NisSrv[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

NisSrv.exe
Size

265KB
MD5

1de903c9d0e9567f951212604462539b
SHA1

a4bfff62066d16a7103f8bad987496b043af4982
SHA256

364d9a067f526c969177a4bd86c7c581d6494d1f509e0ef7b80a5a2931d92624
SHA512

439e5e4d528cf4ba20f1babef1d8f536e8b253a6fb6ba60609f7cacdc9509535c72b16d8485293137409b860788457d125ea7e1bd6d0fe82dc811aeeae3fe701
SSDEEP

6144://wMzBTX5a1Jfq7877hG12ThYlx+tO4h98QeAPPxwY2jy+n4r://wMzxXoDhSmreAPJYyo

Score

1^/10

Malware Config

Signatures

Files

NisSrv.exe
.exe windows:10 windows x86

c37e3de78bd3d94143d5236336518c48

Code Sign

33:00:00:00:9d:42:68:ee:31:1c:d7:56:bd:00:00:00:00:00:9d
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

30/03/2016, 19:21

Not After

30/06/2017, 19:21

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:148C-C4B9-2066,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:6a:a4:88:99:4e:3b:93:9b:d1:00:00:00:00:00:6a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/02/2016, 01:25

Not After

12/05/2017, 01:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ff:1d:57:3e:4d:45:d3:88:fc:41:1f:7f:45:5e:56:2b:a8:6c:f4:f7:06:a2:2e:17:be:f3:ab:f4:4b:fb:08:cc
Signer

Actual PE Digest

ff:1d:57:3e:4d:45:d3:88:fc:41:1f:7f:45:5e:56:2b:a8:6c:f4:f7:06:a2:2e:17:be:f3:ab:f4:4b:fb:08:cc

Digest Algorithm

sha256

PE Digest Matches

true

f4:72:46:18:4e:a0:b5:16:d1:4b:49:6f:f1:dc:78:eb:5c:01:54:84
Signer

Actual PE Digest

f4:72:46:18:4e:a0:b5:16:d1:4b:49:6f:f1:dc:78:eb:5c:01:54:84

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
TraceMessage
TraceEvent
UnregisterTraceGuids
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW
StartServiceCtrlDispatcherW
IsValidSid
GetLengthSid
CopySid
ConvertSidToStringSidW
LookupAccountSidW

kernel32

InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
GetProcessId
GetCurrentProcess
FreeLibrary
LoadLibraryExW
GetLastError
LeaveCriticalSection
RaiseException
EnterCriticalSection
MultiByteToWideChar
SizeofResource
LoadResource
FindResourceExW
GetModuleFileNameW
InitializeCriticalSection
CreateTimerQueueTimer
SetProcessWorkingSetSize
CloseHandle
Sleep
DeviceIoControl
CreateSemaphoreW
WaitForSingleObject
ReleaseSemaphore
SetEvent
CreateEventW
ResetEvent
ExpandEnvironmentStringsW
LocalFree
QueryDosDeviceW
SetErrorMode
DeleteTimerQueueTimer
HeapDestroy
HeapSetInformation
HeapCreate
GetModuleHandleW
GetProcAddress
GetVersionExW
lstrcmpiW
VerifyVersionInfoW
GetFileSizeEx
ReadFile
SwitchToThread
GetNativeSystemInfo
GetSystemDirectoryW
GetFileAttributesW

msvcrt

_ftol2
__RTDynamicCast
??3@YAXPAX@Z
??_V@YAXPAX@Z
memmove
_purecall
?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
_except_handler4_common
_controlfp
realloc
_errno
??1type_info@@UAE@XZ
_onexit
__dllonexit
?terminate@@YAXXZ
_initterm
__setusermatherr
__p__fmode
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
__p__commode
_XcptFilter
_unlock
_lock
memcpy
__CxxFrameHandler3
_CxxThrowException
??0exception@@QAE@ABQBD@Z
_callnewh
_vsnwprintf
memcmp
_wcsicmp
wcschr
_beginthreadex
_wfopen
towlower
fclose
iswspace
fgetws
feof
memset
_wcsnicmp
ldiv
memcpy_s
free
malloc
wcsncpy_s
_vsnprintf
??0exception@@QAE@ABQBDH@Z
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@XZ

nislog

NisLogOnServiceStart
NisLogSPrintfW
NisLogWrite
NisLogCleanup
NisLogOnParseError
NisLogOnSignatureEntry
NisLogInitialize

user32

UnregisterClassA
CharNextW

oleaut32

SysFreeString
SysAllocStringLen
SysStringByteLen
SysStringLen
SysAllocStringByteLen
SysAllocString
VarUI4FromStr
VarBstrCat

ole32

CoInitializeEx
CoTaskMemFree
CoTaskMemRealloc
CoTaskMemAlloc
CoCreateInstance
CoUninitialize
IIDFromString
CoRevokeClassObject

