Analysis
-
max time kernel: 48s
max time network: 37s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 26-05-2024 10:50
Behavioral tasks
behavioral1: NeverLoseCC.exe on win7-20240419-en
behavioral2: NeverLoseCC.exe on win10v2004-20240508-en
behavioral3: NiceRAT.pyc on win7-20240508-en
behavioral4: NiceRAT.pyc on win10v2004-20240426-en (the task this report covers; see the resource and target fields)
General
-
Target: NiceRAT.pyc
Size: 74KB
MD5: 89dc7e5803c91398b59ce4deacd0ba33
SHA1: 4c2d442a1b1f9eedb21b702b76858d1fc6077950
SHA256: 384b440d3e33791513e98993d1775db1e5a14d212ecec70c9f6018f7fe36eef7
SHA512: b092fe9c7358623d8277977b44630bab4d654e16700cf35c552641267805f9e67c6b787483b8f7719afa779cf07f23089636c7b71f601c3bb6ae9eadf84a612d
SSDEEP: 1536:JkxMpeIUJlJ/x2IsVCR28r78sgo6wtkzrTSR/em:JkcW2IsVP8ssgonkzrTSRd
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exe, firefox.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
-
Modifies registry class 10 IoCs
Processes:
OpenWith.exe, firefox.exe, cmd.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\pyc_auto_file\shell\open\command | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\.pyc | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\.pyc\ = "pyc_auto_file" | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\pyc_auto_file\shell\open | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\pyc_auto_file | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\pyc_auto_file\shell | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\pyc_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\"" | OpenWith.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
OpenWith.exe
pid | process
4448 | OpenWith.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
firefox.exe, svchost.exe
description | pid | process
Token: SeDebugPrivilege | 5084 | firefox.exe
Token: SeDebugPrivilege | 5084 | firefox.exe
Token: SeDebugPrivilege | 5084 | firefox.exe
Token: SeDebugPrivilege | 5084 | firefox.exe
Token: SeBackupPrivilege | 5852 | svchost.exe
Token: SeRestorePrivilege | 5852 | svchost.exe
Token: SeSecurityPrivilege | 5852 | svchost.exe
Token: SeTakeOwnershipPrivilege | 5852 | svchost.exe
Token: 35 | 5852 | svchost.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
firefox.exe
pid | process
5084 | firefox.exe (4 entries)
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
firefox.exe
pid | process
5084 | firefox.exe (3 entries)
-
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
OpenWith.exe, firefox.exe
pid | process
4448 | OpenWith.exe (repeated, one row per hook call)
5084 | firefox.exe (repeated, one row per hook call)
(64 IoCs listed in total, the bulk of them from OpenWith.exe PID 4448)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
OpenWith.exe, firefox.exe, firefox.exe
description | pid | process | target pid | target process
PID 4448 wrote to memory of 2872 | 4448 | OpenWith.exe | 2872 | firefox.exe (2 entries)
PID 2872 wrote to memory of 5084 | 2872 | firefox.exe | 5084 | firefox.exe (repeated)
PID 5084 wrote to memory of 3004 | 5084 | firefox.exe | 3004 | firefox.exe (repeated)
PID 5084 wrote to memory of 1924 | 5084 | firefox.exe | 1924 | firefox.exe (repeated)
(64 IoCs listed in total; the report emits one row per WriteProcessMemory call, so each parent/target pair above appears many times. The chain 4448 -> 2872 -> 5084 -> {3004, 1924} is the OpenWith.exe launch of Firefox followed by Firefox's own parent-to-content-process writes.)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc
  - Modifies registry class
-
C:\Windows\system32\OpenWith.exe (PID 4448)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  C:\Program Files\Mozilla Firefox\firefox.exe (PID 2872, child of OpenWith.exe)
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc"
    - Suspicious use of WriteProcessMemory
    -
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 5084, Firefox parent process)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      -
      C:\Program Files\Mozilla Firefox\firefox.exe (content process, gpu)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.0.1010403750\1973016438" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce2b945b-b977-4374-a616-397a6961093e} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 1848 22fca222e58 gpu
      -
      C:\Program Files\Mozilla Firefox\firefox.exe (content process, socket)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.1.483813414\61473624" -parentBuildID 20230214051806 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8a6960d-5043-430a-b66d-3dca1899c9ab} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 2440 22fbd58b858 socket
      -
      C:\Program Files\Mozilla Firefox\firefox.exe (content process, tab 1)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.2.690997432\865185714" -childID 1 -isForBrowser -prefsHandle 3144 -prefMapHandle 3156 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d262de9-606a-4460-ab9c-7ec863186bec} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 3452 22fcd141858 tab
      -
      C:\Program Files\Mozilla Firefox\firefox.exe (content process, tab 2)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.3.899034557\718545091" -childID 2 -isForBrowser -prefsHandle 3596 -prefMapHandle 3592 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e261e603-3fc3-49d5-bb58-d9a423b096b9} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 3568 22fcd833a58 tab
      -
      C:\Program Files\Mozilla Firefox\firefox.exe (content process, tab 3)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.4.1570130071\244490396" -childID 3 -isForBrowser -prefsHandle 5036 -prefMapHandle 5152 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bb4a0d8-4c12-4909-8e5f-b9bbc1b2d675} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 5164 22fd11d7958 tab
      -
      C:\Program Files\Mozilla Firefox\firefox.exe (content process, tab 4)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.5.400476100\1060502951" -childID 4 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa5ba3c2-ea7c-4652-b892-d4ea5dfca77e} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 5296 22fd1448a58 tab
      -
      C:\Program Files\Mozilla Firefox\firefox.exe (content process, tab 5)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.6.346828053\395610720" -childID 5 -isForBrowser -prefsHandle 5496 -prefMapHandle 5500 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86affb38-464b-407f-8099-a5b4abbf487c} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 5488 22fd1447b58 tab
-
C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\NiceRAT.pyc"
  -
  C:\Program Files\Mozilla Firefox\firefox.exe (child)
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\NiceRAT.pyc
    - Checks processor information in registry
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SDRSVC
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: no Python interpreter appears anywhere in it. cmd /c handed the .pyc to the shell, which had no handler for the extension and launched OpenWith.exe; OpenWith.exe then wrote the .pyc -> pyc_auto_file -> firefox.exe -osint -url "%1" association recorded under "Modifies registry class" and started Firefox with the file path as its URL. Firefox treated it as a download (the Downloads section lists 8dQHa1BM.pyc.part with the same hashes as the target) and a second Firefox instance later opened that copy from the Downloads folder. Every signature on this page is therefore raised by OpenWith.exe, Firefox or svchost.exe (SDRSVC is the Windows Backup service, which normally enables the backup and restore privileges listed), not by the sample's bytecode, which never executed. The verdict from this task says nothing about NiceRAT.pyc itself; detonation needs a matching Python interpreter on the guest.
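A static first step for the target, added here as an editor's example and not code from the sandbox report or from the NiceRAT project: since the bytecode never ran, the analyst wants to know which CPython version it was compiled for and which imported names and string constants it carries, without executing it. The sample .pyc is constructed inside the script from a harmless snippet; the hostname in that snippet and the assumed mtime are illustrative only, and the magic-number table covers the releases listed plus whatever interpreter runs the script.

```python
"""Static triage of a CPython .pyc file without executing it (added example)."""
import importlib.util
import marshal
import struct
import sys
import types

# Magic numbers from CPython's importlib._bootstrap_external (first two header
# bytes, little-endian). The running interpreter's own magic is added so the
# example decodes its own output on any version.
KNOWN_MAGICS = {
    3379: "3.6", 3394: "3.7", 3413: "3.8", 3425: "3.9",
    3439: "3.10", 3495: "3.11", 3531: "3.12", 3571: "3.13",
}
CURRENT_MAGIC = int.from_bytes(importlib.util.MAGIC_NUMBER[:2], "little")
KNOWN_MAGICS.setdefault(CURRENT_MAGIC, "%d.%d" % sys.version_info[:2])


def parse_pyc_header(data: bytes) -> dict:
    """Decode the 16-byte PEP 552 header used since Python 3.7."""
    if len(data) < 16 or data[2:4] != b"\r\n":
        raise ValueError("not a .pyc file (bad magic trailer)")
    magic = int.from_bytes(data[:2], "little")
    flags = struct.unpack("<I", data[4:8])[0]
    info = {
        "magic": magic,
        "python_version": KNOWN_MAGICS.get(magic, "unknown"),
        "hash_based": bool(flags & 1),   # bit 0: hash-based pyc
        "check_source": bool(flags & 2), # bit 1: import validates source hash
    }
    if info["hash_based"]:
        info["source_hash"] = data[8:16].hex()
    else:
        info["mtime"], info["source_size"] = struct.unpack("<II", data[8:16])
    return info


def _walk_code(code: types.CodeType):
    """Yield the top-level code object and every nested one (functions, classes)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from _walk_code(const)


def extract_indicators(data: bytes) -> dict:
    """Header plus the names and string constants of the marshalled code.

    marshal's format is not stable across versions, so the body is only
    decoded when the magic matches the interpreter running this script;
    otherwise only the header is returned and a matching interpreter is needed.
    marshal.loads deserialises a code object but does not run it.
    """
    info = parse_pyc_header(data)
    if info["magic"] != CURRENT_MAGIC:
        info["names"], info["strings"] = None, None
        return info
    top = marshal.loads(data[16:])
    names, strings = set(), set()
    for code in _walk_code(top):
        names.update(code.co_names)
        strings.update(c for c in code.co_consts if isinstance(c, str))
    info["names"], info["strings"] = sorted(names), sorted(strings)
    return info


def build_sample_pyc(source: str, mtime: int = 0) -> bytes:
    """CONSTRUCTED test input: a timestamp-based .pyc for the current interpreter."""
    code = compile(source, "<sample>", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, mtime, len(source))
    return header + marshal.dumps(code)


# Harmless stand-in for a RAT stub; the URL is an assumption, not from the sample.
SAMPLE_SOURCE = (
    "import os\n"
    "import socket\n"
    "GATE = 'http://c2.example.invalid/gate'\n"
    "def beacon():\n"
    "    return os.getenv('USERNAME'), GATE\n"
)

if __name__ == "__main__":
    blob = build_sample_pyc(SAMPLE_SOURCE, mtime=1716720600)  # assumed mtime
    for key, value in extract_indicators(blob).items():
        print(f"{key:15} {value}")
```

Against the real file, run extract_indicators(open("NiceRAT.pyc", "rb").read()) under the interpreter version the header names; a mismatched interpreter returns only the header. Nothing here executes the bytecode, but the file is still untrusted input, so do this inside the analysis VM rather than on an analyst workstation.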
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 30KB
MD5: 73f86899a454921fd80dd5b4cd786c23
SHA1: 7fccb13d8ed8740d2c6c9c2329cf46b0d08a793b
SHA256: 3eb944f2402e3ccaf894c176e3bda0bbef7568a9ed360d002989362345c7fa0c
SHA512: efea844416911d56aeff4ac03c77cbfa6e90e011822afae671e967b5c1e6e5f946dc9cfa029f3423ccb0567f8170dc4e29f2c399200cc4eafc8ee784f4e6e446
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs.js
Filesize: 6KB
MD5: 1d2362ee45a034abd505c2c15e871ff9
SHA1: 5df21c3e0b4862a36ba6b541f082f5d6cc467f6c
SHA256: a38aea4124190201dfac9da29f72fb683f120e8706ca96c8879298f9ffe70186
SHA512: 8519d73ba521df5f975b025a4a3e72ea99b6e43b4d939564a23ef3ee865b56f038f4e1dd048070de844e388d4c629c7bb870ea6ade02b587e90b63733312208c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 1KB
MD5: 79d4fc89f18e836321b9d2c39f77e269
SHA1: eb18535d38d193710497d5a636345c0cf33786a2
SHA256: ab85f25baf80c3936ed06f48a1561df3445e33fbaa9e0bf61c2419e09aab1920
SHA512: b6e182c814679bf500d2d8bcdc1610ef8a81fc8175ff65e6fecfc0d7d3093639964995c81b04606560cf97f60e819d5123629ce6e5c0ecd7ff2e427293262f93
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionstore-backups\recovery.jsonlz4 (later version of the same file, different content)
Filesize: 1KB
MD5: 3f4d2ea3afffbe9d88559b514a69826c
SHA1: 23f3a178740f7ae9d5b8a5fad9af59f07413ac61
SHA256: f5fcc968b67b531b0e8f9437b7baeb58a26635627df01b77584a3b706cae713a
SHA512: ec0d9d93558f0c1ea6b3204f89a37b535e3e37514f07f97e7cb644f0ad89602f0b70c0efeacbe0922164d9f8b4467e1d51572dbb652b74d325eff2378800dae8
-
C:\Users\Admin\Downloads\8dQHa1BM.pyc.part (Firefox's download of the target; hashes match the NiceRAT.pyc in the General section)
Filesize: 74KB
MD5: 89dc7e5803c91398b59ce4deacd0ba33
SHA1: 4c2d442a1b1f9eedb21b702b76858d1fc6077950
SHA256: 384b440d3e33791513e98993d1775db1e5a14d212ecec70c9f6018f7fe36eef7
SHA512: b092fe9c7358623d8277977b44630bab4d654e16700cf35c552641267805f9e67c6b787483b8f7719afa779cf07f23089636c7b71f601c3bb6ae9eadf84a612d