Windows Analysis Report niPie.exe

Overview

General Information

Sample Name: niPie.exe
Analysis ID: 502665
MD5: 601fda01efb1a22e18a19793158b51fe
SHA1: 925f30c4a425c133915ee92dd4c0900f31536c04
SHA256: 5020bbc58ef082a5ac8e42e394c4235e88b9c5bd1ed3cdc126a24a649997ebf3

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Found evasive API chain (may stop execution after accessing registry keys)
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs

Classification

Compliance:

Uses 32bit PE files
Source: niPie.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: niPie.exe Static PE information: certificate valid
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.289718140.00000000006E8000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb. source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source: Binary string: msi.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.290136004.00000000006E2000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.292596079.0000000000AB4000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.289723117.00000000006EE000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.289718140.00000000006E8000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb( source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 0000000B.00000003.292596079.0000000000AB4000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\niPie.exe Code function: 0_2_00401460 RegEnumValueA,FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00401460
Source: WerFault.exe, 0000000B.00000002.302967214.0000000004C80000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: niPie.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: niPie.exe String found in binary or memory: http://ocsp.thawte.com0
Source: niPie.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: niPie.exe String found in binary or memory: http://s.symcd.com06
Source: niPie.exe String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: niPie.exe String found in binary or memory: http://s2.symcb.com0
Source: niPie.exe String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: niPie.exe String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: niPie.exe String found in binary or memory: http://sf.symcd.com0&
Source: niPie.exe String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: niPie.exe String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: niPie.exe String found in binary or memory: http://sv.symcd.com0&
Source: niPie.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: niPie.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: niPie.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: niPie.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: niPie.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: niPie.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Amcache.hve.11.dr String found in binary or memory: http://upx.sf.net
Source: niPie.exe String found in binary or memory: http://www.symauth.com/cps0(
Source: niPie.exe String found in binary or memory: http://www.symauth.com/rpa00
Source: niPie.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: niPie.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: niPie.exe String found in binary or memory: https://d.symcb.com/rpa0.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: niPie.exe, 00000000.00000002.276768438.00000000007AA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: niPie.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: niPie.exe, 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe
Source: niPie.exe, 00000004.00000000.285248528.000000000040F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe
Source: niPie.exe, 0000000C.00000000.287069798.000000000040F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe
Source: niPie.exe Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe
One or more processes crash
Source: C:\Users\user\Desktop\niPie.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 528
Detected potential crypto function
Source: C:\Users\user\Desktop\niPie.exe Code function: 0_2_00402100 0_2_00402100
Source: niPie.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\niPie.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\niPie.exe 'C:\Users\user\Desktop\niPie.exe' -install
Source: unknown Process created: C:\Users\user\Desktop\niPie.exe 'C:\Users\user\Desktop\niPie.exe' /install
Source: C:\Users\user\Desktop\niPie.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 528
Source: unknown Process created: C:\Users\user\Desktop\niPie.exe 'C:\Users\user\Desktop\niPie.exe' /load
Source: C:\Users\user\Desktop\niPie.exe Mutant created: \Sessions\1\BaseNamedObjects\_MSIExecute
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5808
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1B1.tmp Jump to behavior
Source: niPie.exe String found in binary or memory: /install
Source: niPie.exe String found in binary or memory: ^@INSTALL\Software\National Instruments\Common\Installer\Pending\PackagesSoftware\National Instruments\Common\Installer\Pending\Deletes...%s\%s%s\*.*Value-ValueNameKeySoftware\National Instruments\Common\Installer\Pending\Registry\DeleteSoftware\National Instruments\Common\Installer\Pending\Registry\AddSoftware\National Instruments\Common\Installer\Pending\Registry/sREMOVEALL%s %s/remove"/install/test/qMutex FailedNested Install_MSIExecute/qnmSoftware\National Instruments\Common\Installer\Pending/undo%s ,\FeaturesTrueLaunchedByUpgrade\ProductsSoftware\National Instruments\Common\InstallerNIUPDMGRtrue
Source: classification engine Classification label: clean5.winEXE@4/6@0/1
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\niPie.exe Code function: 0_2_00402930 push eax; ret 0_2_0040295E
Source: C:\Users\user\Desktop\niPie.exe Code function: 4_2_0019CE94 push esp; retf 4_2_0019CE95
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\niPie.exe Code function: 0_2_00407AB8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00407AB8
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Users\user\Desktop\niPie.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\niPie.exe API coverage: 6.3 %
Source: C:\Users\user\Desktop\niPie.exe Code function: 0_2_00401460 RegEnumValueA,FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00401460
Source: C:\Users\user\Desktop\niPie.exe API call chain: ExitProcess graph end node
Source: Amcache.hve.11.dr Binary or memory string: VMware
Source: Amcache.hve.11.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.11.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.
Source: WerFault.exe, 0000000B.00000002.302919023.00000000047E1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWPs}
Source: WerFault.exe, 0000000B.00000003.300055039.00000000047FA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr Binary or memory string: VMware7,1
Source: Amcache.hve.11.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 0000000B.00000002.302910267.00000000047D1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.11.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.11.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.11.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\niPie.exe Process queried: DebugPort Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\niPie.exe Code function: 0_2_00407AB8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00407AB8
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Progman
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\niPie.exe Code function: 0_2_00405644 GetVersionExA,GetEnvironmentVariableA,GetModuleFileNameA, 0_2_00405644

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.11.dr Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.11.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: procexp.exe