NisSrv[.]exe[.]7z

Sharing

Copy URL Twitter E-mail

General

Target

NisSrv.exe.7z
Size

933KB
MD5

94d1e5439686696bf4b84aa27c5fbf85
SHA1

a49991c3b7bae9b0cc9a41614447691be45c2fc0
SHA256

c583ef183289196bbe07d9be33ba20de0a333533b8255e77ad2e4ce1b41dc605
SHA512

6c0c768620509305b6d0c0251a83fac621591f83759fb15477bcd98917835863a94b3c5731e7d3d0e96081673f8bd3d1a15facaddb70422d17dfd818811d79ae
SSDEEP

24576:OXsxFH9RMESkTRdspN6OXsMn5StTVKSjZWnQdd58hG8Ey1pJdJtD70mr:KsxyhQRdcN6alsx51RsPFBXtDIm

Score

N/A

Malware Config

Signatures

Files

NisSrv.exe.7z
.7z

Password: infected
NisSrv.exe
.exe windows x64

778bba2dbc350a65a6653eab295c9cba

Code Sign

33:00:00:03:6b:6f:36:00:6f:23:f1:68:b5:00:00:00:00:03:6b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

27/01/2022, 19:31

Not After

26/01/2023, 19:31

Subject

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

cd:86:93:64:76:8b:01:cc:6c:87:34:0c:8c:17:27:2f:af:7d:f6:20:e9:15:4d:6d:b9:4b:f1:b7:fd:cc:b7:57
Signer

Actual PE Digest

cd:86:93:64:76:8b:01:cc:6c:87:34:0c:8c:17:27:2f:af:7d:f6:20:e9:15:4d:6d:b9:4b:f1:b7:fd:cc:b7:57

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

28/11/2022, 11:52
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

api-ms-win-crt-runtime-l1-1-0

_cexit
__p___wargv
exit
_invalid_parameter_noinfo
_c_exit
_seh_filter_exe
_set_app_type
abort
_configure_wide_argv
_initialize_wide_environment
_get_initial_wide_environment
_initterm
_beginthreadex
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initterm_e
terminate
_invalid_parameter_noinfo_noreturn
_errno
__p___argc
_register_thread_local_exe_atexit_callback
_exit

api-ms-win-crt-stdio-l1-1-0

_wfsopen
_get_stream_buffer_pointers
_fseeki64
fread
fsetpos
ungetc
setvbuf
fgetpos
fwrite
_fsopen
fgetc
fflush
__stdio_common_vsprintf
_wfopen
feof
fgetws
fclose
fputc
__stdio_common_vsnwprintf_s
fseek
__stdio_common_vswprintf
__stdio_common_vsnprintf_s
__stdio_common_vswprintf_s
_set_fmode
__p__commode
__stdio_common_vsprintf_s

api-ms-win-crt-heap-l1-1-0

malloc
_callnewh
_malloc_base
_calloc_base
_recalloc
calloc
free
_set_new_mode
_free_base
realloc

api-ms-win-crt-convert-l1-1-0

wcstod
strtol
strtof
wcstol
strtoll
_itow_s
_wcstod_l
_ui64tow_s
_i64tow_s
wcstoll
wcstoull
_i64toa_s
_ui64toa_s
strtod

api-ms-win-crt-string-l1-1-0

toupper
_wcsicmp
strcpy_s
strnlen
wcsnlen
iswspace
isalpha
iswalpha
isdigit
iswdigit
iswxdigit
islower
iswlower
wcsncpy_s
tolower
towlower
towupper
wcscmp
iswupper
strncmp
isspace
_wcsdup
isupper
strcspn
__strncnt

api-ms-win-crt-locale-l1-1-0

___lc_locale_name_func
setlocale
_create_locale
_free_locale
_lock_locales
___lc_collate_cp_func
___mb_cur_max_func
localeconv
_configthreadlocale
___lc_codepage_func
__pctype_func
_unlock_locales

advapi32

OpenSCManagerW
RegSetKeyValueW
RegOpenCurrentUser
RegGetValueW
RevertToSelf
SetThreadToken
DuplicateTokenEx
CloseServiceHandle
ImpersonateLoggedOnUser
StartServiceW
TraceMessage
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerExW
SetServiceStatus
EventRegister
EventUnregister
EventWriteTransfer
RegQueryValueExW
OpenServiceW

