Windows Analysis Report niPie.exe

Overview

General Information

Sample Name: niPie.exe
Analysis ID: 502665
MD5: 601fda01efb1a22e18a19793158b51fe
SHA1: 925f30c4a425c133915ee92dd4c0900f31536c04
SHA256: 5020bbc58ef082a5ac8e42e394c4235e88b9c5bd1ed3cdc126a24a649997ebf3

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Uses 32bit PE files
Found evasive API chain (may stop execution after accessing registry keys)
Sample file is different than original file name gathered from version info
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function

Classification

Compliance:

Uses 32bit PE files
Source: niPie.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: niPie.exe Static PE information: certificate valid
Source: C:\Users\user\Desktop\niPie.exe Code function: 0_2_00401460 RegEnumValueA,FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00401460

System Summary:

Uses 32bit PE files
Source: niPie.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: niPie.exe, 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe
Source: niPie.exe Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\niPie.exe Code function: 0_2_00402100 0_2_00402100
Source: niPie.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\niPie.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: niPie.exe String found in binary or memory: /install
Source: niPie.exe String found in binary or memory: ^@INSTALL\Software\National Instruments\Common\Installer\Pending\PackagesSoftware\National Instruments\Common\Installer\Pending\Deletes...%s\%s%s\*.*Value-ValueNameKeySoftware\National Instruments\Common\Installer\Pending\Registry\DeleteSoftware\National Instruments\Common\Installer\Pending\Registry\AddSoftware\National Instruments\Common\Installer\Pending\Registry/sREMOVEALL%s %s/remove"/install/test/qMutex FailedNested Install_MSIExecute/qnmSoftware\National Instruments\Common\Installer\Pending/undo%s ,\FeaturesTrueLaunchedByUpgrade\ProductsSoftware\National Instruments\Common\InstallerNIUPDMGRtrue
Source: classification engine Classification label: clean4.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\niPie.exe Mutant created: \Sessions\1\BaseNamedObjects\_MSIExecute
Source: niPie.exe Static PE information: certificate valid

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\niPie.exe Code function: 0_2_00407AB8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00407AB8
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\niPie.exe Code function: 0_2_00402930 push eax; ret 0_2_0040295E

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Users\user\Desktop\niPie.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\niPie.exe API coverage: 6.3 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\niPie.exe Code function: 0_2_00401460 RegEnumValueA,FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00401460
Source: C:\Users\user\Desktop\niPie.exe API call chain: ExitProcess graph end node

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\niPie.exe Code function: 0_2_00407AB8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00407AB8
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\niPie.exe Code function: 0_2_00405644 GetVersionExA,GetEnvironmentVariableA,GetModuleFileNameA, 0_2_00405644
No contacted IP infos