Overview: score 7
Static: score 3

Sample               | Platform           | Score
Multi-Acco...er.zip  | windows7-x64       | 1
Multi-Acco...er.zip  | windows10-2004-x64 | 1
MapiProxy.dll        | windows7-x64       | 5
MapiProxy.dll        | windows10-2004-x64 | 5
MapiProxy_InUse.dll  | windows7-x64       | 5
MapiProxy_InUse.dll  | windows10-2004-x64 | 5
Multi-Checker.exe    | windows7-x64       | 7
Multi-Checker.exe    | windows10-2004-x64 | 7
NiceRAT.pyc          | windows7-x64       | 3
NiceRAT.pyc          | windows10-2004-x64 | 3
libEGL.dll           | windows7-x64       | 1
libEGL.dll           | windows10-2004-x64 | 1
libGLESv2.dll        | windows7-x64       | 1
libGLESv2.dll        | windows10-2004-x64 | 1
libotr.dll           | windows7-x64       | 1
libotr.dll           | windows10-2004-x64 | 1
libssp-0.dll         | windows7-x64       | 1
libssp-0.dll         | windows10-2004-x64 | 1

Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 19:27
Behavioral tasks
- behavioral1: Multi-Account_checker.zip (resource win7-20240220-en)
- behavioral2: Multi-Account_checker.zip (resource win10v2004-20240226-en)
- behavioral3: MapiProxy.dll (resource win7-20240611-en)
- behavioral4: MapiProxy.dll (resource win10v2004-20240508-en)
- behavioral5: MapiProxy_InUse.dll (resource win7-20240419-en)
- behavioral6: MapiProxy_InUse.dll (resource win10v2004-20240508-en)
- behavioral7: Multi-Checker.exe (resource win7-20240611-en)
- behavioral8: Multi-Checker.exe (resource win10v2004-20240611-en)
- behavioral9: NiceRAT.pyc (resource win7-20240419-en)
- behavioral10: NiceRAT.pyc (resource win10v2004-20240611-en)
- behavioral11: libEGL.dll (resource win7-20240508-en)
- behavioral12: libEGL.dll (resource win10v2004-20240508-en)
- behavioral13: libGLESv2.dll (resource win7-20240611-en)
- behavioral14: libGLESv2.dll (resource win10v2004-20240611-en)
- behavioral15: libotr.dll (resource win7-20240221-en)
- behavioral16: libotr.dll (resource win10v2004-20240508-en)
- behavioral17: libssp-0.dll (resource win7-20240508-en)
- behavioral18: libssp-0.dll (resource win10v2004-20240226-en)
General
- Target: NiceRAT.pyc
- Size: 74KB
- MD5: 60d9b32745d7b4d875b9be941b8bcb48
- SHA1: 2f0b63e466b66e9ec89125339413391f3ea6b239
- SHA256: e1f89bb8e9783c08ee9e4bad4263213257a095167d8f0298b92c548eb602e91d
- SHA512: fd59aac861b87d2e1865b5f30de425593f7bf4db977d73cc133b357b8879bba4bcee5e9fc2c886fbb6202c5e12db499a687a81de5b5a5bed25846351f0aee938
- SSDEEP: 1536:Jkx/peIUJlJ/x2IsVCR28r78sgo6wtkzrTSR/em:Jk7W2IsVP8ssgonkzrTSRd
Malware Config
Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description     | ioc | Process
  Key created     | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pyc | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pyc\ = "pyc_auto_file" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\ | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\shell | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\shell\Read\command | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pyc_auto_file\shell\Read | rundll32.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid  | Process
  2668 | AcroRd32.exe

- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: AcroRd32.exe
  pid  | Process
  2668 | AcroRd32.exe
  2668 | AcroRd32.exe
  2668 | AcroRd32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description                       | pid  | Process      | procid_target
  PID 2256 wrote to memory of 2684  | 2256 | cmd.exe      | 29
  PID 2256 wrote to memory of 2684  | 2256 | cmd.exe      | 29
  PID 2256 wrote to memory of 2684  | 2256 | cmd.exe      | 29
  PID 2684 wrote to memory of 2668  | 2684 | rundll32.exe | 30
  PID 2684 wrote to memory of 2668  | 2684 | rundll32.exe | 30
  PID 2684 wrote to memory of 2668  | 2684 | rundll32.exe | 30
  PID 2684 wrote to memory of 2668  | 2684 | rundll32.exe | 30
Processes (process tree, depth 1 to 3)

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc
   PID: 2256
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc
      PID: 2684
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc"
         PID: 2668
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 62eaa26fa564d26370dc0b09a52db318
  SHA1: 8476c71c61ae78e5ae510f1d4acab9056c8b939a
  SHA256: 4bac2752966da51267defa795b2647b715bf24856333158d5769196575999ce6
  SHA512: 34dc24cad6838f5d77784c1cacfbfac086bc8954791aa37383638629856e82c0c587f840feafcdaeb7037df27cfbfc07d6f328afde77ff69c2dd9aa8e094362d