821cfe459d0c4a0d8

      SHA512

      4f0d19678a6758e67cb82652d49ee92a3646c3b4b68b93253c3e468e88506bb8ad78942d7be244b390bdd29a0d00026ad561c040c1b557067edc7887fe7119ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SFHTI546\favicon[2].ico
      Filesize

      5KB

      MD5

      f3418a443e7d841097c714d69ec4bcb8

      SHA1

      49263695f6b0cdd72f45cf1b775e660fdc36c606

      SHA256

      6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

      SHA512

      82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab16AF.tmp
      Filesize

      62KB

      MD5

      3ac860860707baaf32469fa7cc7c0192

      SHA1

      c33c2acdaba0e6fa41fd2f00f186804722477639

      SHA256

      d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

      SHA512

      d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar16C1.tmp
      Filesize

      164KB

      MD5

      4ff65ad929cd9a367680e0e5b1c08166

      SHA1

      c0af0d4396bd1f15c45f39d3b849ba444233b3a2

      SHA256

      c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

      SHA512

      f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VDDHXA3V.txt
      Filesize

      601B

      MD5

      45234bf97ec55468d9f898660aced273

      SHA1

      e7c11c48f5182743679b447b0e7aed62f0027751

      SHA256

      abd9be1b2069a52fc5231f691112f18c8bb3a31d780d3b731ba881b51791fed8

      SHA512

      e530ff3f593a70792982e5856a915df3ed1a3ac4e77f02878bbfe2362cdbb7e9aa033b78ce2e04f43011b18c798242fc0344c1294178ffd08973482ba632db33

      Download Submit

    • C:\note.txt
      Filesize

      218B

      MD5

      afa6955439b8d516721231029fb9ca1b

      SHA1

      087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

      SHA256

      8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

      SHA512

      5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

      Download Submit