Play interactive tour

Edit tour

Windows Analysis Report nitdmexcel_18-0-1.exe

Overview

General Information

Sample Name:	nitdmexcel_18-0-1.exe
Analysis ID:	467975
MD5:	da499c2a422b153807fb587d6182ebb6
SHA1:	514d01c97416c4dd562a30c430b7e6f7b4e23cc4
SHA256:	e3ab996aa8a613d02205ccb7fad0141212088974ced8672f332d63a4c2ee8119
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Yara detected hidden Macro 4.0 in Excel

Uses 32bit PE files

PE file contains an invalid checksum

PE file contains strange resources

PE file contains sections with non-standard names

Classification

Process Tree

System is w10x64

nitdmexcel_18-0-1.exe (PID: 3560 cmdline: 'C:\Users\user\Desktop\nitdmexcel_18-0-1.exe' MD5: DA499C2A422B153807FB587D6182EBB6)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
NI_EX00_fra.mst	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

Source: nitdmexcel_18-0-1.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: nitdmexcel_18-0-1.exe

Static PE information: certificate valid

Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: WindowsInstaller-KB893803-v2-x86.exe
Source:	Binary string: A.pdb source: MIFSystemUtility.dll
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: WindowsInstaller-KB893803-v2-x86.exe
Source:	Binary string: c:\P4\NIInstallers\trunk\18.0\src\MetaUtils\NI-PathsStub\Unicode_Release\NIPathsStub.pdb source: MDFSupport.msi
Source:	Binary string: c:\P4\NIInstallers\trunk\17.0\src\MetaUtils\NI-PathsStub\Unicode_Release\NIPathsStub.pdb source: EULADepot2.msi

Source: MIFSystemUtility.dll	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: EULADepot2.msi	String found in binary or memory: http://digital.ni.com/express.nsf/bycode/InstallerForMicrosoftSilverlight
Source: MIFSystemUtility.dll	String found in binary or memory: http://ocsp.thawte.com0
Source: MIFSystemUtility.dll	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: MIFSystemUtility.dll	String found in binary or memory: http://s.symcd.com06
Source: MIFSystemUtility.dll	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: MIFSystemUtility.dll	String found in binary or memory: http://s2.symcb.com0
Source: MIFSystemUtility.dll	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: MIFSystemUtility.dll	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: MIFSystemUtility.dll	String found in binary or memory: http://sf.symcd.com0&
Source: MIFSystemUtility.dll	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: MIFSystemUtility.dll	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: MIFSystemUtility.dll	String found in binary or memory: http://sv.symcd.com0&
Source: MIFSystemUtility.dll	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: MIFSystemUtility.dll	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: MIFSystemUtility.dll	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: MIFSystemUtility.dll	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: MIFSystemUtility.dll	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: MIFSystemUtility.dll	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: EULADepot2.msi	String found in binary or memory: http://www.chilkatsoft.com/p/p_463.asp)
Source: NI Released License Agreement - English.rtf, NI Released License Agreement - French.rtf, NI Released License Agreement - German.rtf, NI Released License Agreement - Italian.rtf, NI Released License Agreement - Spanish.rtf, EULADepot2.msi, MSIProperties.msi	String found in binary or memory: http://www.ni.com/driverinterfacesoftware
Source: MSIProperties.msi	String found in binary or memory: http://www.ni.com/legal/export-compliance.htm
Source: EULADepot2.msi	String found in binary or memory: http://www.ni.com/legal/export-compliance.htm.
Source: NI Released License Agreement - Spanish.rtf	String found in binary or memory: http://www.ni.com/legal/privacy/unitedstates/us/
Source: MSIProperties.msi	String found in binary or memory: http://www.ni.com/legal/termsofsale
Source: MIFSystemUtility.dll	String found in binary or memory: http://www.symauth.com/cps0(
Source: MIFSystemUtility.dll	String found in binary or memory: http://www.symauth.com/rpa00
Source: nitdmexcel_18-0-1.exe	String found in binary or memory: http://www.winzip.com
Source: MSIProperties.msi	String found in binary or memory: http://zone.ni.com/devzone/cda/tut/p/id/9561
Source: MIFSystemUtility.dll	String found in binary or memory: https://d.symcb.com/cps0%
Source: MIFSystemUtility.dll	String found in binary or memory: https://d.symcb.com/rpa0
Source: MIFSystemUtility.dll	String found in binary or memory: https://d.symcb.com/rpa0.

