Overview

overview

7

Static

static

3

nice.exe

windows7-x64

6

nice.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20230705-en
  • resource tags

    arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
  • submitted
    06/07/2023, 21:28 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nice.exe

  • Size

    12KB

  • MD5

    e1ab7e9de0652813a3d1c4500a72c561

  • SHA1

    a5fd98050674055d2e5588f3a088f2ad467333a5

  • SHA256

    46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4

  • SHA512

    da7fe2cf303ee72a622b6c51078f67119bca590586bb1f298335b3a3820e00ad43918ad5da97ead1eb0cbbd02854e6584e8408d3f6d23898073909171dc150e1

  • SSDEEP

    192:HMDLTxWDf/pd3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 47 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nice.exe
    "C:\Users\Admin\AppData\Local\Temp\nice.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Users\Admin\AppData\Local\Temp\nice.exe
      "C:\Users\Admin\AppData\Local\Temp\nice.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2176
    • C:\Users\Admin\AppData\Local\Temp\nice.exe
      "C:\Users\Admin\AppData\Local\Temp\nice.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2332
    • C:\Users\Admin\AppData\Local\Temp\nice.exe
      "C:\Users\Admin\AppData\Local\Temp\nice.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2264
    • C:\Users\Admin\AppData\Local\Temp\nice.exe
      "C:\Users\Admin\AppData\Local\Temp\nice.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2296
    • C:\Users\Admin\AppData\Local\Temp\nice.exe
      "C:\Users\Admin\AppData\Local\Temp\nice.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2644
    • C:\Users\Admin\AppData\Local\Temp\nice.exe
      "C:\Users\Admin\AppData\Local\Temp\nice.exe" /main
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe" \note.txt
        3⤵
          PID:2904
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+2+buy+weed
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2196
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2112
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x5c8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3060

    Network

    • flag-us
      DNS
      google.co.ck
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      google.co.ck
      IN A
      Response
      google.co.ck
      IN A
      142.250.179.164
    • flag-nl
      GET
      https://google.co.ck/search?q=how+2+buy+weed
      IEXPLORE.EXE
      Remote address:
      142.250.179.164:443
      Request
      GET /search?q=how+2+buy+weed HTTP/1.1
      Accept: text/html, application/xhtml+xml, */*
      Accept-Language: en-US
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
      Accept-Encoding: gzip, deflate
      Host: google.co.ck
      Connection: Keep-Alive
      Response
      HTTP/1.1 302 Found
      Location: https://www.google.com/sorry/index?continue=https://google.co.ck/search%3Fq%3Dhow%2B2%2Bbuy%2Bweed&q=EgSaPUcNGKvknKUGIjCGrdfWVn8ZrSI0nG_uMlALxVETg-9-Wrk1p8ukmLeqBxd17tMkZMkcaQAFk_bAwmgyAXJaAUM
      x-hallmonitor-challenge: CgwIq-ScpQYQvI-W4AESBJo9Rw0
      Content-Type: text/html; charset=UTF-8
      Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-GLqHpkSEckUXEo1ejszRGA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/xsrp
      P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
      Date: Thu, 06 Jul 2023 21:29:15 GMT
      Server: gws
      Content-Length: 393
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      Set-Cookie: 1P_JAR=2023-07-06-21; expires=Sat, 05-Aug-2023 21:29:15 GMT; path=/; domain=.google.co.ck; Secure; SameSite=none
      Set-Cookie: AEC=Ad49MVGFZdWDIKKQ2Meuzifq_LACy1zlMqiwGjGUZHpxMIF6eR1vlnmZCRk; expires=Tue, 02-Jan-2024 21:29:15 GMT; path=/; domain=.google.co.ck; Secure; HttpOnly; SameSite=lax
      Set-Cookie: NID=511=VR_1Gha8XWzPTJZ1jqAmRSX33g_gwIus-XB_z3qHRIIEbTdpM4bBTAV5813lN0F5xqLVyBkqQG0ZyliPfDerqmZYiCdGClkbiLN481J-3PHnuU56jfTflVjST02xbU7JGEr73AsR93oESnA3M5rpZOqe5lSrp5QtC6d8w6-YsfQ; expires=Fri, 05-Jan-2024 21:29:15 GMT; path=/; domain=.google.co.ck; Secure; HttpOnly; SameSite=none
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    • 142.250.179.164:443
      google.co.ck
      tls
      IEXPLORE.EXE
      663 B
       4.9kB
       8
      9
    • 142.250.179.164:443
      https://google.co.ck/search?q=how+2+buy+weed
      tls, http
      IEXPLORE.EXE
      1.1kB
       7.4kB
       11
      14

