Windows Analysis Report niPie.exe
Overview
General Information
Detection | |
---|---|
Score: | 5 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 60% |
Signatures
Classification
Analysis Advice |
---|
The sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/" or "--") |
The sample crashes during execution; try analyzing it on another analysis machine |
Process Tree |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
There are no malicious signatures.
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_00401460 |
Source: | String found in binary or memory: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Process created: |
Source: | Code function: | 0_2_00402100 |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: |
Source: | Mutant created: |
Source: | File created: |
Source: | String found in binary or memory: |
Source: | Classification label: |
Source: | File read: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_0040295E |
Source: | Code function: | 4_2_0019CE95 |
Source: | Code function: | 0_2_00407AB8 |
Source: | Process information set: |
Source: | Evasive API call chain: | graph_0-3716 |
Source: | API coverage: |
Source: | Code function: | 0_2_00401460 |
Source: | API call chain: | graph_0-3939 |
Source: | Binary or memory string: |
Source: | Process queried: |
Source: | Code function: | 0_2_00407AB8 |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_00405644 |
Source: | Binary or memory string: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Command and Scripting Interpreter2 | Path Interception | Process Injection2 | Virtualization/Sandbox Evasion1 | Input Capture1 | Security Software Discovery21 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection2 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | File and Directory Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
niPie.exe | 0% | Metadefender | | Browse |
niPie.exe | 0% | ReversingLabs | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
(URL not captured) | 0% | URL Reputation | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(not captured) | | false | | high |
(not captured) | | false | | high |
(not captured) | | false | | high |
(not captured) | | false | | high |
(not captured) | | false | | unknown |
Contacted IPs |
---|
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 502665 |
Start date: | 14.10.2021 |
Start time: | 08:40:23 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 49s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | niPie.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Cmdline fuzzy |
Number of new started processes analysed: | 28 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | CLEAN |
Classification: | clean5.winEXE@4/6@0/1 |
EGA Information: | |
HDC Information: | |
HCA Information: | Failed |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
08:41:26 | API Interceptor |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8703585320712506 |
Encrypted: | false |
SSDEEP: | 192:wIBNLyipHkgdbcDhRjgIh/u7sYS274ItU:wcNeiZk0c7jj/u7sYX4ItU |
MD5: | C0D7310843F8F4325C1610FDDA4668E4 |
SHA1: | D4DFA0568167234554D7F1BADF51561DD2D2BA72 |
SHA-256: | 6C26895BCFD43A4A1D61A701F664F5B6264B96335A8A71670F83D33B38405E6A |
SHA-512: | D7E4F3F7EE44964FDB97D4B087FAA2401277EAD1529E4873D9F7F4498DEC637A6FC5B1D14C34B54C22532316AC767405110377D0D16BA4FE4CE23CD81868C957 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 54596 |
Entropy (8bit): | 2.059817025510805 |
Encrypted: | false |
SSDEEP: | 192:1+4fNhNi0OC4OV6e6bzyN3SzEkMg96CQIhu2YlXalyCBKb:Bl+CfBX1bIhLyC8 |
MD5: | B9D0C19927DC3FC2628C9ACBCD0EA583 |
