Windows Analysis Report nitdmexcel_18-0-1.exe
Overview
General Information
Detection
Score: | 22 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
Process Tree |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
nitdmexcel_18-0-1.exe | JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security | |
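The only rule that fires on this sample is the one above: a hidden Excel 4.0 (XLM) macro sheet. In the BIFF8 file format that is a BoundSheet8 record whose dt byte is 0x01 (macro sheet) and whose hsState bits are non-zero (hidden or very hidden). The Python below is an added example, not part of the report and not Joe Security's rule; it implements that check directly on a raw Workbook stream by walking the BIFF record chain and decoding each BoundSheet8 record. The workbook bytes it scans are constructed inline with the helper boundsheet_record; for a real .xls you would open the OLE container (e.g. with olefile), read its "Workbook" stream and pass it to find_hidden_macro_sheets.

```python
import struct

BOUNDSHEET = 0x0085   # BoundSheet8 record type
EOF = 0x000A          # EOF record: end of the Globals substream, which holds the sheet list

SHEET_TYPE = {0x00: "worksheet", 0x01: "excel4-macro", 0x02: "chart", 0x06: "vba-module"}
HIDDEN_STATE = {0: "visible", 1: "hidden", 2: "very-hidden"}


def iter_records(stream: bytes):
    """Yield (record_type, payload) for each BIFF record, stopping at EOF or truncation."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        off += 4
        payload = stream[off:off + rlen]
        if len(payload) < rlen:        # truncated record: stop instead of misparsing the tail
            return
        off += rlen
        yield rtype, payload
        if rtype == EOF:
            return


def parse_boundsheet(payload: bytes) -> dict:
    """Decode BoundSheet8: lbPlyPos, hsState (2 bits), dt (1 byte), ShortXLUnicodeString name."""
    if len(payload) < 8:
        raise ValueError("BoundSheet8 record too short")
    lb_ply_pos, grbit, cch, flags = struct.unpack_from("<IHBB", payload, 0)
    hs_state = grbit & 0x03            # low two bits of the first byte
    dt = grbit >> 8                    # sheet type is the second byte
    name_raw = payload[8:]
    if flags & 0x01:                   # fHighByte: UTF-16LE, two bytes per character
        name = name_raw[:cch * 2].decode("utf-16-le", errors="replace")
    else:                              # compressed: one byte per character
        name = name_raw[:cch].decode("latin-1")
    return {
        "name": name,
        "offset": lb_ply_pos,
        "state": HIDDEN_STATE.get(hs_state, f"unknown({hs_state})"),
        "type": SHEET_TYPE.get(dt, f"unknown({dt:#04x})"),
    }


def list_sheets(stream: bytes) -> list:
    """All BoundSheet8 entries of a Workbook stream, in file order."""
    return [parse_boundsheet(p) for t, p in iter_records(stream) if t == BOUNDSHEET]


def find_hidden_macro_sheets(stream: bytes) -> list:
    """Excel 4.0 macro sheets whose hsState is hidden or very hidden."""
    return [s for s in list_sheets(stream)
            if s["type"] == "excel4-macro" and s["state"] != "visible"]


def boundsheet_record(name: str, hs_state: int, dt: int, lb_ply_pos: int = 0x1000) -> bytes:
    """Build one BoundSheet8 record with a compressed (8-bit) name, for the constructed sample."""
    raw = name.encode("latin-1")
    body = struct.pack("<IHBB", lb_ply_pos, (dt << 8) | (hs_state & 0x03), len(raw), 0) + raw
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body


# Constructed sample (not taken from the analysed file): BOF, three sheets, EOF.
# "Macro1" is an Excel 4.0 macro sheet marked very hidden; the other two are benign.
SAMPLE_WORKBOOK = (
    struct.pack("<HH", 0x0809, 16) + bytes(16)         # BOF record with a zeroed body
    + boundsheet_record("Sheet1", 0, 0x00)
    + boundsheet_record("Macro1", 2, 0x01)
    + boundsheet_record("Chart1", 0, 0x02)
    + struct.pack("<HH", EOF, 0)
)

if __name__ == "__main__":
    for sheet in find_hidden_macro_sheets(SAMPLE_WORKBOOK):
        print(f"hidden Excel 4.0 macro sheet {sheet['name']!r} ({sheet['state']}) at 0x{sheet['offset']:x}")
```

A visible macro sheet and a hidden ordinary worksheet are both left alone; only the combination of macro type and non-visible state is reported, which is the same condition that makes a sheet invisible in the Excel UI while its XLM formulas still run on Auto_Open.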
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
Source: | Static PE information: |
Source: | Binary string: |
Source: | String found in binary or memory: |
Source: | Static PE information: |
Source: | File read: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | String found in binary or memory: |
Source: | Classification label: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: |
Source: | Process information set: |
Source: | Binary or memory string: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Yara detected hidden Macro 4.0 in Excel |
Source: | File source: |
Source: | Code function: |
Mitre Att&ck Matrix |
---|
Tactic | Technique | Matched signatures |
---|---|---|
Execution | Command and Scripting Interpreter | 2 |
Discovery | System Time Discovery | 1 |
Discovery | Security Software Discovery | 1 |
Discovery | System Information Discovery | 2 |
No technique was matched under Initial Access, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects or Impact. |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
nitdmexcel_18-0-1.exe | 0% | Virustotal | | |
nitdmexcel_18-0-1.exe | 0% | ReversingLabs | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown |
Contacted IPs |
---|
No contacted IP infos |
---|
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 467975 |
Start date: | 19.08.2021 |
Start time: | 08:29:53 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 22s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | nitdmexcel_18-0-1.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 27 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | SUS |
Classification: | sus22.expl.winEXE@1/0@0/0 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.9993729480097455 |
TrID: | |
File name: | nitdmexcel_18-0-1.exe |
File size: | 78606216 |
MD5: | da499c2a422b153807fb587d6182ebb6 |
SHA1: | 514d01c97416c4dd562a30c430b7e6f7b4e23cc4 |
SHA256: | e3ab996aa8a613d02205ccb7fad0141212088974ced8672f332d63a4c2ee8119 |
SHA512: | e03f698acfd9b2fb97f08b807a1353a577383d0bbe6ebf0ae75dafb333d83f303e4679b538d6539b93f9c195f408ba02a25fe549b793702f4d0dd6e258b34562 |
SSDEEP: | 1572864:Jotcw0U43/qeP6WR01QSlKe2LCc34RrJ0FVjGyLfnm2rGepGtN4M1DJQmCONvgtD:U9m3ieiWb1e2LCc34MkGfnm2yBSyDJQp |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qw.W5...5...5.......&.......E...5...........8...............4.......4...5...7.......4...Rich5...........................PE..L.. |
File Icon |
---|
Icon Hash: | 0ac3cc9cd4728e36 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x40a79e |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x4AEF3FA7 [Mon Nov 2 20:23:03 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f2f9102c7663962c22d17a8dabc5e7ce |
Authenticode Signature |
---|
Signature Valid: | true |
Signature Issuer: | CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After: | |
Subject Chain: | |
Version: | 3 |
Thumbprint MD5: | 1C8D1A5469552A41DE716974A986D673 |
Thumbprint SHA-1: | 70B8BA3A50BCDBAD1DC2C86C6DEB1D78215EA111 |
Thumbprint SHA-256: | 4750C8643DF6099EA03EB3ADA1157EEFC149A3BAC6DBB31760A4DC0AFC41C007 |
Serial: | 61C3329855F6476CFCB4FCF359E55909 |
Entrypoint Preview |
---|
Instruction |
---|
call 00007F7724999AD3h |
jmp 00007F7724994E7Bh |
push ebp |
mov ebp, esp |
sub esp, 00000328h |
mov dword ptr [00423C20h], eax |
mov dword ptr [00423C1Ch], ecx |
mov dword ptr [00423C18h], edx |
mov dword ptr [00423C14h], ebx |
mov dword ptr [00423C10h], esi |
mov dword ptr [00423C0Ch], edi |
mov word ptr [00423C38h], ss |
mov word ptr [00423C2Ch], cs |
mov word ptr [00423C08h], ds |
mov word ptr [00423C04h], es |
mov word ptr [00423C00h], fs |
mov word ptr [00423BFCh], gs |
pushfd |
pop dword ptr [00423C30h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [00423C24h], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [00423C28h], eax |
lea eax, dword ptr [ebp+08h] |
mov dword ptr [00423C34h], eax |
mov eax, dword ptr [ebp-00000320h] |
mov dword ptr [00423B70h], 00010001h |
mov eax, dword ptr [00423C28h] |
mov dword ptr [00423B24h], eax |
mov dword ptr [00423B18h], C0000409h |
mov dword ptr [00423B1Ch], 00000001h |
mov eax, dword ptr [00417420h] |
mov dword ptr [ebp-00000328h], eax |
mov eax, dword ptr [00417424h] |
mov dword ptr [ebp-00000324h], eax |
call dword ptr [004131B4h] |
Rich Headers |
---|
Programming Language: | |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x16710 | 0x32 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15844 | 0x8c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26000 | 0x3810 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4af3000 | 0x3f88 | _winzip_ |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x14e48 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x2b8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x11ff5 | 0x12000 | False | 0.624267578125 | data | 6.62017390291 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x13000 | 0x3742 | 0x4000 | False | 0.329284667969 | data | 4.93791623439 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x17000 | 0xe744 | 0x2000 | False | 0.17333984375 | data | 1.98004673265 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x26000 | 0x3810 | 0x4000 | False | 0.250915527344 | data | 4.52435452726 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
_winzip_ | 0x2a000 | 0x4ad6000 | 0x4ad6000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
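The section table shows the self-extractor's payload carried as a 0x4ad6000-byte section named _winzip_, and the data directories above place the Authenticode blob (IMAGE_DIRECTORY_ENTRY_SECURITY at file offset 0x4af3000) inside that section's raw range, i.e. the signature was applied after the archive was appended and so covers it. The Python below is an added example, not code from the report or from WinZip: it walks the PE section table with struct alone, carves the _winzip_ section, trims the signature blob off the tail when the security directory points inside the section, lists the archive members, and picks out the ones with Excel extensions that a macro-sheet scan should look at. The PE it parses is a minimal constructed stand-in built by build_sample_sfx (a zeroed .text section plus a tiny zip and a dummy trailer); its offsets, member names and trailer bytes are made up for the demonstration.

```python
import io
import struct
import zipfile

EXCEL_EXTENSIONS = (".xls", ".xlt", ".xla", ".xlsm", ".xlam", ".xltm", ".xlsb")
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def pe_sections(data: bytes):
    """Walk the PE header with struct only; return the section list and the security directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)        # data directories: PE32 vs PE32+
    # The security directory's "VirtualAddress" is a file offset, not an RVA.
    sec_off, sec_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    table = opt + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return sections, (sec_off, sec_size)


def carve_winzip_archive(data: bytes):
    """Return the members of the archive stored in the _winzip_ section, or None if absent."""
    sections, (sec_off, sec_size) = pe_sections(data)
    wz = next((s for s in sections if s["name"] == "_winzip_"), None)
    if wz is None:
        return None
    start, end = wz["raw_ptr"], wz["raw_ptr"] + wz["raw_size"]
    signature_inside = sec_size > 0 and start <= sec_off < end
    if signature_inside:
        end = sec_off          # the Authenticode blob follows the archive; keep it out of the carve
    blob = data[start:end]
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:     # zipfile corrects stub-relative offsets itself
        members = [(zi.filename, zi.file_size) for zi in zf.infolist()]
    return {"members": members, "signature_in_section": signature_inside, "archive_bytes": len(blob)}


def excel_members(members) -> list:
    """Member names that a macro-sheet scan should look at."""
    return [name for name, _ in members if name.lower().endswith(EXCEL_EXTENSIONS)]


# ---- constructed stand-in for a WinZip self-extractor (layout only, no real SFX stub code) ----

def _round_up(n: int, align: int) -> int:
    return (n + align - 1) // align * align


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("docs/readme.txt", "constructed sample archive\n")
        zf.writestr("addin/sample.xls", b"\xd0\xcf\x11\xe0" + bytes(28))   # OLE magic only, placeholder
    return buf.getvalue()


def build_sample_sfx(payload: bytes, trailer: bytes) -> bytes:
    """Minimal PE32 with a .text section and a _winzip_ section holding payload + trailer,
    the security data directory pointing at the trailer, as in the analysed file's layout."""
    nsect, opt_size, align = 2, 224, 0x200
    header_len = 0x40 + 4 + 20 + opt_size + 40 * nsect
    text_ptr = _round_up(header_len, align)
    text = bytes(align)
    wz_ptr = text_ptr + len(text)
    sec_off = wz_ptr + len(payload)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, opt_size, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (sec_off, len(trailer))
    opt = struct.pack("<H", 0x10B) + bytes(94) + b"".join(struct.pack("<II", *d) for d in dirs)

    def section(name, vsize, va, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    wz_len = len(payload) + len(trailer)
    sects = (section(b".text", len(text), 0x1000, len(text), text_ptr, 0x60000020)
             + section(b"_winzip_", wz_len, 0x2000, wz_len, wz_ptr, 0x42000040))
    hdr = dos + b"PE\0\0" + coff + opt + sects
    return hdr + bytes(text_ptr - len(hdr)) + text + payload + trailer


SAMPLE_ZIP = build_sample_zip()
SAMPLE_TRAILER = b"\x30\x82" + bytes(254)        # stand-in for the PKCS#7 blob, not a real signature
SAMPLE_SFX = build_sample_sfx(SAMPLE_ZIP, SAMPLE_TRAILER)

if __name__ == "__main__":
    result = carve_winzip_archive(SAMPLE_SFX)
    print(result)
    print("hand to macro scan:", excel_members(result["members"]))
```

On the real file the same walk lands on the 0x4ad6000-byte _winzip_ section and stops the carve at 0x4af3000, where the 0x3f88-byte signature blob starts; the zip end-of-central-directory record then sits at the end of the carved bytes exactly as zipfile expects. Trimming matters less for small trailers, since zipfile searches the last 64 KiB for that record, but it keeps the archive hash stable regardless of how large the signature is.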
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
WZ_MANIFEST | 0x26378 | 0x5df | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
RT_ICON | 0x26958 | 0x2e8 | data | English | United States |
RT_ICON | 0x26c40 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States |
RT_DIALOG | 0x26d68 | 0x27e | data | English | United States |
RT_DIALOG | 0x26fe8 | 0x192 | data | English | United States |
RT_STRING | 0x2717c | 0x2fc | data | English | United States |
RT_STRING | 0x27478 | 0x16e | Hitachi SH big-endian COFF object file, not stripped, 21248 sections, symbol offset=0x75007000 | English | United States |
RT_STRING | 0x275e8 | 0x91a | data | English | United States |
RT_STRING | 0x27f04 | 0x880 | data | English | United States |
RT_STRING | 0x28784 | 0x4fe | data | English | United States |
RT_STRING | 0x28c84 | 0x518 | data | English | United States |
RT_STRING | 0x2919c | 0x6e | data | English | United States |
RT_GROUP_ICON | 0x2920c | 0x30 | data | English | United States |
RT_MANIFEST | 0x2923c | 0x5d4 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
Imports |
---|
DLL | Import |
---|---|
SHELL32.dll | SHGetPathFromIDListA, SHGetSpecialFolderLocation, ShellExecuteA, FindExecutableA, SHBrowseForFolderA, SHGetMalloc |
USER32.dll | GetClientRect, SetRect, EndPaint, LoadCursorA, GetLastActivePopup, KillTimer, ShowWindow, PostMessageA, SendMessageA, EnableWindow, SetTimer, SetWindowTextA, SetForegroundWindow, SetActiveWindow, SetDlgItemTextA, GetKeyState, CharUpperBuffA, PeekMessageA, GetSysColor, DispatchMessageA, GetParent, SendDlgItemMessageA, GetDlgItem, InvalidateRect, UpdateWindow, LoadStringA, MessageBoxA, DialogBoxParamA, GetWindowLongA, SetWindowLongA, GetDlgItemTextA, EndDialog, GetWindowRect, GetSystemMetrics, SetWindowPos, SetCursor, CharNextA, BeginPaint, SetWindowWord, GetWindowWord, DefWindowProcA, RegisterClassA, TranslateMessage |
KERNEL32.dll | GetLocaleInfoA, GetStringTypeW, GetStringTypeA, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, LCMapStringW, LCMapStringA, GetStdHandle, HeapCreate, HeapDestroy, VirtualAlloc, VirtualFree, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapSize, Sleep, GetCurrentThreadId, SetLastError, TlsFree, TlsSetValue, GetVersionExA, FindClose, FindFirstFileA, GetCurrentDirectoryA, SetCurrentDirectoryA, CreateDirectoryA, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, LocalAlloc, GetDriveTypeA, GetEnvironmentVariableA, SetFilePointer, CreateFileA, GetWindowsDirectoryA, GlobalFree, GlobalUnlock, GlobalHandle, _lclose, _llseek, _lread, _lopen, GlobalLock, GlobalAlloc, GlobalMemoryStatus, GetVersion, GetModuleFileNameA, WriteFile, GetSystemTime, LocalFree, ExitProcess, FormatMessageA, GetLastError, GetModuleHandleA, GetVolumeInformationA, WideCharToMultiByte, CreateProcessA, lstrcmpiA, SetErrorMode, MultiByteToWideChar, GetLocalTime, lstrlenA, CreateFileW, ReadFile, GetConsoleCP, GetConsoleMode, LoadLibraryA, InitializeCriticalSection, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, FlushFileBuffers, WriteConsoleW, CloseHandle, RtlUnwind, HeapAlloc, HeapFree, HeapReAlloc, RaiseException, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCommandLineA, GetProcessHeap, GetStartupInfoA, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, GetProcAddress, TlsGetValue, TlsAlloc |
GDI32.dll | SetTextColor, SetTextAlign, GetBkColor, GetTextExtentPoint32A, ExtTextOutA, CreateDCA, GetDeviceCaps, CreateFontIndirectA, DeleteDC, SelectObject, DeleteObject, SetBkColor |
ADVAPI32.dll | RegQueryValueA |
COMCTL32.dll |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
System Behavior |
---|
General |
---|
Start time: | 08:31:09 |
Start date: | 19/08/2021 |
Path: | C:\Users\user\Desktop\nitdmexcel_18-0-1.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 78606216 bytes |
MD5 hash: | DA499C2A422B153807FB587D6182EBB6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|