| Field | Value |
|---|---|
| File name: | NX_PRNMAN.exe |
| Full analysis: | https://app.any.run/tasks/c8be9df0-05f1-4586-99b5-64fa81f35913 |
| Verdict: | Malicious activity |
| Analysis date: | January 29, 2024, 07:49:22 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | D259EF7500E7E667AFC42E9570F9707A |
| SHA1: | AA3513A5E4BD306FDA2484157661894B5949750A |
| SHA256: | A4B4B5518B377202E4415A064BCFD7925043BE78568C12FFBC2A0C333B2D604D |
| SSDEEP: | 98304:UVf9KPtBiIcVzJAgytt3VYrMDO+q0vlMVyBiyyRb+Y207U07eW+6k847cTtXGxXW:SvkdiAHQ2LsDDnyX3eePvEQK |
| Extension | File type (match score) |
|---|---|
| .exe | Inno Setup installer (77.7) |
| .exe | Win32 Executable Delphi generic (10) |
| .dll | Win32 Dynamic Link Library (generic) (4.6) |
| .exe | Win32 Executable (generic) (3.1) |
| .exe | Win16/32 Executable Delphi generic (1.4) |
| Property | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 1992:06:20 00:22:17+02:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 41472 |
| InitializedDataSize: | 17920 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xaa98 |
| OSVersion: | 1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.0.0.3 |
| ProductVersionNumber: | 2.0.0.3 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | SGASolutions Co.,Ltd. |
| FileDescription: | SGASolutions NX_PRNMAN Setup |
| FileVersion: | 2.0.0.3 |
| LegalCopyright: | |
| ProductName: | SGASolutions NX_PRNMAN |
| ProductVersion: | 2.0.0.3 |
| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Exit code | Company | Description | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 568 | "taskkill.exe" /f /im "UpdateManager.exe" | C:\Windows\System32\taskkill.exe | — | NX_PRNMAN.tmp | admin | HIGH | 128 | Microsoft Corporation | Terminates Processes | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 880 | "C:\Program Files\EPS\Lib\Support\PWSLocalServer.exe" i | C:\Program Files\EPS\Lib\Support\PWSLocalServer.exe | | NX_PRNMAN.tmp | admin | HIGH | 0 | SGA Corp | SGA Client Support Service | 1.1.11.8 |
| 884 | "C:\Program Files\EPS\Lib\Support\PWSLocalServer.exe" u | C:\Program Files\EPS\Lib\Support\PWSLocalServer.exe | — | NX_PRNMAN.tmp | admin | HIGH | 1060 | SGA Corp | SGA Client Support Service | 1.1.11.8 |
| 984 | "C:\Users\admin\AppData\Local\Temp\NX_PRNMAN.exe" | C:\Users\admin\AppData\Local\Temp\NX_PRNMAN.exe | | explorer.exe | admin | MEDIUM | 0 | SGASolutions Co.,Ltd. | SGASolutions NX_PRNMAN Setup | 2.0.0.3 |
| 1028 | C:\Windows\system32\cmd.exe /c certutilFF.exe -A -n "SGASolutionsCA" -t "CT,C,C" -i "root.der" -d "sql:C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles/qldyz51w.default" | C:\Windows\System32\cmd.exe | — | FFRegCert.exe | admin | HIGH | 0 | Microsoft Corporation | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1376 | "C:\Program Files\EPS\Lib\Support\RegCert.exe" u | C:\Program Files\EPS\Lib\Support\RegCert.exe | | NX_PRNMAN.tmp | admin | HIGH | 0 | SGA Solutions | SGA Solutions Client Support Program | 1.0.0.1 |
| 1428 | C:\Windows\system32\cmd.exe /c certutilFF.exe -L -d "C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles/qldyz51w.default" | C:\Windows\System32\cmd.exe | — | FFRegCert.exe | admin | HIGH | 255 | Microsoft Corporation | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1576 | "C:\Windows\System32\cmd.exe" /C del "C:\Program Files\EPS\Lib\PRNMAN\VerMan.dll" | C:\Windows\System32\cmd.exe | — | NX_PRNMAN.tmp | admin | HIGH | 1 | Microsoft Corporation | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2064 | "C:\Windows\System32\cmd.exe" /C r /u /s "C:\Program Files\EPS\Lib\PRNMAN\VerMan64.dll" | C:\Windows\System32\cmd.exe | — | NX_PRNMAN.tmp | admin | HIGH | 1 | Microsoft Corporation | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2176 | "C:\Program Files\EPS\Lib\PRNMAN\RDDN.exe" u | C:\Program Files\EPS\Lib\PRNMAN\RDDN.exe | — | NX_PRNMAN.tmp | admin | HIGH | 0 | | | |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 2388 | NX_PRNMAN.tmp | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1 |
