| File name: | nnx.exe |
| Full analysis: | https://app.any.run/tasks/6164db56-8822-4554-a3dd-81777a394dcb |
| Verdict: | Malicious activity |
| Analysis date: | September 25, 2024, 00:54:56 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 45645F17E3B014B9BCE89A793F5775B2 |
| SHA1: | B20D0DE04D751C8475250DA06F488F3B611DAF98 |
| SHA256: | AD71046CC82395F068BD15E4CA59EC27AD05ADD011D70326E13A64A95ACC6FED |
| SSDEEP: | 768:Lc/KfJsN6ePDyl0xMFM5O18G7mkpt0WfjIYOVrrzvzFWgXxG3w2tu6AQ:YKmvPDy+4QO18Ghpim8VrrjzX5M |
MALICIOUS
Application was injected by another process
- explorer.exe (PID: 1296)
Runs injected code in another process
- nnx.exe (PID: 2180)
Request for a sinkholed resource
- svchost.exe (PID: 1060)
Changes the autorun value in the registry
- explorer.exe (PID: 1296)
Connects to the CnC server
- explorer.exe (PID: 1296)
SUSPICIOUS
Application launched itself
- nnx.exe (PID: 1632)
Write to the desktop.ini file (may be used to cloak folders)
- explorer.exe (PID: 1296)
Contacting a server suspected of hosting an CnC
- explorer.exe (PID: 1296)
Connects to unusual port
- explorer.exe (PID: 1296)
INFO
The process uses the downloaded file
- explorer.exe (PID: 1296)
Checks supported languages
- nnx.exe (PID: 2180)
- nnx.exe (PID: 1632)
- wmpnscfg.exe (PID: 1796)
Reads the computer name
- wmpnscfg.exe (PID: 1796)
- nnx.exe (PID: 2180)
Reads security settings of Internet Explorer
- explorer.exe (PID: 1296)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable Microsoft Visual Basic 6 (90.6) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (4.9) |
| .exe | | | Generic Win/DOS Executable (2.2) |
| .exe | | | DOS Executable Generic (2.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2009:09:01 21:40:51+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 65536 |
| InitializedDataSize: | 28672 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x10e4 |
| OSVersion: | 4 |
| ImageVersion: | 1.22 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.22.0.22 |
| ProductVersionNumber: | 1.22.0.22 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | FZIYe8z8cCIe8aed |
| ProductName: | Db16Wbu74 |
| FileVersion: | 1.22.0022 |
| ProductVersion: | 1.22.0022 |
| InternalName: | NnXRFTMgh8ioAv7d |
| OriginalFileName: | NnXRFTMgh8ioAv7d.exe |
Total processes
36
Monitored processes
5
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1060 | C:\Windows\system32\svchost.exe -k NetworkService | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1296 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1632 | "C:\Users\admin\AppData\Local\Temp\nnx.exe" | C:\Users\admin\AppData\Local\Temp\nnx.exe | — | explorer.exe | |||||||||||
User: admin Company: FZIYe8z8cCIe8aed Integrity Level: MEDIUM Exit code: 0 Version: 1.22.0022 Modules
| |||||||||||||||
| 1796 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2180 | C:\Users\admin\AppData\Local\Temp\nnx.exe | C:\Users\admin\AppData\Local\Temp\nnx.exe | — | nnx.exe | |||||||||||
User: admin Company: FZIYe8z8cCIe8aed Integrity Level: MEDIUM Exit code: 0 Version: 1.22.0022 Modules
| |||||||||||||||
Total events
243
Read events
215
Write events
28
Delete events
0
Modification events
| (PID) Process: | (1296) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
| Operation: | write | Name: | CheckSetting |
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB0100000060BC9EA302823E4888443E6713E98FC7000000000200000000001066000000010000200000002DE499900BD7D564FF7EA1AA200CEE809F564E5CCC258881A774B247D94DA1BB000000000E8000000002000020000000811D2D9DAF84BFCF93B42D3D7C1681FDE8EDB2696BCE6E0190259ADEB312E1273000000074965A9FCCEC8F260A258D5A4AF30E4AA955009D64C4194A150B15AE2D2D7E2C4D010CB5C1BDAED2929D7DF3ADC17C07400000004ADF8F70532C18F85890F1F92642F8098ACB53F0CEC251A02F3E212717F4DF75B3D33D573507B283265ACA7974064E8C0BD715BDB6248014A8F629FCA36E18F7 | |||
| (PID) Process: | (1296) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | LUXOR |
Value: c:\KALBA\MAAFENA\LAXOURY.exe | |||
| (PID) Process: | (1060) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\SafeClientList |
| Operation: | write | Name: | WSManSafeClientList |
Value: 000000000000000000000000000000018E84EBBB000000000000000000000000 | |||
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1296 | explorer.exe | C:\KALBA\MAAFENA\LAXOURY.exe | executable | |
MD5:45645F17E3B014B9BCE89A793F5775B2 | SHA256:AD71046CC82395F068BD15E4CA59EC27AD05ADD011D70326E13A64A95ACC6FED | |||
| 1296 | explorer.exe | C:\KALBA\MAAFENA\desKtOp.InI | text | |
MD5:7457A5DF1FF47C957ACF1FA000D7D9AD | SHA256:6F40B80A787EAE165D17211DC4A12F9697BEEFEEBD662322D852FDC5F2B07FB3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
9
DNS requests
4
Threats
7
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1060 | svchost.exe | 224.0.0.252:5355 | — | — | — | whitelisted |
1296 | explorer.exe | 199.2.137.20:5900 | relax3.psybnc.cz | MICROSOFT-CORP-AS | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
relax3.helldark.biz |
| unknown |
relax3.ircdevils.net |
| unknown |
relax3.psybnc.cz |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1060 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Reply Sinkhole - Microsoft - 199.2.137.0/24 |
6 ETPRO signatures available at the full report