      HTTP Request

      GET https://google.co.ck/search?q=how+2+buy+weed

      HTTP Response

      302
    • 204.79.197.200:443
      ieonline.microsoft.com
      tls
      iexplore.exe
      707 B
       7.6kB
       8
      11
    • 8.8.8.8:53
      google.co.ck
      dns
      IEXPLORE.EXE
      58 B
       74 B
       1
      1

      DNS Request

      google.co.ck

      DNS Response

      142.250.179.164

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b1bba48aed7f1249726d86a26367a914

      SHA1

      dc585a80537d340fd3766ce4c34fa5866f30a19f

      SHA256

      c96e944ad9cea2b6aa546d3d870a6c436c99b5f631352de926c3da73f4162b32

      SHA512

      2aaae8d5a3b94ff580283367fd1999c9162bb0fe0f6ae2585b5d17ad426324ee92a037aba1fa9af2456d851b068b00874feb784e134830b41e4daed5d1cf535b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      80f948512296bace18681dc7b64392c5

      SHA1

      bb041e51d02b3fff6dbeeda9aca3332f227ad0f1

      SHA256

      d739a2f616ba98c30f0886c9829293b7a329dd065cde0ad6ee8c6b93943e3f90

      SHA512

      c099ee879f5359c5630db2c5af8936eaa8eb763b7a1e59f32e03eb553585fe27ef1ba793e64ee67fa2b4642f6406c8417d8798dbe0fd3d5ac8907b2eb9d2b8d9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      3fff3bd5b5b99054a5d946134134dc92

      SHA1

      ac77acb12f90521fd435d6dc48a297c83ece914b

      SHA256

      ac60a4b9446940229bdeb6687be82bfc5347da2219a4bb9d311cdf041b4314ee

      SHA512

      8d91cf8dd0bfee6714469f3e71ac60a435effacc1c4dd74abf27f463b4683f81c7bb543efe2ca2c6a6291c5e2548476135a64acc7a7e42d93f8a6e76d546da68

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      7c768817da3b936495a238bbc5dcfbe0

      SHA1

      430060ed182fa372cba4088c66266cd3c0cec462

      SHA256

      2363c7ebdcff6ec04a96fe52a3f620f437a8b4819cd635fa8d41ade51d3011f0

      SHA512

      25c98db0317cb6fcca301f8d2d9da60e9d7d22ea2fc6c9827cd2e32cf43356dbf70796c9b907d033812ec79c926177b2f2f496c9d16228bceb9dcfd11a6aa765

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      85fdceb0b4b6ded17b208bfe5b374841

      SHA1

      1983fe77ac789059594bb3945ed6793686a2ba79

      SHA256

      77c209a75a244df0407d2e87cd64c68de240b81f755280d93be9423236190a89

      SHA512

      2ba295db89f02144be9465ddf0389f1642e2bc75afc1944f375475514e6842850d25599d57fc6a62c42f5a36427a1b7c1426809ec50767634d2b25e5be3c959d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      74014775120985c65fc30fb38a652e8c

      SHA1

      bc6bb9d1fb5bfa0ddc6711488daa5123d3da4888

      SHA256

      ffe58f611973554323c4ac1c09be7d2f167b5e23f5065319c0bd8c3058291e1a

      SHA512

      49e51b897919308971f56a848ea299f78823f71259a49f26e12062660fb52f7aa486ccc866d4eae504b304efad99d80b32a707d0d8d924ff9f8a747b2b1a67ca

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      c25852b6b8ee67aae2048564debc2570

      SHA1

      e6b7936e24bfc081271fc6b25b832e10f4d3f2fd

      SHA256

      06eb280ddc2c4207d1daf5b313ba5c7aa6753a17d2e5507005b7d2802c83ff21

      SHA512

      a2e944c42a60a074ae77468b0509707c697af69c5ba61c68e46c54a1e11cbaedc4ad15194939cccee2024dcfbf3767cb4f9e08335f30386b2eba0c82b2d9cf9d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b72c32df3faef98738c0aead2ceb1ed2

      SHA1

      8941c7bebf571a48dc12aab756e07ddbf613129e

      SHA256

      5fc57980c830bf9c68fcc76c1a355795a2db8e47c8ae5f614043c4798866e268

      SHA512

      44b003896406d1ac2d06547a11f3533fbe2bad90db024bcc5b43014c685a5d66b28235bf1ea33fe1d0505bca49f4becce0a8c3baa26af9eeb1fd732d05294c5a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      85c9dc6f9442671fb18612ae706763bb

      SHA1

      40d92ccfd36daa04d1f33c6e505c6dde6dada4f1

      SHA256

      82bbdefcb46bdad8ea31f18c70a232275dd5170fa09674a878414a4a24e88fbd

      SHA512

      a46f0c56aa85a492f47e67668599f20b57f597f2f9002d55e51b661a3f958356580cdc26f64cdab31d6e46c8f1c84d1364b0f69acdbcbcc4cb37addfa4364e09