SHA1: | B056DEEF8A7A09F2BAB02DCD212D78466AE6579F |
SHA-256: | D9BCDBA6ACD224A38C1DAF72FDA6590EFE7E013313452D72538E3FF3C0572653 |
SHA-512: | 97F22935AC3882A0E500B0DB213BB7E4D6264D7D87446BE551E3194002EA323C6E62E5B0948AE48313D1A546CC8DDF0CE00C9BB4CCA441CD2EE816B936BDFD01 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8284 |
Entropy (8bit): | 3.6902502451531936 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNif66rY6YFPSUyogmfRSqXh7CprRc89b2vsfINjym:RrlsNiy606YtSUyogmfRSXJ2UfINH |
MD5: | C197E246B6EBB950F52D55C6D5B459F4 |
SHA1: | BBBFDC67A29B9F7967EB16DF1BC7F4B984FDA502 |
SHA-256: | E9670D33B9E2A1F9B58E786B18C8932CF7541A02DD4F150C8803315151AA37EF |
SHA-512: | ADC44F6500E8C3E4BEDD947688DDEA258B139652749F7F9D4B4507BB722F969E329E81DB8EFF4EEFF965FD81C538222A433467870216B1F3AFFDD41D3459115F |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4544 |
Entropy (8bit): | 4.440570598188364 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsvJgtWI9iMWSC8BWM8fm8M4J46qE+L/bFbX+q8qsS7R/nhws60Xi8d:uITfR5lSNUxJ6Fws60Xi8d |
MD5: | 665AACD7328A47617D15C599E633FA94 |
SHA1: | 1D6A3AE0B676DFB321924FF0E5CA24789ABB7336 |
SHA-256: | FA858B206ECE5CE3843078D4C1E489E086549140118E61652D1C9BBDA1C6A6AB |
SHA-512: | 89EE7E52E7157FB87E885A80DD40DD93DBE3BDA0DF9A12EA3125ED5E0D13BF3F8F40CAB187DC553285F4A95E637378C925E54246F5F31DE8DC5433B405E50A94 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1572864 |
Entropy (8bit): | 4.275087550666143 |
Encrypted: | false |
SSDEEP: | 12288:FipMLJvchtjAw8z7nZ38GMARuhauEhP16N6xcqUEbGt4pVs1E9dZZd:UpMLJvchtjAw8zXN |
MD5: | 2C419893782E19E68C6EA20E61ADE4FD |
SHA1: | 684AF6925498E41E88494D73E2D447DB019EEA73 |
SHA-256: | 4CEC7CBC5FF3A479E46BC0004A2DE16AD1CC45B998E527DE792CC85C0C57D7B0 |
SHA-512: | 84A1721FBFD55B3E8147F0126A5E0577D12C8DA31C0356E144F7B48BEA86951BBC58E7EC121591C5DE46156AA4A037C9CC636A324B857E4A292AB718B3C12D87 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 32768 |
Entropy (8bit): | 4.183354901830507 |
Encrypted: | false |
SSDEEP: | 768:nnUdC0MwqhBrOFftx1xJ4X7fFK7bBqXIeq5QMVyi6a74LXHuzEsFqb+v:VfB2xA/CReOhqC |
MD5: | 23FFAE33C71AB2637BA27D8CF7225580 |
SHA1: | 1A345D8BBE40B02FB15DFBD9CF3EF167A3D695F1 |
SHA-256: | DB922318220427C790ED4E8F88672BD213D8AD2FF1D2C67C79A1B3F58F19D68E |
SHA-512: | AA414C8B6D0646FB4A58D45108EEC1F1CD08F37275C534987B6B135424D0B249F48E7F54DC51E209B0205DFE3D329C97BEE2136DB3CCC8D57C56BA54D108F79F |
Malicious: | false |
Reputation: | low |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 5.892836892157124 |
TrID: | |
File name: | niPie.exe |
File size: | 73664 |
MD5: | 601fda01efb1a22e18a19793158b51fe |
SHA1: | 925f30c4a425c133915ee92dd4c0900f31536c04 |
SHA256: | 5020bbc58ef082a5ac8e42e394c4235e88b9c5bd1ed3cdc126a24a649997ebf3 |
SHA512: | 0db9ac45dfa3e4530fa4a945e3cac301e1ee8b26fc2690739741d72e1b7712e205f4bf83463e51c70df141af663ffa54c4e281d93f3bc386487a42eb1778a03c |
SSDEEP: | 768:gjan8GnhwDHcnrkqAAO8IEwm8iNWTGzvtKsDsoxm3whvI:gjanoDGrkbAO80mhN/ZKsDnmghw |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..)k..zk..zk..z...zh..z...zx..z...zW..z...zc..z2..zl..zk..z,..zm..zo..z...zj..z...zj..zRichk..z................PE..L...j.I>... |
File Icon |
---|
Icon Hash: | 00828e8e8686b000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x402d93 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x3E49816A [Tue Feb 11 23:04:10 2003 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 8fcbb82d712dc622f705d3815ebb3266 |
Authenticode Signature |
---|
Signature Valid: | true |
Signature Issuer: | CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | 1C8D1A5469552A41DE716974A986D673 |