| 2388 | NX_PRNMAN.tmp | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1 |
| 2388 | NX_PRNMAN.tmp | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1 |
| 2388 | NX_PRNMAN.tmp | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0 |
| 2388 | NX_PRNMAN.tmp | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\ActiveXFiltering | IsEnabled | 0 |
| 1376 | RegCert.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList | en-US |
| 2388 | NX_PRNMAN.tmp | delete value | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | RegFilesHash | E938C4D306CB3DD28EB2414615CC45950B21D8DB076959BEF6FD6640E4B44903 |
| 2388 | NX_PRNMAN.tmp | delete value | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | RegFiles0000 | C:\Program Files\EPS\Lib\Support\certutilFF.exe |
| 2388 | NX_PRNMAN.tmp | delete value | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | Sequence | 1 |
| 2388 | NX_PRNMAN.tmp | delete value | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | SessionHash | C5ECFFDB2FDF2DB8ED6C8B33B0FCB0BAF67B7E53392B8A9595CBC4EE7BE3D27B |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2388 | NX_PRNMAN.tmp | C:\Program Files\EPS\Lib\PRNMAN\is-UVKCL.tmp | executable | 9F4922AC971E42B3E2823E23083EE667 | FA34A20E8ABAD8EFB57A6CD9EEB6653B0D4D5EBC5131340EDE1C5BDF847CBD67 |
| 2388 | NX_PRNMAN.tmp | C:\Program Files\EPS\Lib\Support\is-K962O.tmp | executable | F8DA06687FB47CA2C355C38CA2766262 | 64AD18F4D9BEF01B86E39CA1E774DFA37DB46BC8267453C418DD7F723D6D014C |
| 2388 | NX_PRNMAN.tmp | C:\Program Files\EPS\Lib\Support\is-0OJ7C.tmp | executable | CF51AFFA5CA1B8BC43B75A3B77392D83 | 6FF86CFF82CA974DCF487F5901712D3529135136F3D9218696245479407451C8 |
| 984 | NX_PRNMAN.exe | C:\Users\admin\AppData\Local\Temp\is-C0IJF.tmp\NX_PRNMAN.tmp | executable | 832DAB307E54AA08F4B6CDD9B9720361 | CC783A04CCBCA4EDD06564F8EC88FE5A15F1E3BB26CEC7DE5E090313520D98F3 |
| 2388 | NX_PRNMAN.tmp | C:\Program Files\EPS\Lib\Support\is-RNFQ3.tmp | executable | 8E06FAE8E03485A85D5A12C7BDDD9726 | 05CC3E5D9025A8836DD19099850C416633832BC729307E3187D43278A2C10BA5 |
| 2388 | NX_PRNMAN.tmp | C:\Program Files\EPS\Lib\Support\freebl3.dll | executable | A850F99F4DDBCFD79FF7208C3A65CADF | 127253D228ACDCD7FFF0590C6F773FEF998CD60AFF9D8F153AE39B998EC0FBB3 |
| 2388 | NX_PRNMAN.tmp | C:\Program Files\EPS\Lib\Support\is-EJTCT.tmp | executable | 8492B2E4F69D3F0957A399251E79C145 | DF268228C55B77A571C2E07ED058B69222A1A4342AF080022C004B404AA0607F |
| 2388 | NX_PRNMAN.tmp | C:\Program Files\EPS\Lib\Support\FFRegCert.exe | executable | CF51AFFA5CA1B8BC43B75A3B77392D83 | 6FF86CFF82CA974DCF487F5901712D3529135136F3D9218696245479407451C8 |
| 2388 | NX_PRNMAN.tmp | C:\Program Files\EPS\Lib\Support\certutilFF.exe | executable | F8DA06687FB47CA2C355C38CA2766262 | 64AD18F4D9BEF01B86E39CA1E774DFA37DB46BC8267453C418DD7F723D6D014C |
| 2240 | NX_PRNMAN.exe | C:\Users\admin\AppData\Local\Temp\is-H53CS.tmp\NX_PRNMAN.tmp | executable | 832DAB307E54AA08F4B6CDD9B9720361 | CC783A04CCBCA4EDD06564F8EC88FE5A15F1E3BB26CEC7DE5E090313520D98F3 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| Process | Message |
|---|---|
| PWSLocalServer.exe | 로그 설정 파일이 없습니다. |
| PWSLocalServer.exe | 로그 설정 파일이 없습니다. |
| PWSLocalServer.exe | 로그 설정 파일이 없습니다. |
| PWSLocalServer.exe | 로그 설정 파일이 없습니다. |
| PWSLocalServer.exe | 로그 설정 파일이 없습니다. |
| PWSLocalServer.exe | 로그 설정 파일이 없습니다. |
| PWSLocalServer.exe | 로그 설정 파일이 없습니다. |
| PWSLocalServer.exe | 로그 설정 파일이 없습니다. |
| PWSLocalServer.exe | 로그 설정 파일이 없습니다. |
| PWSLocalServer.exe | 로그 설정 파일이 없습니다. |