File name:

CXK-NMSL V3.3.15.exe

Full analysis: https://app.any.run/tasks/1124955f-e61c-49a4-b5bd-61ecdcbed307
Verdict: Malicious activity
Analysis date: November 10, 2024, 19:44:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

F88969F9AC259B022FC461DE66EB4229

SHA1:

6F352468FF647651EFA25F2762B278412EDA9239

SHA256:

C819B0EDBC48C5CB6B1FD3A16B80549CEFB12AE333A250D59C3B25ED018008B8

SSDEEP:

98304:8lNZ/ToyuYH3fwnJPev0JXD4BnDKSrITHUZOtkkLtMcskDNTQtj3kOlsfHupIZh7:3UnZjDpAPDaB2pQe9T21m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • xls.exe (PID: 6324)
    • Renames files like ransomware

      • cmd.exe (PID: 6236)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • cmd.exe (PID: 6236)
    • Reads security settings of Internet Explorer

      • CXK-NMSL V3.3.15.exe (PID: 5516)
    • Starts CMD.EXE for commands execution

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • xls.exe (PID: 6324)
      • cmd.exe (PID: 4292)
      • mshta.exe (PID: 3952)
    • Executing commands from a ".bat" file

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • xls.exe (PID: 6324)
      • cmd.exe (PID: 4292)
      • mshta.exe (PID: 3952)
    • Decoding a file from Base64 using CertUtil

      • cmd.exe (PID: 5084)
    • The executable file from the user directory is run by the CMD process

      • xls.exe (PID: 6324)
    • Executable content was dropped or overwritten

      • certutil.exe (PID: 6692)
      • xls.exe (PID: 6324)
      • cmd.exe (PID: 6236)
    • Application launched itself

      • cmd.exe (PID: 4292)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 3952)
  • INFO

    • Reads the computer name

      • CXK-NMSL V3.3.15.exe (PID: 5516)
    • Checks supported languages

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • xls.exe (PID: 6324)
    • The process uses the downloaded file

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • mshta.exe (PID: 3952)
    • Create files in a temporary directory

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • certutil.exe (PID: 6692)
      • xls.exe (PID: 6324)
    • Process checks computer location settings

      • CXK-NMSL V3.3.15.exe (PID: 5516)
    • Creates files or folders in the user directory

      • xls.exe (PID: 6324)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 3952)
    • Checks proxy server information

      • mshta.exe (PID: 3952)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:10:04 15:12:31+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 69632
InitializedDataSize: 4096
UninitializedDataSize: 69632
EntryPoint: 0x22140
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 16.4.0.0
ProductVersionNumber: 16.4.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Igor Pavlov
FileDescription: 7z Setup SFX
FileVersion: 16.04
InternalName: 7zS.sfx
LegalCopyright: Copyright (c) 1999-2016 Igor Pavlov
OriginalFileName: 7zS.sfx.exe
ProductName: 7-Zip
ProductVersion: 16.04
No data.
All screenshots are available in the full report
Total processes
173
Monitored processes
44
Malicious processes
4
Suspicious processes
3

Behavior graph

start cxk-nmsl v3.3.15.exe cmd.exe no specs conhost.exe no specs certutil.exe xls.exe conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs mshta.exe no specs cmd.exe conhost.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs sppextcomobj.exe no specs slui.exe no specs cxk-nmsl v3.3.15.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1572
CMD: certutil -encode "melife.png.cxkdata" "melife.png.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1744
CMD: certutil -encode "Database1.accdb.cxkdata" "Database1.accdb.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1768
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: xls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2376
CMD: certutil -encode "ujuly.png.cxkdata" "ujuly.png.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3028
CMD: certutil -encode "justposts.rtf.cxkdata" "justposts.rtf.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3104
CMD: certutil -encode "CXK-NMSL V3.3.15.exe.cxkdata" "CXK-NMSL V3.3.15.exe.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3600
CMD: certutil -encode "artistsshall.png.cxkdata" "artistsshall.png.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3620
CMD: certutil -encode "Desktop.lnk.cxkdata" "Desktop.lnk.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3700
CMD: certutil -encode "Bing.url.cxkdata" "Bing.url.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3764
CMD: certutil -encode "acceptedshe.rtf.cxkdata" "acceptedshe.rtf.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events
3 064
Read events
3 056
Write events
8
Delete events
0

Modification events

(PID) Process: (6692) certutil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7
Operation: write
Name: Name
Value:
szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION
(PID) Process: (6692) certutil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7
Operation: write
Name: Name
Value:
szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION
(PID) Process: (6692) certutil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7
Operation: write
Name: Name
Value:
szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL
(PID) Process: (3952) mshta.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value:
Windows Command Processor
(PID) Process: (3952) mshta.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value:
Microsoft Corporation
(PID) Process: (3952) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (3952) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:
(PID) Process: (3952) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:
Executable files
3
Suspicious files
4
Text files
55
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 5516
Process: CXK-NMSL V3.3.15.exe
Filename: C:\Users\admin\AppData\Local\Temp\7zSC8511AC8\xls.bat
MD5:
SHA256:
PID: 6324
Process: xls.exe
Filename: C:\Users\admin\AppData\Roaming\CXK-NMSL\CXK-NMSL.bat
MD5:
SHA256:
PID: 3104
Process: certutil.exe
Filename: C:\Users\admin\Desktop\CXK-NMSL V3.3.15.exe.cxk_nmsl
MD5:
SHA256:
PID: 6236
Process: cmd.exe
Filename: C:\Users\admin\Desktop\aboutproduct.jpg.cxkdata
Type: image
MD5: 95A129ED0B874CC3647C9E857645843C
SHA256: 1DCD3F3BDC20EEF24228617B2109F975014839E9216F18A68676CE69BB6CBF70
PID: 6324
Process: xls.exe
Filename: C:\Users\admin\AppData\Roaming\MBR.bat
Type: text
MD5: 8CAEF67F77FB4BCA4E780BB150D25342
SHA256: 53EA46F49768F0862FF1E7BFEEA863EC5B27D2EA1DE534C992FF6CCED14377E6
PID: 6324
Process: xls.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartMBR.bat
Type: text
MD5: 4B6705078CC834AC06CF5BF14F325DB8
SHA256: 5D1E638A00005EEF0272D04E7A143926247696D576FF6A9DD2F08CBC6C0A4AEA
PID: 6324
Process: xls.exe
Filename: C:\Users\admin\AppData\Local\Temp\E_N60005\krnln.fnr
Type: executable
MD5: 1EECE63319E7C5F6718562129B1572F1
SHA256: 4BED8A6E4E1548FDDEE40927B438132B47EF2ACA6E9BEB06B89FCF7714726310
PID: 6236
Process: cmd.exe
Filename: C:\Users\admin\Desktop\formsprovide.png.cxkdata
Type: image
MD5: 3310CF9B8C9C813DC544F912F1155826
SHA256: 62C70AAB0F4F72FB2FCF3B9D02AB2CA3720EA364C18B5F692BC4778657A3F776
PID: 3764
Process: certutil.exe
Filename: C:\Users\admin\Desktop\acceptedshe.rtf.cxk_nmsl
Type: text
MD5: 501BB86F595FD10D59E928ACD42A053B
SHA256: 4BA30B03F2DBF5BB13D2D0580DDCE8569E4C7C68FCAE5DB31EF1F4C5AA741B4A
PID: 6236
Process: cmd.exe
Filename: C:\Users\admin\Desktop\justposts.rtf.cxkdata
Type: text
MD5: 4AA194810BBA65AF6AE1F8AFC4D5DE37
SHA256: 96DB512E3D42F17376A8A08C2019A52A8E35DEB3BEB86626A201C25BE5167624
HTTP(S) requests
7
TCP/UDP connections
40
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
192.168.100.255:138
whitelisted
2.16.110.146:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
40.126.32.140:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.110.145:443
www.bing.com
Akamai International B.V.
DE
whitelisted
23.52.121.103:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
google.com
  • 142.250.184.238
whitelisted
www.bing.com
  • 2.16.110.146
  • 2.16.110.145
  • 2.16.110.154
  • 2.16.110.155
  • 2.16.110.168
  • 2.16.110.153
  • 2.16.110.160
  • 2.16.110.162
  • 2.16.110.144
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.140
  • 40.126.32.68
  • 40.126.32.136
  • 40.126.32.133
  • 20.190.160.22
  • 40.126.32.138
  • 40.126.32.134
  • 40.126.32.74
whitelisted
th.bing.com
  • 2.16.110.145
  • 2.16.110.136
  • 2.16.110.153
  • 2.16.110.130
  • 2.16.110.138
  • 2.16.110.146
  • 2.16.110.121
  • 2.16.110.144
  • 2.16.110.123
whitelisted
go.microsoft.com
  • 23.52.121.103
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted

Threats

No threats detected
No debug info