Windows Analysis Report
NisSrv.exe

Overview

General Information

Sample name: NisSrv.exe
Analysis ID: 1657480
MD5: 3cf93d16b6017b5d0a31e384d48eb89c
SHA1: 29eb619c155feaa277e8d71a14607b3917e909e5
SHA256: dfdf0c9bb0d99e10e9b956c300b0b490ff4c9fc869e60b1e199b5d2106762a4c
Tags: exesideloadinguser-vertos
Infos:

Detection

Score: 16
Range: 0 - 100
Confidence: 80%

Signatures

Sigma detected: Potential Mpclient.DLL Sideloading Via Defender Binaries
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Source: NisSrv.exe Static PE information: certificate valid
Source: NisSrv.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: NisSrv.pdb source: NisSrv.exe
Source: NisSrv.exe String found in binary or memory: http://canonicalizer.ucsuri.tcs/68007400740070003a002f002f00https://F
Source: NisSrv.exe String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: NisSrv.exe String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: NisSrv.exe String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Sample file is different than original file name gathered from version info
Source: NisSrv.exe Binary or memory string: OriginalFilename vs NisSrv.exe
Source: classification engine Classification label: clean16.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
Source: NisSrv.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NisSrv.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\NisSrv.exe "C:\Users\user\Desktop\NisSrv.exe"
Source: C:\Users\user\Desktop\NisSrv.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NisSrv.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Users\user\Desktop\NisSrv.exe Section loaded: dnsapi.dll Jump to behavior
Source: NisSrv.exe Static PE information: certificate valid
Source: initial sample Static PE information: Valid certificate with Microsoft Issuer
Source: NisSrv.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: NisSrv.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: NisSrv.exe Static file information: File size 4464024 > 1048576
Source: NisSrv.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2ce000
Source: NisSrv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NisSrv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NisSrv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NisSrv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NisSrv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NisSrv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: NisSrv.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: NisSrv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: NisSrv.pdb source: NisSrv.exe
Source: NisSrv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NisSrv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NisSrv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NisSrv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NisSrv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
PE file contains sections with non-standard names
Source: NisSrv.exe Static PE information: section name: .didat
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\NisSrv.exe Code function: 0_2_00007FF76E19C850 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF76E19C850
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1657480 Sample: NisSrv.exe Startdate: 06/04/2025 Architecture: WINDOWS Score: 16 10 Sigma detected: Potential Mpclient.DLL Sideloading Via Defender Binaries 2->10 6 NisSrv.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started       
No contacted IP infos