kernel32

WaitForThreadpoolIoCallbacks
CreateThreadpoolIo
StartThreadpoolIo
QueryUnbiasedInterruptTime
QueryFullProcessImageNameW
OpenProcess
DuplicateHandle
GetProcessId
VerifyVersionInfoW
GetLongPathNameW
QueryProcessCycleTime
GlobalFree
GetThreadPreferredUILanguages
GetModuleHandleA
GetUserPreferredUILanguages
GetSystemPreferredUILanguages
UnmapViewOfFile
GetSystemInfo
GetVersionExW
CreateMutexW
CancelThreadpoolIo
GetModuleFileNameA
CreateSemaphoreExW
HeapFree
SetLastError
ReleaseSemaphore
GetModuleHandleExW
WaitForSingleObject
GetCurrentThreadId
ReleaseMutex
FormatMessageW
GetLastError
OutputDebugStringW
WaitForSingleObjectEx
OpenSemaphoreW
CloseHandle
HeapAlloc
GetProcAddress
CreateMutexExW
GetCurrentProcessId
GetProcessHeap
GetModuleHandleW
DebugBreak
IsDebuggerPresent
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolTimer
MultiByteToWideChar
CloseThreadpool
WaitForThreadpoolWorkCallbacks
CloseThreadpoolWork
CreateThreadpool
SetThreadpoolThreadMaximum
CreateThreadpoolWork
SubmitThreadpoolWork
GetSystemTime
SystemTimeToFileTime
RaiseException
FreeLibrary
LoadLibraryExW
lstrcmpiW
LeaveCriticalSection
EnterCriticalSection
SizeofResource
LoadResource
FindResourceExW
GetModuleFileNameW
InitializeCriticalSection
DeleteCriticalSection
HeapSetInformation
CreateEventW
SetEvent
TerminateProcess
GetCurrentProcess
SwitchToFiber
ConvertFiberToThread
IsThreadAFiber
ConvertThreadToFiber
CreateFiberEx
DeleteFiber
WideCharToMultiByte
GetSystemTimeAsFileTime
CreateFileW
SetErrorMode
QueryPerformanceFrequency
QueryPerformanceCounter
FormatMessageA
Sleep
SwitchToThread
InitializeSRWLock
TryAcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
WakeConditionVariable
InitializeConditionVariable
SleepConditionVariableSRW
RtlPcToFileHeader
ReleaseSRWLockShared
AcquireSRWLockShared
LocalFree
InitOnceComplete
CreateDirectoryW
GetFileInformationByHandleEx
FindFirstFileExW
FindNextFileW
DeviceIoControl
FindClose
GetFileAttributesW
GetFileAttributesExW
SetFileInformationByHandle
MoveFileExW
CopyFileW
InitOnceBeginInitialize
InitializeCriticalSectionEx
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
InitializeCriticalSectionAndSpinCount
ResetEvent
InitializeSListHead
RtlUnwindEx
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
EncodePointer
GetProcessTimes
CancelIoEx
ExpandEnvironmentStringsW
GetOverlappedResult
CloseThreadpoolIo
GetSystemDirectoryW
CreateFileMappingW
MapViewOfFile
CompareStringEx
GetLocaleInfoEx
LCMapStringEx
DecodePointer
GetStringTypeW
DelayLoadFailureHook
LoadLibraryExA
GetFileSizeEx

user32

UnregisterClassA
CharNextW

ntdll

VerSetConditionMask
RtlIpv6StringToAddressExW
NtQueryInformationProcess
RtlIpv4StringToAddressExW

mpclient

MpUtilsExportFunctions
MpClientUtilExportFunctions
MpConfigInitialize
MpManagerOpen
MpNotificationRegister
MpHandleClose
MpConfigGetValueAlloc
MpFreeMemory
MpConfigClose
MpConfigUninitialize
MpConfigOpen

api-ms-win-crt-math-l1-1-0

pow
ldexp
log2
ceil
frexp
ceilf
powf

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_lock_file

api-ms-win-crt-utility-l1-1-0

rand_s

Sections

.text
Size: 2.5MB - Virtual size: 2.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 348KB - Virtual size: 346KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 44KB - Virtual size: 111KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 92KB - Virtual size: 91KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 512B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

778bba2dbc350a65a6653eab295c9cba

Code Sign

33:00:00:03:6b:6f:36:00:6f:23:f1:68:b5:00:00:00:00:03:6bCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

cd:86:93:64:76:8b:01:cc:6c:87:34:0c:8c:17:27:2f:af:7d:f6:20:e9:15:4d:6d:b9:4b:f1:b7:fd:cc:b7:57Signer

Signature Validations

Verification

28/11/2022, 11:52 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-locale-l1-1-0

advapi32

kernel32

user32

ntdll

mpclient

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-utility-l1-1-0

Sections

.text Size: 2.5MB - Virtual size: 2.5MB

.rdata Size: 348KB - Virtual size: 346KB

.data Size: 44KB - Virtual size: 111KB

.pdata Size: 92KB - Virtual size: 91KB

.didat Size: 4KB - Virtual size: 512B

.rsrc Size: 4KB - Virtual size: 2KB

.reloc Size: 16KB - Virtual size: 12KB

33:00:00:03:6b:6f:36:00:6f:23:f1:68:b5:00:00:00:00:03:6b
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

cd:86:93:64:76:8b:01:cc:6c:87:34:0c:8c:17:27:2f:af:7d:f6:20:e9:15:4d:6d:b9:4b:f1:b7:fd:cc:b7:57
Signer

28/11/2022, 11:52
Valid: false

.text
Size: 2.5MB - Virtual size: 2.5MB

.rdata
Size: 348KB - Virtual size: 346KB

.data
Size: 44KB - Virtual size: 111KB

.pdata
Size: 92KB - Virtual size: 91KB

.didat
Size: 4KB - Virtual size: 512B

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 16KB - Virtual size: 12KB