Advice Request Found a PUP: C:\Windows\n.exe

SeriousHoax · Dec 1, 2020

This morning all on a sudden I was notified by WD with this detection for a file in the Windows folder.
C:\Windows\n.exe

This is the sample: VirusTotal

Thankfully it's not a malware, it's a PUP/Riskware which probably hide file attributes.
The relation chart on VT shows relation to uTorrent, KMS and some other unknown setup files. I'm not using any of those program on my system nor any cracked program. Have no idea how it came to be.
After deleting this is what WD shows as affected items.

Ignore the second one in K: directory because I manually copied it there to keep a copy of the sample.
So the affected items are:

"C:\Windows\n.exe"
"file: \\localhost\C$\Windows\n.exe"

I don't know what the last one means. Anyone knows anything about this PUP?

roger_m · Dec 2, 2020

I suggest you upload it to VirusTotal and post a link.

Venustus · Dec 2, 2020

I just searched my Win folder..Turns out I also have n.exe...

As soon as I tried accessing the file Norton removed it.
Thanks for the heads up!!

VT Link

harlan4096 · Dec 2, 2020

It seems just the NirSoft tool:

NirCmd - Windows command line tool

NirCmd is a small utility that allows you to do many useful tasks from command-line, without displaying any user interface: change your display settings, turn off your monitor, open the door of your CD-ROM drive, and more...

www.nirsoft.net

SeriousHoax · Dec 2, 2020

harlan4096 said:
It seems just the NirSoft tool:

NirCmd - Windows command line tool

NirCmd is a small utility that allows you to do many useful tasks from command-line, without displaying any user interface: change your display settings, turn off your monitor, open the door of your CD-ROM drive, and more...

www.nirsoft.net

Looks like some application use this tool do somethings in the background. Since even @venustus has it, I'm guessing we use or have used that particular application

Freud2004 · Dec 2, 2020

SeriousHoax said:
Looks like some application use this tool do somethings in the background. Since even @venustus has it, I'm guessing we use or have used that particular application

Maybe this one (COMODO RSA):

Vendor and version information [?]

The following is the available information on n.exe:

Product version	1.0.0.465
File version	1.0.0.465

Here's a screenshot of the file properties when displayed by Windows Explorer:

Product version	1.0.0.465
File version	1.0.0.465

Digital signatures [?]

n.exe has a valid digital signature.

Signer name	OOO "SOLVO.LOG"
Certificate issuer name	COMODO RSA Code Signing CA
Certificate serial number	00bf908b9311068039d904cb4a73b8ba

SeriousHoax · Dec 2, 2020

Freud2004 said:
Maybe this one (COMODO RSA):

Vendor and version information [?]
The following is the available information on n.exe:

Product version 1.0.0.465
File version 1.0.0.465

Here's a screenshot of the file properties when displayed by Windows Explorer:

Product version 1.0.0.465
File version 1.0.0.465

Digital signatures [?]
n.exe has a valid digital signature.

Signer name OOO "SOLVO.LOG"
Certificate issuer name COMODO RSA Code Signing CA
Certificate serial number 00bf908b9311068039d904cb4a73b8ba

I checked again. It's not this one. It's the one @harlan4096 shared.

TairikuOkami · Dec 2, 2020

struppigel · Dec 3, 2020

This is the full code of the application.

It starts a process, which has to be given as argument, without showing a window. It's not malware. It's just something that might be abused to run a program silently, e.g., a setup

This file has not much in common with the official NirCmd. I downloaded the official one here NirCmd - Windows command line tool
So, well notet by @TairikuOkami

There is a debug path inside this file:
C:\Users\Alpha\source\repos\nircmdc\nircmdc\obj\Release\nircmdc.pdb
If you search for this string you will find a hybrid-analysis run of uTorrent and one any.run analysis on the file itself.

This indicates that it hasn't been seen in malware yet.
I wouldn't be too worried about it.

Ink · Dec 3, 2020

struppigel said:
It's not malware. It's just something that might be abused to run a program silently, e.g., a setup

The file placement is suspicious. Does it need to be in c:\windows\*?

I completely understand why Antivirus software flag their software as dangerous. As with AutoHotKey (news link)

Coldblackice · Jan 3, 2021

struppigel said:
This is the full code of the application.
View attachment 250329
It starts a process, which has to be given as argument, without showing a window. It's not malware. It's just something that might be abused to run a program silently, e.g., a setup

This file has not much in common with the official NirCmd. I downloaded the official one here NirCmd - Windows command line tool
So, well notet by @TairikuOkami

There is a debug path inside this file:
C:\Users\Alpha\source\repos\nircmdc\nircmdc\obj\Release\nircmdc.pdb
If you search for this string you will find a hybrid-analysis run of uTorrent and one any.run analysis on the file itself.

This indicates that it hasn't been seen in malware yet.
I wouldn't be too worried about it.

Thanks. How did you get it broken down like that? Is that from IDA?

struppigel · Jan 4, 2021

Coldblackice said:
Thanks. How did you get it broken down like that? Is that from IDA?

I used DnSpy.

Search

Advice Request Found a PUP: C:\Windows\n.exe

SeriousHoax

Level 49

roger_m

Level 42

Venustus

Level 59

harlan4096

Super Moderator