Overview

overview

7

Static

static

3

NeverLoseCC.exe

windows7-x64

7

NeverLoseCC.exe

windows10-2004-x64

7

NiceRAT.pyc

windows7-x64

3

NiceRAT.pyc

windows10-2004-x64

3

Analysis

  • max time kernel
    48s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2024 10:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NiceRAT.pyc

  • Size

    74KB

  • MD5

    89dc7e5803c91398b59ce4deacd0ba33

  • SHA1

    4c2d442a1b1f9eedb21b702b76858d1fc6077950

  • SHA256

    384b440d3e33791513e98993d1775db1e5a14d212ecec70c9f6018f7fe36eef7

  • SHA512

    b092fe9c7358623d8277977b44630bab4d654e16700cf35c552641267805f9e67c6b787483b8f7719afa779cf07f23089636c7b71f601c3bb6ae9eadf84a612d

  • SSDEEP

    1536:JkxMpeIUJlJ/x2IsVCR28r78sgo6wtkzrTSR/em:JkcW2IsVP8ssgonkzrTSRd

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc
    1⤵
    • Modifies registry class
    PID:1584
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4448
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5084
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.0.1010403750\1973016438" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce2b945b-b977-4374-a616-397a6961093e} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 1848 22fca222e58 gpu
          4⤵
            PID:3004
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.1.483813414\61473624" -parentBuildID 20230214051806 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8a6960d-5043-430a-b66d-3dca1899c9ab} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 2440 22fbd58b858 socket
            4⤵
              PID:1924
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.2.690997432\865185714" -childID 1 -isForBrowser -prefsHandle 3144 -prefMapHandle 3156 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d262de9-606a-4460-ab9c-7ec863186bec} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 3452 22fcd141858 tab
              4⤵
                PID:1412
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.3.899034557\718545091" -childID 2 -isForBrowser -prefsHandle 3596 -prefMapHandle 3592 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e261e603-3fc3-49d5-bb58-d9a423b096b9} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 3568 22fcd833a58 tab
                4⤵
                  PID:5048
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.4.1570130071\244490396" -childID 3 -isForBrowser -prefsHandle 5036 -prefMapHandle 5152 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bb4a0d8-4c12-4909-8e5f-b9bbc1b2d675} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 5164 22fd11d7958 tab
                  4⤵
                    PID:4544
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.5.400476100\1060502951" -childID 4 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa5ba3c2-ea7c-4652-b892-d4ea5dfca77e} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 5296 22fd1448a58 tab
                    4⤵
                      PID:2008
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.6.346828053\395610720" -childID 5 -isForBrowser -prefsHandle 5496 -prefMapHandle 5500 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86affb38-464b-407f-8099-a5b4abbf487c} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 5488 22fd1447b58 tab
                      4⤵
                        PID:4900
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  1⤵
                    PID:5304
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\NiceRAT.pyc"
                    1⤵
                      PID:5420
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\NiceRAT.pyc
                        2⤵
                        • Checks processor information in registry
                        PID:5436
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k SDRSVC
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5852

                    Network

                    MITRE ATT&CK Matrix ATT&CK v13

                    Initial Access

                    Execution

                    Persistence

                    Privilege Escalation

                    Defense Evasion

                    Credential Access

                    Discovery

                    System Information Discovery

                    2
                    T1082

                    Query Registry

                    2
                    T1012

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Resource Development

                    Reconnaissance

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      30KB

                      MD5

                      73f86899a454921fd80dd5b4cd786c23

                      SHA1

                      7fccb13d8ed8740d2c6c9c2329cf46b0d08a793b

                      SHA256

                      3eb944f2402e3ccaf894c176e3bda0bbef7568a9ed360d002989362345c7fa0c

                      SHA512

                      efea844416911d56aeff4ac03c77cbfa6e90e011822afae671e967b5c1e6e5f946dc9cfa029f3423ccb0567f8170dc4e29f2c399200cc4eafc8ee784f4e6e446

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      1d2362ee45a034abd505c2c15e871ff9

                      SHA1

                      5df21c3e0b4862a36ba6b541f082f5d6cc467f6c

                      SHA256

                      a38aea4124190201dfac9da29f72fb683f120e8706ca96c8879298f9ffe70186

                      SHA512

                      8519d73ba521df5f975b025a4a3e72ea99b6e43b4d939564a23ef3ee865b56f038f4e1dd048070de844e388d4c629c7bb870ea6ade02b587e90b63733312208c

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      79d4fc89f18e836321b9d2c39f77e269

                      SHA1

                      eb18535d38d193710497d5a636345c0cf33786a2

                      SHA256

                      ab85f25baf80c3936ed06f48a1561df3445e33fbaa9e0bf61c2419e09aab1920

                      SHA512

                      b6e182c814679bf500d2d8bcdc1610ef8a81fc8175ff65e6fecfc0d7d3093639964995c81b04606560cf97f60e819d5123629ce6e5c0ecd7ff2e427293262f93

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      3f4d2ea3afffbe9d88559b514a69826c

                      SHA1

                      23f3a178740f7ae9d5b8a5fad9af59f07413ac61

                      SHA256

                      f5fcc968b67b531b0e8f9437b7baeb58a26635627df01b77584a3b706cae713a

                      SHA512

                      ec0d9d93558f0c1ea6b3204f89a37b535e3e37514f07f97e7cb644f0ad89602f0b70c0efeacbe0922164d9f8b4467e1d51572dbb652b74d325eff2378800dae8

                      Download Submit
                    • C:\Users\Admin\Downloads\8dQHa1BM.pyc.part
                      Filesize

                      74KB

                      MD5

                      89dc7e5803c91398b59ce4deacd0ba33

                      SHA1

                      4c2d442a1b1f9eedb21b702b76858d1fc6077950

                      SHA256

                      384b440d3e33791513e98993d1775db1e5a14d212ecec70c9f6018f7fe36eef7

                      SHA512

                      b092fe9c7358623d8277977b44630bab4d654e16700cf35c552641267805f9e67c6b787483b8f7719afa779cf07f23089636c7b71f601c3bb6ae9eadf84a612d

                      Download Submit