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      04ebb40fb1408e145485a385a983df96

      SHA1

      1c0c5dcbc93f5f85efe4679336e5a9b3dd5bacdc

      SHA256

      3becae413422d23947455ad18707eb874b32b95d8895009014478619a6ff1826

      SHA512

      c6932f8ad7be1ec3109ba6bee9fc754cc70502a6108d056c90687e31f007513b5bc30d6d9923d8e9ac2bae91cdd350c3b86e27b18f2bfe179a911011b44caca7

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\ODMKYLLU\www.google[1].xml
      Filesize

      99B

      MD5

      e7aa3d330b5f1b982fd0e44ab178105d

      SHA1

      5da6c4d1b8570d5539bca6735e1cd7ab9ad37036

      SHA256

      6f99689e304d24210392209e4e6653ae8ebd6abf8e73768849d8f65702b64013

      SHA512

      4da98fc46a4391c1e0e7ceba3f3b9a2ddbf73681b0d45d8060dd4207c2bceccaa8d28584dc4c3c793b1f0929857f3c77c40decb015979a1cb1a13a31c8ad7693

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\8288kg9\imagestore.dat
      Filesize

      9KB

      MD5

      df8f44b2f53ef7a31391f00194520c89

      SHA1

      da879f810be3c26043b6fe621ef005e5a37e125b

      SHA256

      03d535806a47feb7006bbc994cfc7134fd182f65e57a79182ba917e0e61adb6e

      SHA512

      2a360d7a3adab34d5dfad9eae1e7344a17f67cbf7adc8aa5090c0b9dd3b10aa88afeeb44884356afe01c08c1a97ac211fa3d3f4f98e73846d45e6ca9921b52b7

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5I9HDCK2\recaptcha__en[1].js
      Filesize

      427KB

      MD5

      0412c030048db82d958eadbb899b0b6f

      SHA1

      e824e0fc5680eefe1141418a61b63dfb6bfa1f8a

      SHA256

      237f4a5b7b8e81b7ad01c54cbb6205368aa9d55e1d6fd1ef38454facdc01353c

      SHA512

      52b7db6b9b10ffc74810518205bcc7cd317b9634ae8a5a7d8670832fed1a6e26cce783402e8aee0024c09c2f7f44da83d74e6ff2382516b35dd1a884a6d5289f

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ANFZKI5S\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DYZM3CCC\styles__ltr[1].css
      Filesize

      55KB

      MD5

      83f90c5a4c20afb44429fa346fbadc10

      SHA1

      7c278ec721d3880fbafaadeba9ee80bdf294b014

      SHA256

      952833e41ba7a4b64c31a2d7b07dde81bf5bbacf5cbb967821cfe459d0c4a0d8

      SHA512

      4f0d19678a6758e67cb82652d49ee92a3646c3b4b68b93253c3e468e88506bb8ad78942d7be244b390bdd29a0d00026ad561c040c1b557067edc7887fe7119ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SFHTI546\favicon[2].ico
      Filesize

      5KB

      MD5

      f3418a443e7d841097c714d69ec4bcb8

      SHA1

      49263695f6b0cdd72f45cf1b775e660fdc36c606

      SHA256

      6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

      SHA512

      82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab16AF.tmp
      Filesize

      62KB

      MD5

      3ac860860707baaf32469fa7cc7c0192

      SHA1

      c33c2acdaba0e6fa41fd2f00f186804722477639

      SHA256

      d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

      SHA512

      d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar16C1.tmp
      Filesize

      164KB

      MD5

      4ff65ad929cd9a367680e0e5b1c08166

      SHA1

      c0af0d4396bd1f15c45f39d3b849ba444233b3a2

      SHA256

      c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

      SHA512

      f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VDDHXA3V.txt
      Filesize

      601B

      MD5

      45234bf97ec55468d9f898660aced273

      SHA1

      e7c11c48f5182743679b447b0e7aed62f0027751

      SHA256

      abd9be1b2069a52fc5231f691112f18c8bb3a31d780d3b731ba881b51791fed8

      SHA512

      e530ff3f593a70792982e5856a915df3ed1a3ac4e77f02878bbfe2362cdbb7e9aa033b78ce2e04f43011b18c798242fc0344c1294178ffd08973482ba632db33

      Download Submit

    • C:\note.txt
      Filesize

      218B

      MD5

      afa6955439b8d516721231029fb9ca1b

      SHA1

      087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

      SHA256

      8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

      SHA512

      5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

      Download Submit

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.