Windows Analysis Report niPie.exe

Overview

General Information

Sample Name: niPie.exe
Analysis ID: 502665
MD5: 601fda01efb1a22e18a19793158b51fe
SHA1: 925f30c4a425c133915ee92dd4c0900f31536c04
SHA256: 5020bbc58ef082a5ac8e42e394c4235e88b9c5bd1ed3cdc126a24a649997ebf3

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Found evasive API chain (may stop execution after accessing registry keys)
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs

Analysis Advice

Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the switches may need a prefix such as "-", "/" or "--").
Sample crashes during execution; try analyzing it on another analysis machine.

Process Tree

  • System is w10x64
  • niPie.exe (PID: 4528 cmdline: 'C:\Users\user\Desktop\niPie.exe' -install MD5: 601FDA01EFB1A22E18A19793158B51FE)
  • niPie.exe (PID: 5808 cmdline: 'C:\Users\user\Desktop\niPie.exe' /install MD5: 601FDA01EFB1A22E18A19793158B51FE)
    • WerFault.exe (PID: 5344 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 528 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • niPie.exe (PID: 5332 cmdline: 'C:\Users\user\Desktop\niPie.exe' /load MD5: 601FDA01EFB1A22E18A19793158B51FE)
  • cleanup
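The tree above already contains the link between the crash and the invocation that caused it: WerFault.exe names PID 5808 in its -p argument, and 5808 is the '/install' instance. The following is an added example, not Joe Sandbox code, that parses a tree rendered in this text format, makes that link programmatically and lists the switches the cookbook tried. The line regex is an assumption about this rendering, not a documented format; the tree text is copied from the section above.

```python
"""Correlate a WerFault.exe child with the sample invocation that crashed, from a
Joe Sandbox-style process tree. Added example; not Joe Sandbox code. The tree
text is copied from the report; the line-format regex is an assumption about
this rendering, not a documented format."""
import re

# Copied from the Process Tree section (backslashes doubled for Python).
PROCESS_TREE = """\
  • System is w10x64
  • niPie.exe (PID: 4528 cmdline: 'C:\\Users\\user\\Desktop\\niPie.exe' -install MD5: 601FDA01EFB1A22E18A19793158B51FE)
  • niPie.exe (PID: 5808 cmdline: 'C:\\Users\\user\\Desktop\\niPie.exe' /install MD5: 601FDA01EFB1A22E18A19793158B51FE)
    • WerFault.exe (PID: 5344 cmdline: C:\\Windows\\SysWOW64\\WerFault.exe -u -p 5808 -s 528 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • niPie.exe (PID: 5332 cmdline: 'C:\\Users\\user\\Desktop\\niPie.exe' /load MD5: 601FDA01EFB1A22E18A19793158B51FE)
  • cleanup
"""

LINE_RE = re.compile(
    r"•\s+(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)"
)
# A token is either a single-quoted path or a run of non-space characters. shlex is
# avoided because its POSIX mode would eat the backslashes of unquoted Windows paths.
ARG_RE = re.compile(r"'[^']*'|\S+")


def split_cmdline(cmd: str) -> list:
    return [tok.strip("'") for tok in ARG_RE.findall(cmd)]


def parse_tree(text: str) -> dict:
    """Return {pid: {"image", "argv", "md5"}} for each process line; other lines are ignored."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            procs[int(m.group("pid"))] = {
                "image": m.group("image"),
                "argv": split_cmdline(m.group("cmd")),
                "md5": m.group("md5").lower(),
            }
    return procs


def crashed_invocations(procs: dict) -> dict:
    """Map the PID named by each WerFault.exe '-p <pid>' to that process's argv.
    WerFault's -p argument is the PID of the faulting process, so this ties the
    crash to the exact command line that triggered it."""
    crashes = {}
    for p in procs.values():
        argv = p["argv"]
        if p["image"].lower() == "werfault.exe" and "-p" in argv:
            target = int(argv[argv.index("-p") + 1])
            crashes[target] = procs.get(target, {}).get("argv")
    return crashes


def switches_tried(procs: dict, image: str) -> list:
    """Distinct command-line switches the sandbox cookbook passed to the sample."""
    return sorted({
        a for p in procs.values() if p["image"].lower() == image.lower()
        for a in p["argv"][1:] if a[:1] in ("-", "/")
    })


if __name__ == "__main__":
    procs = parse_tree(PROCESS_TREE)
    print("switches tried:", switches_tried(procs, "niPie.exe"))
    for pid, argv in crashed_invocations(procs).items():
        print(f"PID {pid} crashed; argv = {argv}")
```

For this tree the crash maps to PID 5808 with argv ['C:\Users\user\Desktop\niPie.exe', '/install']; the '-install' and '/load' instances exited without a WerFault child.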

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

No malicious signatures were raised; the informational signature evidence follows.

Source: niPie.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: niPie.exe | Static PE information: certificate valid
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.289718140.00000000006E8000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb. source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source: Binary string: msi.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.290136004.00000000006E2000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.292596079.0000000000AB4000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.289723117.00000000006EE000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.289718140.00000000006E8000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb( source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 0000000B.00000003.292596079.0000000000AB4000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\niPie.exe | Code function 0_2_00401460: RegEnumValueA, FindFirstFileA, FindNextFileA, DeleteFileA, FindNextFileA, FindClose, RemoveDirectoryA
Source: WerFault.exe, 0000000B.00000002.302967214.0000000004C80000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: niPie.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: niPie.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: niPie.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: niPie.exe | String found in binary or memory: http://s.symcd.com06
Source: niPie.exe | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: niPie.exe | String found in binary or memory: http://s2.symcb.com0
Source: niPie.exe | String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: niPie.exe | String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: niPie.exe | String found in binary or memory: http://sf.symcd.com0&
Source: niPie.exe | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: niPie.exe | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: niPie.exe | String found in binary or memory: http://sv.symcd.com0&
Source: niPie.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: niPie.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: niPie.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: niPie.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: niPie.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: niPie.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Amcache.hve.11.dr | String found in binary or memory: http://upx.sf.net
Source: niPie.exe | String found in binary or memory: http://www.symauth.com/cps0(
Source: niPie.exe | String found in binary or memory: http://www.symauth.com/rpa00
Source: niPie.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: niPie.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: niPie.exe | String found in binary or memory: https://d.symcb.com/rpa0.
The thawte, symcb, symcd and symantec URLs above are CRL, OCSP and AIA endpoints embedded in the sample's Authenticode certificate chain and timestamp countersignature (the trailing "0", "0&", "0(" and similar characters are bytes of the surrounding DER encoding, not part of the URL). They are certificate-validation addresses, not command-and-control indicators, which matches the "certificate valid" static finding.
Source: niPie.exe, 00000000.00000002.276768438.00000000007AA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: niPie.exe, 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename WinNestInst.exe vs niPie.exe
Source: niPie.exe, 00000004.00000000.285248528.000000000040F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename WinNestInst.exe vs niPie.exe
Source: niPie.exe, 0000000C.00000000.287069798.000000000040F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename WinNestInst.exe vs niPie.exe
Source: niPie.exe | Binary or memory string: OriginalFilename WinNestInst.exe vs niPie.exe
Source: C:\Users\user\Desktop\niPie.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 528
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00402100
Source: niPie.exe | Static PE information: Section .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\niPie.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
The Safer\CodeIdentifiers key holds Software Restriction Policy rules and is consulted by Windows when a process is created; reading it is routine and not by itself evidence of evasion.
Source: unknown | Process created: C:\Users\user\Desktop\niPie.exe 'C:\Users\user\Desktop\niPie.exe' -install
Source: unknown | Process created: C:\Users\user\Desktop\niPie.exe 'C:\Users\user\Desktop\niPie.exe' /install
Source: unknown | Process created: C:\Users\user\Desktop\niPie.exe 'C:\Users\user\Desktop\niPie.exe' /load
Source: C:\Users\user\Desktop\niPie.exe | Mutant created: \Sessions\1\BaseNamedObjects\_MSIExecute
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5808
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1B1.tmp
Source: niPie.exe | String found in binary or memory: /install
Source: niPie.exe | String found in binary or memory: ^@INSTALL\Software\National Instruments\Common\Installer\Pending\PackagesSoftware\National Instruments\Common\Installer\Pending\Deletes...%s\%s%s\*.*Value-ValueNameKeySoftware\National Instruments\Common\Installer\Pending\Registry\DeleteSoftware\National Instruments\Common\Installer\Pending\Registry\AddSoftware\National Instruments\Common\Installer\Pending\Registry/sREMOVEALL%s %s/remove"/install/test/qMutex FailedNested Install_MSIExecute/qnmSoftware\National Instruments\Common\Installer\Pending/undo%s ,\FeaturesTrueLaunchedByUpgrade\ProductsSoftware\National Instruments\Common\InstallerNIUPDMGRtrue
These strings (the National Instruments "Installer\Pending" registry paths, the /install, /remove, /undo and /test switches, "Nested Install" and "Mutex Failed"), the OriginalFilename WinNestInst.exe and the _MSIExecute mutex, which is the Windows Installer's own mutex used to detect or serialize against a running MSI transaction, are consistent with a National Instruments nested-installer helper; this agrees with the clean5 classification below.
Source: classification engine | Classification label: clean5.winEXE@4/6@0/1
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\niPie.exe | Code function 0_2_00402930: push eax; ret (0_2_0040295E)
Source: C:\Users\user\Desktop\niPie.exe | Code function 4_2_0019CE94: push esp; retf (4_2_0019CE95)
Source: C:\Users\user\Desktop\niPie.exe | Code function 0_2_00407AB8: LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS, NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Users\user\Desktop\niPie.exe | Evasive API call chain: RegOpenKey, DecisionNodes, ExitProcess (graph_0-3716)
Source: C:\Users\user\Desktop\niPie.exe | API coverage: 6.3 %
Source: C:\Users\user\Desktop\niPie.exe | API call chain: ExitProcess graph end node (graph_0-3939)
Given that the process exits early (one instance crashes and only 6.3 % of the statically found APIs execute), a registry read followed by ExitProcess is as consistent with a failed install precondition as with sandbox evasion; the chain alone does not settle which.
Source: Amcache.hve.11.dr | Binary or memory string: VMware
Source: Amcache.hve.11.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.11.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr | Binary or memory string: VMware, Inc.
Source: WerFault.exe, 0000000B.00000002.302919023.00000000047E1000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWPs}
Source: WerFault.exe, 0000000B.00000003.300055039.00000000047FA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.11.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr | Binary or memory string: VMware7,1
Source: Amcache.hve.11.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 0000000B.00000002.302910267.00000000047D1000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.11.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr | Binary or memory string: VMware, Inc.me
Source: Amcache.hve.11.dr | Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.11.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Amcache.hve.11.dr is the analysis machine's Amcache hive as captured from the WerFault.exe process (report process 0000000B = 11). Every VMware and Hyper-V string above comes from that hive or from WerFault's memory, none from niPie.exe, so they describe the sandbox hardware rather than VM-detection logic in the sample.
Source: C:\Users\user\Desktop\niPie.exe | Process queried: DebugPort
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\niPie.exe | Code function 0_2_00405644: GetVersionExA, GetEnvironmentVariableA, GetModuleFileNameA
Source: Amcache.hve.11.dr | Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.11.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr | Binary or memory string: procexp.exe
The procexp.exe and msmpeng.exe paths are likewise records in the Amcache hive, i.e. the VM's own program inventory; the "AV process strings found" signature is satisfied by the hive, not by strings inside niPie.exe.
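Two of the findings above are cheap to reproduce offline before relying on a sandbox verdict: the COFF flag set (RELOCS_STRIPPED matters because an image without relocations cannot be moved by ASLR, whatever its DllCharacteristics say) and the OriginalFilename mismatch (WinNestInst.exe vs niPie.exe). The following is an added example, not Joe Sandbox code or the sample's own code. It uses only the Python standard library and parses a constructed minimal PE blob rather than niPie.exe; the report does not give the sample's DllCharacteristics, so NX_COMPAT alone is assumed for the demo. To run it on a real file, read the file bytes and pass them to pe_header_flags() and name_mismatch().

```python
"""Static PE triage for two report findings: the COFF Characteristics /
DllCharacteristics flags, and the OriginalFilename-vs-on-disk-name mismatch.
Added example; not Joe Sandbox code. Stdlib only. build_demo_pe() fabricates a
minimal, non-loadable PE32 image for the demo; it is a constructed stand-in,
not the real niPie.exe."""
import struct

IMAGE_FILE_FLAGS = {            # COFF header Characteristics (IMAGE_FILE_*)
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
IMAGE_DLL_FLAGS = {             # optional header DllCharacteristics (IMAGE_DLLCHARACTERISTICS_*)
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}


def pe_header_flags(data: bytes) -> dict:
    """Decode Characteristics and DllCharacteristics and judge whether ASLR can apply."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    return {
        "machine": machine,
        "characteristics": [n for bit, n in sorted(IMAGE_FILE_FLAGS.items()) if characteristics & bit],
        "dll_characteristics": [n for bit, n in sorted(IMAGE_DLL_FLAGS.items()) if dll_chars & bit],
        # The loader can only move an image that still has relocations: RELOCS_STRIPPED
        # pins the image at ImageBase regardless of DYNAMIC_BASE or mandatory-ASLR policy.
        "aslr_effective": bool(dll_chars & 0x0040) and not (characteristics & 0x0001),
    }


def original_filename(data: bytes):
    """Heuristic read of the VS_VERSIONINFO 'OriginalFilename' string: find the UTF-16LE
    key, skip the optional DWORD alignment pad, return the UTF-16LE value that follows."""
    key = "OriginalFilename".encode("utf-16-le") + b"\0\0"
    i = data.find(key)
    if i < 0:
        return None
    pos = i + len(key)
    if data[pos:pos + 2] == b"\0\0":
        pos += 2
    end = pos
    while end + 1 < len(data) and data[end:end + 2] != b"\0\0":
        end += 2
    return data[pos:end].decode("utf-16-le", errors="replace")


def name_mismatch(on_disk_name: str, data: bytes) -> bool:
    """True when the version resource names a different file than the one on disk."""
    orig = original_filename(data)
    return orig is not None and orig.casefold() != on_disk_name.casefold()


def build_demo_pe(characteristics: int, dll_characteristics: int, orig_name: str) -> bytes:
    """Constructed minimal PE32: DOS header, COFF header, 224-byte optional header and a
    version-string fragment. Enough for the parsers above; it cannot be executed."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)                          # ImageBase
    struct.pack_into("<H", opt, 68, 2)                                   # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    verinfo = ("OriginalFilename".encode("utf-16-le") + b"\0\0" + b"\0\0"  # key, NUL, pad
               + orig_name.encode("utf-16-le") + b"\0\0")
    return dos + coff + bytes(opt) + verinfo


if __name__ == "__main__":
    # Flag set the report lists for niPie.exe (0x010F); DllCharacteristics is not on the
    # page, so NX_COMPAT alone is assumed here.
    demo = build_demo_pe(0x010F, 0x0100, "WinNestInst.exe")
    print(pe_header_flags(demo))
    print("OriginalFilename:", original_filename(demo))
    print("mismatch vs niPie.exe:", name_mismatch("niPie.exe", demo))
```

The OriginalFilename reader is deliberately a byte scan rather than a full resource-directory walk; it is the same shortcut strings-based triage tools take and is good enough to confirm a mismatch, but a proper parse of the .rsrc tree is needed if the version block is absent, duplicated or packed.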

Mitre Att&ck Matrix

The matrix extracted as a flat run of cells. Only the techniques that carry a match count in the report (the superscript figure after the name) relate to this sample; the remaining cells are the unmatched template of the matrix and are omitted here. Matched techniques by tactic, with the report's counts:

Execution: Command and Scripting Interpreter (2), Native API (1)
Privilege Escalation: Process Injection (2)
Defense Evasion: Virtualization/Sandbox Evasion (1), Process Injection (2), Obfuscated Files or Information (1)
Credential Access: Input Capture (1)
Discovery: Security Software Discovery (2 1), Virtualization/Sandbox Evasion (1), Process Discovery (1), File and Directory Discovery (1), System Information Discovery (2), Remote System Discovery (1)
Collection: Input Capture (1), Archive Collected Data (1)
Command and Control: Encrypted Channel (1)

Behavior Graph

Behavior Graph ID: 502665; Sample: niPie.exe; Start date: 14/10/2021; Architecture: WINDOWS; Score: 5

The interactive graph did not extract; its nodes and edges are:
  • niPie.exe started from the start node (three instances: graph nodes 5, 7 and 9)
  • WerFault.exe (node 11) started by the niPie.exe instance at node 5
  • 192.168.2.1 (unknown, unknown; node 14) contacted by WerFault.exe (node 11)

192.168.2.1 is an RFC 1918 private address inside the analysis network, so this edge is WerFault.exe's traffic to the sandbox's own network, not contact with external infrastructure by the sample.
