Windows
Analysis Report
NisSrv.exe
Overview
General Information
Detection
Score: | 16 |
Range: | 0 - 100 |
Confidence: | 80% |
Signatures
Classification
- System is w10x64
NisSrv.exe (PID: 7372 cmdline: "C:\Users\user\Desktop\NisSrv.exe" MD5: 3CF93D16B6017B5D0A31E384D48EB89C)
conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
System Summary |
---|
Source: | Author: Bhabesh Raj: |
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Malware Analysis System Evasion
- Anti Debugging
- Language, Device and Operating System Detection
Source: | Code function: | 0_2_00007FF76E19C850 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 2 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | ReversingLabs | | |
| 0% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1657480 |
Start date and time: | 2025-04-06 01:43:25 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 27s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | NisSrv.exe |
Detection: | CLEAN |
Classification: | clean16.winEXE@2/0@0/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 184.31.69.3, 131.253.33.254, 52.149.20.212
- Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target NisSrv.exe, PID 7372 because there are no executed functions
- Not all processes were analyzed, report is missing behavior information
File type: | |
Entropy (8bit): | 6.454526587237915 |
TrID: |
|
File name: | NisSrv.exe |
File size: | 4'464'024 bytes |
MD5: | 3cf93d16b6017b5d0a31e384d48eb89c |
SHA1: | 29eb619c155feaa277e8d71a14607b3917e909e5 |
SHA256: | dfdf0c9bb0d99e10e9b956c300b0b490ff4c9fc869e60b1e199b5d2106762a4c |
SHA512: | 73cb294c8102bead16519307c6dff73f75404c114cb3c85be048d7a9b806f359df8fae1e9f9b90f50ba489aff0b026295d5514df1e535e26de915cb49494c447 |
SSDEEP: | 49152:t2Fs2Wjg5CAc1J0Y2412yd33uFITQ81ZfZeUjCMdQUhIfKId4wbrrb0KhQ:oc/4y5ZTwTk |
TLSH: | C4265B16B25841D9C0B9E0B49E07CD4BE772BC15033467DB12E6D7A61F976A0AEBF320 |
File Content Preview: | MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................................................................................................k............S..... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x14028c1c0 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6029A04E [Sun Feb 14 22:12:30 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 10 |
OS Version Minor: | 0 |
File Version Major: | 10 |
File Version Minor: | 0 |
Subsystem Version Major: | 10 |
Subsystem Version Minor: | 0 |
Import Hash: | bc85e0cb532ab955ea1c7283fd00b0d9 |
Signature Valid: | true |
Signature Issuer: | CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After: | |
Subject Chain: | |
Version: | 3 |
Thumbprint MD5: | 08D42E39BA357588E8330A0E9D046097 |
Thumbprint SHA-1: | 48B2486F389C9927957299BDFD24C2ABEF9D15DB |
Thumbprint SHA-256: | B788F393B79D36CE5E87CB36B2EB5044788AE2E4B61FE081EC2B109361D0C831 |
Serial: | 33000004C8517D2E95BDD588BE0000000004C8 |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007F8A488286CCh |
dec eax |
add esp, 28h |
jmp 00007F8A48827EAFh |
int3 |
int3 |
dec eax |
sub esp, 28h |
call 00007F8A48827700h |
jmp 00007F8A48828044h |
xor eax, eax |
dec eax |
add esp, 28h |
ret |
int3 |
int3 |
jmp 00007F8A488276F0h |
int3 |
int3 |
int3 |
dec eax |
sub esp, 28h |
dec ebp |
mov eax, dword ptr [ecx+38h] |
dec eax |
mov ecx, edx |
dec ecx |
mov edx, ecx |
call 00007F8A48828052h |
mov eax, 00000001h |
dec eax |
add esp, 28h |
ret |
int3 |
int3 |
int3 |
inc eax |
push ebx |
inc ebp |
mov ebx, dword ptr [eax] |
dec eax |
mov ebx, edx |
inc ecx |
and ebx, FFFFFFF8h |
dec esp |
mov ecx, ecx |
inc ecx |
test byte ptr [eax], 00000004h |
dec esp |
mov edx, ecx |
je 00007F8A48828055h |
inc ecx |
mov eax, dword ptr [eax+08h] |
dec ebp |
arpl word ptr [eax+04h], dx |
neg eax |
dec esp |
add edx, ecx |
dec eax |
arpl ax, cx |
dec esp |
and edx, ecx |
dec ecx |
arpl bx, ax |
dec edx |
mov edx, dword ptr [eax+edx] |
dec eax |
mov eax, dword ptr [ebx+10h] |
mov ecx, dword ptr [eax+08h] |
dec eax |
mov eax, dword ptr [ebx+08h] |
test byte ptr [ecx+eax+03h], 0000000Fh |
je 00007F8A4882804Dh |
