Windows Analysis Report nitdmexcel_18-0-1.exe

Overview

General Information

Sample Name: nitdmexcel_18-0-1.exe
Analysis ID: 467975
MD5: da499c2a422b153807fb587d6182ebb6
SHA1: 514d01c97416c4dd562a30c430b7e6f7b4e23cc4
SHA256: e3ab996aa8a613d02205ccb7fad0141212088974ced8672f332d63a4c2ee8119
Detection

Hidden Macro 4.0
Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Yara detected hidden Macro 4.0 in Excel
Uses 32bit PE files
PE file contains an invalid checksum
PE file contains strange resources
PE file contains sections with non-standard names

Classification

Compliance:

Uses 32bit PE files
Source: nitdmexcel_18-0-1.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: nitdmexcel_18-0-1.exe Static PE information: certificate valid
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: WindowsInstaller-KB893803-v2-x86.exe
Source: Binary string: A.pdb source: MIFSystemUtility.dll
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: WindowsInstaller-KB893803-v2-x86.exe
Source: Binary string: c:\P4\NIInstallers\trunk\18.0\src\MetaUtils\NI-PathsStub\Unicode_Release\NIPathsStub.pdb source: MDFSupport.msi
Source: Binary string: c:\P4\NIInstallers\trunk\17.0\src\MetaUtils\NI-PathsStub\Unicode_Release\NIPathsStub.pdb source: EULADepot2.msi

System Summary:

PE file contains strange resources
Source: nitdmexcel_18-0-1.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\nitdmexcel_18-0-1.exe File read: C:\Users\user\Desktop\nitdmexcel_18-0-1.exe
Source: nitdmexcel_18-0-1.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nitdmexcel_18-0-1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: niPie.exe String found in binary or memory: /install
Source: niPie.exe String found in binary or memory: ^@INSTALL\Software\National Instruments\Common\Installer\Pending\PackagesSoftware\National Instruments\Common\Installer\Pending\Deletes...%s\%s%s\*.*Value-ValueNameKeySoftware\National Instruments\Common\Installer\Pending\Registry\DeleteSoftware\National Instruments\Common\Installer\Pending\Registry\AddSoftware\National Instruments\Common\Installer\Pending\Registry/sREMOVEALL%s %s/remove"/install/test/qMutex FailedNested Install_MSIExecute/qnmSoftware\National Instruments\Common\Installer\Pending/undo%s ,\FeaturesTrueLaunchedByUpgrade\ProductsSoftware\National Instruments\Common\InstallerNIUPDMGRtrue
Source: classification engine Classification label: sus22.expl.winEXE@1/0@0/0
Source: nitdmexcel_18-0-1.exe Static file information: File size 78606216 > 1048576
Source: nitdmexcel_18-0-1.exe Static PE information: Raw size of _winzip_ is bigger than: 0x100000 < 0x4ad6000

Data Obfuscation:

PE file contains an invalid checksum
Source: nitdmexcel_18-0-1.exe Static PE information: real checksum: 0x4af8739 should be:
PE file contains sections with non-standard names
Source: nitdmexcel_18-0-1.exe Static PE information: section name: _winzip_
Source: C:\Users\user\Desktop\nitdmexcel_18-0-1.exe Process information set: NOOPENFILEERRORBOX
Source: MIFSystemUtility.dll Binary or memory string: hGfsu
Source: MDFSuppo.cab Binary or memory string: VMci5

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: NI_EX00_fra.mst, type: SAMPLE
Source: C:\Users\user\Desktop\nitdmexcel_18-0-1.exe Code function: 0_2_0040F211 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0040F211
No contacted IP infos