mpclient

MpUtilsExportFunctions
MpHandleClose
MpManagerOpen
MpTelemetryAddToAverageDWORD
MpTelemetrySetIfMaxDWORD
MpConfigClose
MpConfigIteratorClose
MpAllocMemory
MpConfigIteratorEnum
MpConfigIteratorOpen
MpConfigGetValueAlloc
MpConfigGetValue
MpConfigOpen
MpTelemetrySetDWORD
MpTelemetrySetString
MpFreeMemory
MpClientUtilExportFunctions
MpConfigUninitialize
MpTelemetryUninitialize
MpConfigInitialize
MpNotificationRegister
MpTelemetryIncrementDWORD
MpTelemetryInitialize

api-ms-win-core-sysinfo-l1-2-1

GetTickCount
GetSystemTimeAsFileTime
VerSetConditionMask

api-ms-win-core-synch-l1-2-0

WaitForSingleObjectEx
InitializeCriticalSectionEx
CreateEventA

api-ms-win-core-errorhandling-l1-1-1

UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-2

TerminateProcess
GetCurrentThreadId
GetCurrentProcessId

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
GetModuleHandleA

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-debug-l1-1-1

OutputDebugStringA

api-ms-win-core-memory-l1-1-2

MapViewOfFile
UnmapViewOfFile
CreateFileMappingW

api-ms-win-core-handle-l1-1-0

DuplicateHandle

api-ms-win-core-libraryloader-l1-2-2

LoadLibraryW
LoadLibraryA

api-ms-win-core-heap-l1-2-0

GetProcessHeap

api-ms-win-core-registry-l1-1-0

RegOpenKeyExA
RegQueryValueExW
RegQueryValueExA
RegNotifyChangeKeyValue

api-ms-win-service-core-l1-1-1

SetServiceStatus
RegisterServiceCtrlHandlerExW

api-ms-win-core-file-l1-2-1

CompareFileTime
CreateFileW

crypt32

CertVerifyCertificateChainPolicy

wintrust

CryptCATCatalogInfoFromContext
CryptCATAdminEnumCatalogFromHash
CryptCATAdminAcquireContext
CryptCATAdminCalcHashFromFileHandle
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
CryptCATAdminReleaseContext
CryptCATAdminReleaseCatalogContext
WinVerifyTrust

api-ms-win-core-version-l1-1-0

VerQueryValueW

Exports

Exports

?GetHashPrime@@YGKK@Z
?RatCleanup@@YGHXZ
?RatDllAttach@@YGXXZ
?RatDllDetach@@YGXXZ
?RatFindFlag@@YGPAKKPBD@Z
?RatInitialize@@YGJXZ
?RatReloadSymbols@@YGXXZ
?RatSetUngracefulProcessTermination@@YGXXZ
?RatWaitForSingleObject@@YGKPAXKK@Z

Sections

.text
Size: 204KB - Virtual size: 204KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c37e3de78bd3d94143d5236336518c48

Code Sign

33:00:00:00:9d:42:68:ee:31:1c:d7:56:bd:00:00:00:00:00:9dCertificate

Extended Key Usages

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0aCertificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

33:00:00:00:6a:a4:88:99:4e:3b:93:9b:d1:00:00:00:00:00:6aCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

ff:1d:57:3e:4d:45:d3:88:fc:41:1f:7f:45:5e:56:2b:a8:6c:f4:f7:06:a2:2e:17:be:f3:ab:f4:4b:fb:08:ccSigner

f4:72:46:18:4e:a0:b5:16:d1:4b:49:6f:f1:dc:78:eb:5c:01:54:84Signer

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

msvcrt

nislog

user32

oleaut32

ole32

mpclient

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-synch-l1-2-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-debug-l1-1-1

api-ms-win-core-memory-l1-1-2

api-ms-win-core-handle-l1-1-0

api-ms-win-core-libraryloader-l1-2-2

api-ms-win-core-heap-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-service-core-l1-1-1

api-ms-win-core-file-l1-2-1

crypt32

wintrust

api-ms-win-core-version-l1-1-0

Exports

Exports

Sections

.text Size: 204KB - Virtual size: 204KB

.data Size: 11KB - Virtual size: 12KB

.idata Size: 7KB - Virtual size: 6KB

.rsrc Size: 6KB - Virtual size: 5KB

.reloc Size: 16KB - Virtual size: 15KB

33:00:00:00:9d:42:68:ee:31:1c:d7:56:bd:00:00:00:00:00:9d
Certificate

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:00:6a:a4:88:99:4e:3b:93:9b:d1:00:00:00:00:00:6a
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

ff:1d:57:3e:4d:45:d3:88:fc:41:1f:7f:45:5e:56:2b:a8:6c:f4:f7:06:a2:2e:17:be:f3:ab:f4:4b:fb:08:cc
Signer

f4:72:46:18:4e:a0:b5:16:d1:4b:49:6f:f1:dc:78:eb:5c:01:54:84
Signer

.text
Size: 204KB - Virtual size: 204KB

.data
Size: 11KB - Virtual size: 12KB

.idata
Size: 7KB - Virtual size: 6KB

.rsrc
Size: 6KB - Virtual size: 5KB

.reloc
Size: 16KB - Virtual size: 15KB