movzx eax, byte ptr [ecx+eax+03h] |
and eax, FFFFFFF0h |
dec esp |
add ecx, eax |
dec esp |
xor ecx, edx |
dec ecx |
mov ecx, ecx |
pop ebx |
jmp 00007F8A4882752Ah |
int3 |
dec eax |
mov eax, esp |
dec eax |
mov dword ptr [eax+08h], ebx |
dec eax |
mov dword ptr [eax+10h], ebp |
dec eax |
mov dword ptr [eax+18h], esi |
dec eax |
mov dword ptr [eax+20h], edi |
inc ecx |
push esi |
dec eax |
sub esp, 20h |
dec ecx |
mov ebx, dword ptr [ecx+00h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x374f20 | 0x8c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x443000 | 0x8b8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x428000 | 0x194a0 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x436000 | 0xbd98 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x444000 | 0x6800 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2fed00 | 0x8c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2fef00 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2e1e20 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2cf000 | 0x7d8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x374460 | 0x160 | .rdata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2cd8ac | 0x2ce000 | 10269414bc4e701b24fdbfe7c32b9a2b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x2cf000 | 0xa7b02 | 0xa8000 | bb657c0f55e76664be898c2e3c7ca4e5 | False | 0.35851905459449407 | SysEx File - | 4.9552422031375505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x377000 | 0xb0f3c | 0x9c000 | 8f0a70827227be3370716508bc6dd8c9 | False | 0.08099991235977565 | DIY-Thermocam raw data (Lepton 3.x), scale 28798-11584, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 0.013077 | 5.004333189303513 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x428000 | 0x194a0 | 0x1a000 | d9bc8caa47e9e0541d220fee18a37ef0 | False | 0.48617788461538464 | data | 6.058445714623236 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.didat | 0x442000 | 0x1f0 | 0x1000 | c0839647f372b7373930d4bbeb3a99fa | False | 0.047607421875 | data | 0.5916261922176167 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x443000 | 0x8b8 | 0x1000 | dc5ac082f1177e6924182bd876d5e2bb | False | 0.260498046875 | data | 3.035924662902366 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x444000 | 0x6800 | 0x7000 | e9be992d5431031e89267895dded3574 | False | 0.18300083705357142 | data | 5.308315749634968 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x4430a0 | 0x458 | data | English | United States | 0.46672661870503596 |
RT_MANIFEST | 0x4434f8 | 0x3ba | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (894), with CRLF line terminators | English | United States | 0.510482180293501 |
DLL | Import |
---|---|
MpClient.dll | MpFreeMemory, MpManagerOpen, MpNotificationRegister, MpHandleClose, MpConfigGetValueAlloc, MpConfigClose, MpConfigOpen, MpClientUtilExportFunctions, MpConfigInitialize, MpUtilsExportFunctions, MpConfigUninitialize |
ntdll.dll | RtlIpv4StringToAddressExW, RtlIpv6StringToAddressExW, VerSetConditionMask, RtlPcToFileHeader, RtlCaptureContext, RtlUnwind, RtlLookupFunctionEntry, RtlVirtualUnwind, RtlUnwindEx |
KERNEL32.dll | DeleteFiber, GetModuleFileNameA, CreateSemaphoreExW, HeapFree, SetLastError, ReleaseSemaphore, ReleaseMutex, OpenSemaphoreW, HeapAlloc, DecodePointer, CreateMutexExW, GetCurrentProcessId, DebugBreak, GetSystemTimeAsFileTime, CreateFileW, GetLocaleInfoW, DeviceIoControl, FindFirstFileW, FindNextFileW, FindClose, GetFileAttributesW, GetProcessTimes, QueryProcessCycleTime, GetLongPathNameW, GetProcessId, DuplicateHandle, OpenProcess, QueryFullProcessImageNameW, QueryUnbiasedInterruptTime, StartThreadpoolIo, CreateThreadpoolIo, WaitForThreadpoolIoCallbacks, CancelThreadpoolIo, CancelIoEx, GetOverlappedResult, CloseThreadpoolIo, InitializeSRWLock, TryAcquireSRWLockExclusive, ReleaseSRWLockExclusive, ConvertFiberToThread, ReleaseSRWLockShared, AcquireSRWLockShared, GetExitCodeProcess, InitializeCriticalSection, ResetEvent, GetModuleHandleA, GlobalFree, VerifyVersionInfoW, ExpandEnvironmentStringsW, Sleep, LocalFree, SwitchToThread, FormatMessageA