Thumbprint SHA-1: | 70B8BA3A50BCDBAD1DC2C86C6DEB1D78215EA111 |
Thumbprint SHA-256: | 4750C8643DF6099EA03EB3ADA1157EEFC149A3BAC6DBB31760A4DC0AFC41C007 |
Serial: | 61C3329855F6476CFCB4FCF359E55909 |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
push FFFFFFFFh |
push 00409140h |
push 004058E4h |
mov eax, dword ptr fs:[00000000h] |
push eax |
mov dword ptr fs:[00000000h], esp |
sub esp, 58h |
push ebx |
push esi |
push edi |
mov dword ptr [ebp-18h], esp |
call dword ptr [00409094h] |
xor edx, edx |
mov dl, ah |
mov dword ptr [0040CBE0h], edx |
mov ecx, eax |
and ecx, 000000FFh |
mov dword ptr [0040CBDCh], ecx |
shl ecx, 08h |
add ecx, edx |
mov dword ptr [0040CBD8h], ecx |
shr eax, 10h |
mov dword ptr [0040CBD4h], eax |
xor esi, esi |
push esi |
call 00007FA6DC9FFF2Fh |
pop ecx |
test eax, eax |
jne 00007FA6DC9FD59Ah |
push 0000001Ch |
call 00007FA6DC9FD645h |
pop ecx |
mov dword ptr [ebp-04h], esi |
call 00007FA6DC9FFBFAh |
call dword ptr [00409090h] |
mov dword ptr [0040E108h], eax |
call 00007FA6DC9FFAB8h |
mov dword ptr [0040CBB4h], eax |
call 00007FA6DC9FF861h |
call 00007FA6DC9FF7A3h |
call 00007FA6DC9FF4C0h |
mov dword ptr [ebp-30h], esi |
lea eax, dword ptr [ebp-5Ch] |
push eax |
call dword ptr [0040908Ch] |
call 00007FA6DC9FF734h |
mov dword ptr [ebp-64h], eax |
test byte ptr [ebp-30h], 00000001h |
je 00007FA6DC9FD598h |
movzx eax, word ptr [ebp-2Ch] |
jmp 00007FA6DC9FD595h |
push 0000000Ah |
pop eax |
push eax |
push dword ptr [ebp-64h] |
push esi |
push esi |
call dword ptr [00409088h] |
Rich Headers |
---|
Programming Language: | |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x9bc0 | 0x72 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9548 | 0x64 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0xa20 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xe000 | 0x3fc0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x7722 | 0x8000 | False | 0.566650390625 | COM executable for DOS | 6.39486324672 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x9000 | 0xc32 | 0x1000 | False | 0.376708984375 | data | 4.52160108025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x410c | 0x3000 | False | 0.0714518229167 | data | 0.996089583315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0xf000 | 0xa20 | 0x1000 | False | 0.26318359375 | data | 4.15843705735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_DIALOG | 0xf130 | 0xa0 | data | English | United States |
RT_STRING | 0xf1d0 | 0x144 | data | German | Germany |
RT_STRING | 0xf314 | 0x132 | data | English | United States |
RT_STRING | 0xf448 | 0x150 | data | French | France |
RT_STRING | 0xf598 | 0xd8 | data | Japanese | Japan |
RT_VERSION | 0xf670 | 0x3b0 | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | ReleaseMutex, WaitForSingleObjectEx, CreateThread, Sleep, lstrlenA, FindFirstFileA, FindNextFileA, FindClose, RemoveDirectoryA, CreateMutexA, ExitProcess, GetCurrentProcess, UnhandledExceptionFilter, FlushFileBuffers, ReadFile, CloseHandle, LoadLibraryA, GetProcAddress, SetStdHandle, HeapReAlloc, VirtualAlloc, GetStringTypeW, GetStringTypeA, SetFilePointer, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, DeleteFileA, GetCPInfo, GetACP, GetOEMCP, WideCharToMultiByte, MultiByteToWideChar, LCMapStringA, LCMapStringW, HeapAlloc, HeapFree, TerminateProcess, GetLastError, GetFileType, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, RtlUnwind, WriteFile |
USER32.dll | SendMessageA, SetDlgItemTextA, MessageBoxA, EndDialog, LoadStringA, DialogBoxParamA |
ADVAPI32.dll | RegOpenKeyExA, RegEnumKeyExA, RegEnumValueA, RegCloseKey, RegQueryValueExA, RegSetValueExA, RegDeleteValueA, RegCreateKeyExA, RegDeleteKeyA |