Source: nitdmexcel_18-0-1.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: nitdmexcel_18-0-1.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\nitdmexcel_18-0-1.exe

File read: C:\Users\user\Desktop\nitdmexcel_18-0-1.exe

Jump to behavior

Source: nitdmexcel_18-0-1.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\nitdmexcel_18-0-1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: niPie.exe	String found in binary or memory: /install
Source: niPie.exe	String found in binary or memory: ^@INSTALL\Software\National Instruments\Common\Installer\Pending\PackagesSoftware\National Instruments\Common\Installer\Pending\Deletes...%s\%s%s\.Value-ValueNameKeySoftware\National Instruments\Common\Installer\Pending\Registry\DeleteSoftware\National Instruments\Common\Installer\Pending\Registry\AddSoftware\National Instruments\Common\Installer\Pending\Registry/sREMOVEALL%s %s/remove"/install/test/qMutex FailedNested Install_MSIExecute/qnmSoftware\National Instruments\Common\Installer\Pending/undo%s ,\FeaturesTrueLaunchedByUpgrade\ProductsSoftware\National Instruments\Common\InstallerNIUPDMGRtrue

Source: classification engine

Classification label: sus22.expl.winEXE@1/0@0/0

Source: nitdmexcel_18-0-1.exe

Static file information: File size 78606216 > 1048576

Source: nitdmexcel_18-0-1.exe

Static PE information: certificate valid

Source: nitdmexcel_18-0-1.exe

Static PE information: Raw size of _winzip_ is bigger than: 0x100000 < 0x4ad6000

Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: WindowsInstaller-KB893803-v2-x86.exe
Source:	Binary string: A.pdb source: MIFSystemUtility.dll
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: WindowsInstaller-KB893803-v2-x86.exe
Source:	Binary string: c:\P4\NIInstallers\trunk\18.0\src\MetaUtils\NI-PathsStub\Unicode_Release\NIPathsStub.pdb source: MDFSupport.msi
Source:	Binary string: c:\P4\NIInstallers\trunk\17.0\src\MetaUtils\NI-PathsStub\Unicode_Release\NIPathsStub.pdb source: EULADepot2.msi

Source: nitdmexcel_18-0-1.exe

Static PE information: real checksum: 0x4af8739 should be:

Source: nitdmexcel_18-0-1.exe

Static PE information: section name: _winzip_

Source: C:\Users\user\Desktop\nitdmexcel_18-0-1.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: MIFSystemUtility.dll	Binary or memory string: hGfsu
Source: MDFSuppo.cab	Binary or memory string: VMci5

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel

Show sources

Source: Yara match

File source: NI_EX00_fra.mst, type: SAMPLE

Source: C:\Users\user\Desktop\nitdmexcel_18-0-1.exe

Code function: 0_2_0040F211 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0040F211

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	System Time Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
nitdmexcel_18-0-1.exe	0%	Virustotal		Browse
nitdmexcel_18-0-1.exe	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ni.com/driverinterfacesoftware	NI Released License Agreement - English.rtf, NI Released License Agreement - French.rtf, NI Released License Agreement - German.rtf, NI Released License Agreement - Italian.rtf, NI Released License Agreement - Spanish.rtf, EULADepot2.msi, MSIProperties.msi	false		high
http://zone.ni.com/devzone/cda/tut/p/id/9561	MSIProperties.msi	false		high
http://www.ni.com/legal/termsofsale	MSIProperties.msi	false		high
http://www.winzip.com	nitdmexcel_18-0-1.exe	false		high
http://www.chilkatsoft.com/p/p_463.asp)	EULADepot2.msi	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	MIFSystemUtility.dll	false		high
http://www.ni.com/legal/privacy/unitedstates/us/	NI Released License Agreement - Spanish.rtf	false		high
http://www.symauth.com/cps0(	MIFSystemUtility.dll	false		high
http://www.symauth.com/rpa00	MIFSystemUtility.dll	false		high
http://ocsp.thawte.com0	MIFSystemUtility.dll	false	URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	467975
Start date:	19.08.2021
Start time:	08:29:53
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	nitdmexcel_18-0-1.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus22.expl.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Execution Graph export aborted for target nitdmexcel_18-0-1.exe, PID 3560 because there are no executed function Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9993729480097455
TrID:	Win32 Executable (generic) a (10002005/4) 99.73% Winzip Win32 self-extracting archive (generic) (23002/1) 0.23% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	nitdmexcel_18-0-1.exe
File size:	78606216
MD5:	da499c2a422b153807fb587d6182ebb6
SHA1:	514d01c97416c4dd562a30c430b7e6f7b4e23cc4
SHA256:	e3ab996aa8a613d02205ccb7fad0141212088974ced8672f332d63a4c2ee8119
SHA512:	e03f698acfd9b2fb97f08b807a1353a577383d0bbe6ebf0ae75dafb333d83f303e4679b538d6539b93f9c195f408ba02a25fe549b793702f4d0dd6e258b34562
SSDEEP:	1572864:Jotcw0U43/qeP6WR01QSlKe2LCc34RrJ0FVjGyLfnm2rGepGtN4M1DJQmCONvgtD:U9m3ieiWb1e2LCc34MkGfnm2yBSyDJQp
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qw.W5...5...5.......&.......E...5...........8...............4.......4...5...7.......4...Rich5...........................PE..L..

File Icon


Icon Hash:	0ac3cc9cd4728e36

Static PE Info

General
Entrypoint:	0x40a79e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4AEF3FA7 [Mon Nov 2 20:23:03 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f2f9102c7663962c22d17a8dabc5e7ce

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	4/11/2016 5:00:00 PM 7/12/2019 4:59:59 PM
Subject Chain	CN=National Instruments Corporation, O=National Instruments Corporation, L=Austin, S=Texas, C=US
Version:	3
Thumbprint MD5:	1C8D1A5469552A41DE716974A986D673
Thumbprint SHA-1:	70B8BA3A50BCDBAD1DC2C86C6DEB1D78215EA111
Thumbprint SHA-256:	4750C8643DF6099EA03EB3ADA1157EEFC149A3BAC6DBB31760A4DC0AFC41C007
Serial:	61C3329855F6476CFCB4FCF359E55909

Entrypoint Preview

Instruction
call 00007F7724999AD3h
jmp 00007F7724994E7Bh
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00423C20h], eax
mov dword ptr [00423C1Ch], ecx
mov dword ptr [00423C18h], edx
mov dword ptr [00423C14h], ebx
mov dword ptr [00423C10h], esi
mov dword ptr [00423C0Ch], edi
mov word ptr [00423C38h], ss
mov word ptr [00423C2Ch], cs
mov word ptr [00423C08h], ds
mov word ptr [00423C04h], es
mov word ptr [00423C00h], fs
mov word ptr [00423BFCh], gs
pushfd
pop dword ptr [00423C30h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00423C24h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00423C28h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00423C34h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00423B70h], 00010001h
mov eax, dword ptr [00423C28h]
mov dword ptr [00423B24h], eax
mov dword ptr [00423B18h], C0000409h
mov dword ptr [00423B1Ch], 00000001h
mov eax, dword ptr [00417420h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00417424h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [004131B4h]