, GetTickCount64, GetSystemDirectoryW, VirtualQuery, GetProcessMitigationPolicy, SetProcessMitigationPolicy, InitializeCriticalSectionAndSpinCount, CreateFiberEx, WriteFile, SetFilePointerEx, GetFileSizeEx, ReadFile, FindFirstFileExW, CreateDirectoryW, SetEnvironmentVariableW, CreateFileMappingW, MapViewOfFile, GetFileInformationByHandle, QueryPerformanceFrequency, FlsAlloc, WideCharToMultiByte, SwitchToFiber, GetCurrentProcess, TerminateProcess, WaitForSingleObject, WaitForSingleObjectEx, SetEvent, CreateEventW, GetProcessHeap, HeapSetInformation, DeleteCriticalSection, InitializeCriticalSectionEx, LoadLibraryExW, FindResourceW, LoadResource, SizeofResource, EnterCriticalSection, LeaveCriticalSection, lstrcmpiW, GetModuleHandleW, GetProcAddress, FreeLibrary, CloseHandle, RaiseException, SystemTimeToFileTime, GetSystemTime, SubmitThreadpoolWork, CreateThreadpoolWork, SetThreadpoolThreadMaximum, CreateThreadpool, CloseThreadpoolWork, WaitForThreadpoolWorkCallbacks, CloseThreadpool, MultiByteToWideChar, GetLastError, IsDebuggerPresent, GetCurrentThreadId, OutputDebugStringW, CreateThreadpoolTimer, CloseThreadpoolTimer, WaitForThreadpoolTimerCallbacks, SetThreadpoolTimer, FormatMessageW, SetUnhandledExceptionFilter, AddVectoredExceptionHandler, SetErrorMode, GetModuleFileNameW, GetModuleHandleExW, RemoveVectoredExceptionHandler, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapSize, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadConsoleW, SetEndOfFile, WriteConsoleW, UnmapViewOfFile, GetSystemInfo, VirtualProtect, LoadLibraryExA, ConvertThreadToFiber, IsThreadAFiber, GetVersionExW, CreateMutexW, AcquireSRWLockExclusive, HeapReAlloc, GetFileType, GetCommandLineW, GetCommandLineA, GetStdHandle, ExitProcess, GetOEMCP, GetACP, IsValidCodePage, FreeLibraryAndExitThread, ExitThread, CreateThread, SetConsoleCtrlHandler, GetLocaleInfoEx, GetThreadPreferredUILanguages, GetUserPreferredUILanguages, GetSystemPreferredUILanguages, QueryPerformanceCounter, SleepConditionVariableSRW, WakeConditionVariable, WakeAllConditionVariable, InitOnceComplete, InitOnceBeginInitialize, GetFileAttributesExW, SetFileInformationByHandle, AreFileApisANSI, CopyFileW, MoveFileExW, GetFileInformationByHandleEx, GetStringTypeW, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, UnhandledExceptionFilter, IsProcessorFeaturePresent, GetStartupInfoW, InitializeSListHead, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree |
ADVAPI32.dll | RegSetKeyValueW, RegOpenCurrentUser, RegGetValueW, ImpersonateLoggedOnUser, CloseServiceHandle, OpenSCManagerW, StartServiceW, OpenServiceW, RevertToSelf, SetThreadToken, DuplicateTokenEx, RegQueryValueExW, SetServiceStatus, RegisterServiceCtrlHandlerExW, StartServiceCtrlDispatcherW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegOpenKeyExW, RegEnumKeyExW, RegQueryInfoKeyW, RegCloseKey, RegDeleteKeyW, UnregisterTraceGuids, RegisterTraceGuidsW, GetTraceEnableFlags, GetTraceEnableLevel, GetTraceLoggerHandle, TraceMessage, EventWriteTransfer, EventRegister, EventUnregister |
USER32.dll | CharNextW |
DNSAPI.dll | DnsQuery_W, DnsFree |
Description | Data |
---|---|
CompanyName | Microsoft Corporation |
FileDescription | Microsoft Network Realtime Inspection Service |
InternalName | NisSrv.exe |
LegalCopyright | Microsoft Corporation. All rights reserved. |
OriginalFilename | NisSrv.exe |
ProductName | Microsoft Windows Operating System |
FileVersion | 4.18.25020.1009 (f9825cc40e26f897bbd18abcfcc53873f7599597) |
ProductVersion | 4.18.25020.1009 |
PrivateBuild | GitEnlistment(ContainerAdministrator) |
Translation | 0x0409 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 19:44:23 |
Start date: | 05/04/2025 |
Path: | C:\Users\user\Desktop\NisSrv.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff76df10000 |
File size: | 4'464'024 bytes |
MD5 hash: | 3CF93D16B6017B5D0A31E384D48EB89C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 19:44:23 |
Start date: | 05/04/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff62fc20000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |