Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    20-06-2024 19:27

General

  • Target

    NiceRAT.pyc

  • Size

    74KB

  • MD5

    60d9b32745d7b4d875b9be941b8bcb48

  • SHA1

    2f0b63e466b66e9ec89125339413391f3ea6b239

  • SHA256

    e1f89bb8e9783c08ee9e4bad4263213257a095167d8f0298b92c548eb602e91d

  • SHA512

    fd59aac861b87d2e1865b5f30de425593f7bf4db977d73cc133b357b8879bba4bcee5e9fc2c886fbb6202c5e12db499a687a81de5b5a5bed25846351f0aee938

  • SSDEEP

    1536:Jkx/peIUJlJ/x2IsVCR28r78sgo6wtkzrTSR/em:Jk7W2IsVP8ssgonkzrTSRd

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    62eaa26fa564d26370dc0b09a52db318

    SHA1

    8476c71c61ae78e5ae510f1d4acab9056c8b939a

    SHA256

    4bac2752966da51267defa795b2647b715bf24856333158d5769196575999ce6

    SHA512

    34dc24cad6838f5d77784c1cacfbfac086bc8954791aa37383638629856e82c0c587f840feafcdaeb7037df27cfbfc07d6f328afde77ff69c2dd9aa8e094362d