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[EXP] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x16710	0x32	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15844	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x3810	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4af3000	0x3f88	_winzip_
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x14e48	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11ff5	0x12000	False	0.624267578125	data	6.62017390291	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x3742	0x4000	False	0.329284667969	data	4.93791623439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0xe744	0x2000	False	0.17333984375	data	1.98004673265	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x26000	0x3810	0x4000	False	0.250915527344	data	4.52435452726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_winzip_	0x2a000	0x4ad6000	0x4ad6000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
WZ_MANIFEST	0x26378	0x5df	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States
RT_ICON	0x26958	0x2e8	data	English	United States
RT_ICON	0x26c40	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x26d68	0x27e	data	English	United States
RT_DIALOG	0x26fe8	0x192	data	English	United States
RT_STRING	0x2717c	0x2fc	data	English	United States
RT_STRING	0x27478	0x16e	Hitachi SH big-endian COFF object file, not stripped, 21248 sections, symbol offset=0x75007000	English	United States
RT_STRING	0x275e8	0x91a	data	English	United States
RT_STRING	0x27f04	0x880	data	English	United States
RT_STRING	0x28784	0x4fe	data	English	United States
RT_STRING	0x28c84	0x518	data	English	United States
RT_STRING	0x2919c	0x6e	data	English	United States
RT_GROUP_ICON	0x2920c	0x30	data	English	United States
RT_MANIFEST	0x2923c	0x5d4	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
SHELL32.dll	SHGetPathFromIDListA, SHGetSpecialFolderLocation, ShellExecuteA, FindExecutableA, SHBrowseForFolderA, SHGetMalloc
USER32.dll	GetClientRect, SetRect, EndPaint, LoadCursorA, GetLastActivePopup, KillTimer, ShowWindow, PostMessageA, SendMessageA, EnableWindow, SetTimer, SetWindowTextA, SetForegroundWindow, SetActiveWindow, SetDlgItemTextA, GetKeyState, CharUpperBuffA, PeekMessageA, GetSysColor, DispatchMessageA, GetParent, SendDlgItemMessageA, GetDlgItem, InvalidateRect, UpdateWindow, LoadStringA, MessageBoxA, DialogBoxParamA, GetWindowLongA, SetWindowLongA, GetDlgItemTextA, EndDialog, GetWindowRect, GetSystemMetrics, SetWindowPos, SetCursor, CharNextA, BeginPaint, SetWindowWord, GetWindowWord, DefWindowProcA, RegisterClassA, TranslateMessage
KERNEL32.dll	GetLocaleInfoA, GetStringTypeW, GetStringTypeA, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, LCMapStringW, LCMapStringA, GetStdHandle, HeapCreate, HeapDestroy, VirtualAlloc, VirtualFree, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapSize, Sleep, GetCurrentThreadId, SetLastError, TlsFree, TlsSetValue, GetVersionExA, FindClose, FindFirstFileA, GetCurrentDirectoryA, SetCurrentDirectoryA, CreateDirectoryA, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, LocalAlloc, GetDriveTypeA, GetEnvironmentVariableA, SetFilePointer, CreateFileA, GetWindowsDirectoryA, GlobalFree, GlobalUnlock, GlobalHandle, _lclose, _llseek, _lread, _lopen, GlobalLock, GlobalAlloc, GlobalMemoryStatus, GetVersion, GetModuleFileNameA, WriteFile, GetSystemTime, LocalFree, ExitProcess, FormatMessageA, GetLastError, GetModuleHandleA, GetVolumeInformationA, WideCharToMultiByte, CreateProcessA, lstrcmpiA, SetErrorMode, MultiByteToWideChar, GetLocalTime, lstrlenA, CreateFileW, ReadFile, GetConsoleCP, GetConsoleMode, LoadLibraryA, InitializeCriticalSection, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, FlushFileBuffers, WriteConsoleW, CloseHandle, RtlUnwind, HeapAlloc, HeapFree, HeapReAlloc, RaiseException, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCommandLineA, GetProcessHeap, GetStartupInfoA, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, GetProcAddress, TlsGetValue, TlsAlloc
GDI32.dll	SetTextColor, SetTextAlign, GetBkColor, GetTextExtentPoint32A, ExtTextOutA, CreateDCA, GetDeviceCaps, CreateFontIndirectA, DeleteDC, SelectObject, DeleteObject, SetBkColor
ADVAPI32.dll	RegQueryValueA
COMCTL32.dll

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: nitdmexcel_18-0-1.exe PID: 3560 Parent PID: 1768

General

Start time:	08:31:09
Start date:	19/08/2021
Path:	C:\Users\user\Desktop\nitdmexcel_18-0-1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\nitdmexcel_18-0-1.exe'
Imagebase:	0x400000
File size:	78606216 bytes
MD5 hash:	DA499C2A422B153807FB587D6182EBB6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report nitdmexcel_18-0-1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

Jbx Signature Overview

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: nitdmexcel_18-0-1.exe PID: 3560 Parent PID: 1768

General

Chronological Activities

Disassembly

Code Analysis