nssm.exe
This report is generated from a file or URL submitted to this webservice on September 19th 2019 23:51:21 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Related Sandbox Artifacts
- Associated SHA256s
  - 8cd5fe5d91db00b0dd11711c5e1cc906f570992146fdef4203a43756ce28bd60
  - c8ed4a7543ddb98b75b33fc26c0b20584f32f53f7531ac44b90fae4b04a25aa6
- Associated URLs
  - hxxp://102.130.112.157/dom.zip
  - hxxp://102.130.112.157/dom-6.zip
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (2)

External Systems
- Sample was identified as malicious by at least one Antivirus engine
  - details: 3/19 Antivirus vendors marked sample as malicious (15% detection rate); 8/68 Antivirus vendors marked sample as malicious (11% detection rate)
  - source: External System
  - relevance: 8/10
Installation/Persistence
- Contains ability to modify user account rights
  - details: LsaAddAccountRights@ADVAPI32.dll (×2)
  - source: Hybrid Analysis Technology
  - relevance: 7/10
Suspicious Indicators (8)

Anti-Detection/Stealthiness
- Contains ability to open/control a service
  - details: OpenServiceW@ADVAPI32.dll; ControlService@ADVAPI32.dll
  - source: Hybrid Analysis Technology
  - relevance: 8/10
  - ATT&CK ID: T1035
- Launches the WMI Provider Host
  - details: Found process "WmiPrvSE.exe" (×2)
  - source: Monitored Target
  - relevance: 10/10
  - ATT&CK ID: T1047
Environment Awareness
- Contains ability to enumerate services
  - details: EnumServicesStatusExW@ADVAPI32.dll (×2)
  - source: Hybrid Analysis Technology
  - relevance: 7/10
  - ATT&CK ID: T1120
General
- Contains ability to find and load resources of a specific module
  - details: LoadResource@KERNEL32.dll; LoadResource@KERNEL32.DLL from nssm.exe (PID: 3532)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
Spyware/Information Retrieval
- Contains ability to enumerate processes/modules/threads
  - details: CreateToolhelp32Snapshot@KERNEL32.dll (×3); CreateToolhelp32Snapshot@KERNEL32.DLL from nssm.exe (PID: 3532) (×3)
  - source: Hybrid Analysis Technology
  - relevance: 5/10
  - ATT&CK ID: T1215
Unusual Characteristics
- Imports suspicious APIs
  - details: RegCreateKeyExW, RegCloseKey, RegDeleteKeyW, RegOpenKeyExW, CreateServiceW, RegDeleteValueW, StartServiceW, StartServiceCtrlDispatcherW, FindResourceExW, CopyFileW, GetModuleFileNameW, IsDebuggerPresent, GetModuleFileNameA, UnhandledExceptionFilter, CreateThread, TerminateProcess, CreateToolhelp32Snapshot, LoadLibraryW, GetTickCount, LoadLibraryA, GetStartupInfoA, OpenProcess, GetProcAddress, GetComputerNameW, CreateFileW, CreateFileA, Process32NextW, GetCommandLineW, Process32FirstW, GetModuleHandleW, WriteFile, CreateProcessW, Sleep, GetModuleFileNameExW, ShellExecuteExW, GetWindowThreadProcessId
  - source: Static Parser
  - relevance: 1/10
- Reads information about supported languages
  - details: "nssm.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - source: Registry Access
  - relevance: 3/10
  - ATT&CK ID: T1012
Hiding 1 Suspicious Indicator (available only in the private webservice or standalone version)
Informative (11)