Msi.dll | |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
RFL_RegSetBinary | 2 | 0x401aa0 |
_RFL_RegGetBinary@20 | 1 | 0x401a70 |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Copyright 2002-2017. All Rights Reserved. |
InternalName | WinNestInst |
FileVersion | 17.5.0.170 |
CompanyName | National Instruments |
PrivateBuild | |
LegalTrademarks | |
Comments | |
ProductName | National Instruments UM Satellite |
SpecialBuild | |
ProductVersion | 17.5.0 |
FileDescription | WinNestInst |
OriginalFilename | WinNestInst.exe |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
German | Germany | |
French | France | |
Japanese | Japan |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 08:41:14 |
Start date: | 14/10/2021 |
Path: | C:\Users\user\Desktop\niPie.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 73664 bytes |
MD5 hash: | 601FDA01EFB1A22E18A19793158B51FE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 08:41:17 |
Start date: | 14/10/2021 |
Path: | C:\Users\user\Desktop\niPie.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 73664 bytes |
MD5 hash: | 601FDA01EFB1A22E18A19793158B51FE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 08:41:19 |
Start date: | 14/10/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd00000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 08:41:19 |
Start date: | 14/10/2021 |
Path: | C:\Users\user\Desktop\niPie.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 73664 bytes |
MD5 hash: | 601FDA01EFB1A22E18A19793158B51FE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|
Execution Graph |
---|
Execution Coverage: | 2.7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 6.3% |
Total number of Nodes: | 617 |
Total number of Limit Nodes: | 17 |
Executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags | C-Code Quality | Uniqueness Score |
---|---|---|---|---|---|---|---|
00401C60 | 51.0 | 15 | 14 | 232 | COMMON | 34% | -1.00% |
00404DA5 | 4.5 | 3 | | 49 | COMMON | 74% | -1.00% |
0040578C | 3.0 | 2 | | 30 | memory, COMMON | 100% | -1.00% |
00404C79 | 1.5 | 1 | | 46 | memory, COMMON | 60% | -1.00% |
Non-executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags | C-Code Quality | Uniqueness Score |
---|---|---|---|---|---|---|---|
00402100 | 24.9 | 9 | 5 | 389 | registry, COMMON, Crypto | 76% | -1.00% |
00407AB8 | 14.0 | 4 | 4 | 50 | libraryloader, COMMON | 46% | -1.00% |
00401460 | 12.4 | 5 | 2 | 101 | file, COMMON | 91% | -1.00% |
(function header not captured) | | | | | | 91% | -1.00% |
00401590 | 23.0 | 7 | 6 | 255 | registry, COMMON | 71% | -1.00% |
00401000 | 23.0 | 11 | 2 | 253 | registry, COMMON | 79% | -1.00% |
004025F0 | 17.8 | 6 | 4 | 273 | registry, COMMON | 80% | -1.00% |
(function header not captured) | | | | | | 52% | -1.00% |
00403E2C | 13.7 | 9 | | 177 | COMMON | 61% | -1.00% |
004059F5 | 12.4 | 3 | 4 | 100 | file, COMMON | 96% | -1.00% |
0040533A | 12.1 | 8 | | 132 | COMMON | 98% | -1.00% |
00401300 | 10.6 | 5 | 1 | 113 | registry, file, COMMON | 81% | -1.00% |
00401B70 | 10.6 | 5 | 1 | 79 | registry, string, COMMON | 100% | -1.00% |
00406005 | 9.1 | 6 | | 117 | COMMON | 78% | -1.00% |
0040546C | 7.6 | 5 | | 143 | COMMON | 99% | -1.00% |
(function header not captured) | | | | | | 100% | -1.00% |
00407F8B | 6.2 | 4 | | 174 | file, COMMON | 100% | -1.00% |
00405BE2 | 6.1 | 4 | | 139 | file, COMMON | 100% | -1.00% |
00402D93 | 6.1 | 4 | | 75 | COMMON | 81% | -1.00% |
(function header not captured) | | | | | | 92% | -1.00% |
00406B96 | 5.1 | 4 | | 53 | memory, COMMON | 100% | -1.00% |