
Windows Analysis Report nitdmexcel_18-0-1.exe

Overview

General Information

Sample Name: nitdmexcel_18-0-1.exe
Analysis ID: 467975
MD5: da499c2a422b153807fb587d6182ebb6
SHA1: 514d01c97416c4dd562a30c430b7e6f7b4e23cc4
SHA256: e3ab996aa8a613d02205ccb7fad0141212088974ced8672f332d63a4c2ee8119

Detection

Hidden Macro 4.0
Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Yara detected hidden Macro 4.0 in Excel
Uses 32bit PE files
PE file contains an invalid checksum
PE file contains strange resources
PE file contains sections with non-standard names

Classification

Process Tree

  • System is w10x64
  • nitdmexcel_18-0-1.exe (PID: 3560 cmdline: 'C:\Users\user\Desktop\nitdmexcel_18-0-1.exe' MD5: DA499C2A422B153807FB587D6182EBB6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
NI_EX00_fra.mst | JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Source: nitdmexcel_18-0-1.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: nitdmexcel_18-0-1.exe | Static PE information: certificate valid
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb | source: WindowsInstaller-KB893803-v2-x86.exe
Source: Binary string: A.pdb | source: MIFSystemUtility.dll
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU | source: WindowsInstaller-KB893803-v2-x86.exe
Source: Binary string: c:\P4\NIInstallers\trunk\18.0\src\MetaUtils\NI-PathsStub\Unicode_Release\NIPathsStub.pdb | source: MDFSupport.msi
Source: Binary string: c:\P4\NIInstallers\trunk\17.0\src\MetaUtils\NI-PathsStub\Unicode_Release\NIPathsStub.pdb | source: EULADepot2.msi
Source: MIFSystemUtility.dll | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: EULADepot2.msi | String found in binary or memory: http://digital.ni.com/express.nsf/bycode/InstallerForMicrosoftSilverlight
Source: MIFSystemUtility.dll | String found in binary or memory: http://ocsp.thawte.com0
Source: MIFSystemUtility.dll | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: MIFSystemUtility.dll | String found in binary or memory: http://s.symcd.com06
Source: MIFSystemUtility.dll | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: MIFSystemUtility.dll | String found in binary or memory: http://s2.symcb.com0
Source: MIFSystemUtility.dll | String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: MIFSystemUtility.dll | String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: MIFSystemUtility.dll | String found in binary or memory: http://sf.symcd.com0&
Source: MIFSystemUtility.dll | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: MIFSystemUtility.dll | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: MIFSystemUtility.dll | String found in binary or memory: http://sv.symcd.com0&
Source: MIFSystemUtility.dll | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: MIFSystemUtility.dll | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: MIFSystemUtility.dll | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: MIFSystemUtility.dll | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: MIFSystemUtility.dll | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: MIFSystemUtility.dll | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: EULADepot2.msi | String found in binary or memory: http://www.chilkatsoft.com/p/p_463.asp)
Source: NI Released License Agreement - English.rtf, NI Released License Agreement - French.rtf, NI Released License Agreement - German.rtf, NI Released License Agreement - Italian.rtf, NI Released License Agreement - Spanish.rtf, EULADepot2.msi, MSIProperties.msi | String found in binary or memory: http://www.ni.com/driverinterfacesoftware
Source: MSIProperties.msi | String found in binary or memory: http://www.ni.com/legal/export-compliance.htm
Source: EULADepot2.msi | String found in binary or memory: http://www.ni.com/legal/export-compliance.htm.
Source: NI Released License Agreement - Spanish.rtf | String found in binary or memory: http://www.ni.com/legal/privacy/unitedstates/us/
Source: MSIProperties.msi | String found in binary or memory: http://www.ni.com/legal/termsofsale
Source: MIFSystemUtility.dll | String found in binary or memory: http://www.symauth.com/cps0(
Source: MIFSystemUtility.dll | String found in binary or memory: http://www.symauth.com/rpa00
Source: nitdmexcel_18-0-1.exe | String found in binary or memory: http://www.winzip.com
Source: MSIProperties.msi | String found in binary or memory: http://zone.ni.com/devzone/cda/tut/p/id/9561
Source: MIFSystemUtility.dll | String found in binary or memory: https://d.symcb.com/cps0%
Source: MIFSystemUtility.dll | String found in binary or memory: https://d.symcb.com/rpa0
Source: MIFSystemUtility.dll | String found in binary or memory: https://d.symcb.com/rpa0.
Source: nitdmexcel_18-0-1.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\nitdmexcel_18-0-1.exe | File read: C:\Users\user\Desktop\nitdmexcel_18-0-1.exe
Source: nitdmexcel_18-0-1.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nitdmexcel_18-0-1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: niPie.exe | String found in binary or memory: /install
Source: niPie.exe | String found in binary or memory: ^@INSTALL\Software\National Instruments\Common\Installer\Pending\PackagesSoftware\National Instruments\Common\Installer\Pending\Deletes...%s\%s%s\*.*Value-ValueNameKeySoftware\National Instruments\Common\Installer\Pending\Registry\DeleteSoftware\National Instruments\Common\Installer\Pending\Registry\AddSoftware\National Instruments\Common\Installer\Pending\Registry/sREMOVEALL%s %s/remove"/install/test/qMutex FailedNested Install_MSIExecute/qnmSoftware\National Instruments\Common\Installer\Pending/undo%s ,\FeaturesTrueLaunchedByUpgrade\ProductsSoftware\National Instruments\Common\InstallerNIUPDMGRtrue
Source: classification engine | Classification label: sus22.expl.winEXE@1/0@0/0
Source: nitdmexcel_18-0-1.exe | Static file information: File size 78606216 > 1048576
Source: nitdmexcel_18-0-1.exe | Static PE information: Raw size of _winzip_ is bigger than: 0x100000 < 0x4ad6000
Source: nitdmexcel_18-0-1.exe | Static PE information: real checksum: 0x4af8739 should be:
Source: nitdmexcel_18-0-1.exe | Static PE information: section name: _winzip_
Source: C:\Users\user\Desktop\nitdmexcel_18-0-1.exe | Process information set: NOOPENFILEERRORBOX
Source: MIFSystemUtility.dll | Binary or memory string: hGfsu
Source: MDFSuppo.cab | Binary or memory string: VMci5

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match | File source: NI_EX00_fra.mst, type: SAMPLE
Source: C:\Users\user\Desktop\nitdmexcel_18-0-1.exe | Code function: 0_2_0040F211 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_0040F211

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter (2) | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | System Time Discovery (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Security Software Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | System Information Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Screenshots