Anti-Reverse Engineering
- Contains ability to register a top-level exception handler (often used as anti-debugging trick)
  - details: SetUnhandledExceptionFilter@KERNEL32.dll (×3); SetUnhandledExceptionFilter@KERNEL32.DLL from nssm.exe (PID: 3532) (×3)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
Environment Awareness
- Contains ability to query machine time
  - details: GetSystemTimeAsFileTime@KERNEL32.dll (×4); GetSystemTime@KERNEL32.dll (×3); GetSystemTimeAsFileTime@KERNEL32.DLL from nssm.exe (PID: 3532) (×4); GetSystemTime@KERNEL32.DLL from nssm.exe (PID: 3532) (×3)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
  - ATT&CK ID: T1124
- Possibly tries to detect the presence of a debugger
  - details: GetProcessHeap@KERNEL32.dll (×20)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
General
- Creates mutants
  - details: "\BaseNamedObjects\DSKQUOTA_SIDCACHE_MUTEX"
  - source: Created Mutant
  - relevance: 3/10
- Spawns new processes
  - details: Spawned process "WmiPrvSE.exe" (×2)
  - source: Monitored Target
  - relevance: 3/10
- Spawns new processes that are not known child processes
  - details: Spawned process "WmiPrvSE.exe" (×2)
  - source: Monitored Target
  - relevance: 3/10
Installation/Persistence
- Connects to LPC ports
  - details: "nssm.exe" connecting to "\ThemeApiPort"
  - source: API Call
  - relevance: 1/10
- Touches files in the Windows directory
  - details:
    - "nssm.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
    - "nssm.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
    - "nssm.exe" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
  - source: API Call
  - relevance: 7/10
Network Related
- Found potential URL in binary/memory
  - details: Pattern match: "http://nssm.cc/"
  - source: File/Memory
  - relevance: 10/10
System Security
- Creates or modifies Windows services
  - details:
    - "nssm.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\NSSM")
    - "nssm.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\NSSM"; Key: "EVENTMESSAGEFILE"; Value: "C:\nssm.exe")
    - "nssm.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\NSSM"; Key: "TYPESSUPPORTED"; Value: "07000000")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1112
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  - details: "nssm.exe" opened "\Device\KsecDD"
  - source: API Call
  - relevance: 10/10
  - ATT&CK ID: T1215
File Details
- Filename: nssm.exe
- Size: 360KiB (368640 bytes)
- Type: peexe 64bits executable
- Description: PE32+ executable (console) x86-64, for MS Windows
- Architecture: WINDOWS
- SHA256: eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848
- MD5: 1136efb1a46d1f2d508162387f30dc4d
- SHA1: f280858dcfefabc1a9a006a57f6b266a5d1fde8e
- ssdeep: 6144:0I6VyDGb+HiFr4kchE18dkuCj7jLwcYBQarDosNXJ:0IJDGb+Hiu9hE18dkxfdsNXJ
- imphash: 486303637bc6ec8cd38f2967cc02503d
- authentihash: 3083527c30c541b4ff4498e98b15c493eef7ba8c5193ffdc842f252ddc892132
Version Info
- LegalCopyright: Public Domain; Author Iain Patterson 2003-2017
- FileVersion: 2.24-101-g897c7ad
- CompanyName: Iain Patterson
- Comments: http://nssm.cc/
- ProductName: NSSM 64-bit
- ProductVersion: 2.24-101-g897c7ad
- FileDescription: The non-sucking service manager
- OriginalFileName: nssm.exe
- Translation: 0x0410 0x04b0
Classification (TrID)
- 82.0% (.EXE) Win64 Executable (generic)
- 6.0% (.EXE) OS/2 Executable (generic)
- 5.9% (.EXE) Generic Win/DOS Executable
- 5.9% (.EXE) DOS Executable Generic
File Metadata
- 1 .OBJ Files (COFF) linked with LINK.EXE 9.00 (Visual Studio 2008) (build: 30729)
- 1 .RES Files linked with CVTRES.EXE 9.00 (Visual Studio 2008) (build: 21022)
- 61 .CPP Files compiled with CL.EXE 15.00 (Visual Studio 2008) (build: 30729)
- 15 .LIB Files generated with LIB.EXE 8.00 (Visual Studio 2005) (build: 50727)
- 10 .ASM Files assembled with MASM 9.00 (Visual Studio 2008) (build: 30729)
- 107 .C Files compiled with CL.EXE 15.00 (Visual Studio 2008) (build: 30729)
- File contains C++ code
- File appears to contain raw COFF/OMF content
- File is the product of a medium codebase (61 files)
Hybrid Analysis
Analysed 3 processes in total.
- nssm.exe (PID: 3532), 11/79
- WmiPrvSE.exe (PID: 2452)
- WmiPrvSE.exe (PID: 1884)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
No significant files were extracted.