File name: CXK-NMSL V3.3.15.exe

Full analysis: https://app.any.run/tasks/1124955f-e61c-49a4-b5bd-61ecdcbed307
Verdict: Malicious activity
Analysis date: November 10, 2024, 19:44:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: F88969F9AC259B022FC461DE66EB4229
SHA1: 6F352468FF647651EFA25F2762B278412EDA9239
SHA256: C819B0EDBC48C5CB6B1FD3A16B80549CEFB12AE333A250D59C3B25ED018008B8
SSDEEP: 98304:8lNZ/ToyuYH3fwnJPev0JXD4BnDKSrITHUZOtkkLtMcskDNTQtj3kOlsfHupIZh7:3UnZjDpAPDaB2pQe9T21m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • xls.exe (PID: 6324)
    • Renames files like ransomware

      • cmd.exe (PID: 6236)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • cmd.exe (PID: 6236)
    • Reads security settings of Internet Explorer

      • CXK-NMSL V3.3.15.exe (PID: 5516)
    • Starts CMD.EXE for commands execution

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • xls.exe (PID: 6324)
      • cmd.exe (PID: 4292)
      • mshta.exe (PID: 3952)
    • Executing commands from a ".bat" file

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • xls.exe (PID: 6324)
      • cmd.exe (PID: 4292)
      • mshta.exe (PID: 3952)
    • Decoding a file from Base64 using CertUtil

      • cmd.exe (PID: 5084)
    • Executable content was dropped or overwritten

      • certutil.exe (PID: 6692)
      • xls.exe (PID: 6324)
      • cmd.exe (PID: 6236)
    • The executable file from the user directory is run by the CMD process

      • xls.exe (PID: 6324)
    • Application launched itself

      • cmd.exe (PID: 4292)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 3952)
  • INFO

    • Checks supported languages

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • xls.exe (PID: 6324)
    • Create files in a temporary directory

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • certutil.exe (PID: 6692)
      • xls.exe (PID: 6324)
    • Reads the computer name

      • CXK-NMSL V3.3.15.exe (PID: 5516)
    • The process uses the downloaded file

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • mshta.exe (PID: 3952)
    • Process checks computer location settings

      • CXK-NMSL V3.3.15.exe (PID: 5516)
    • Creates files or folders in the user directory

      • xls.exe (PID: 6324)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 3952)
    • Checks proxy server information

      • mshta.exe (PID: 3952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:10:04 15:12:31+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 69632
InitializedDataSize: 4096
UninitializedDataSize: 69632
EntryPoint: 0x22140
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 16.4.0.0
ProductVersionNumber: 16.4.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Igor Pavlov
FileDescription: 7z Setup SFX
FileVersion: 16.04
InternalName: 7zS.sfx
LegalCopyright: Copyright (c) 1999-2016 Igor Pavlov
OriginalFileName: 7zS.sfx.exe
ProductName: 7-Zip
ProductVersion: 16.04
No data.
All screenshots are available in the full report
Total processes: 173
Monitored processes: 44
Malicious processes: 4
Suspicious processes: 3

Behavior graph

start cxk-nmsl v3.3.15.exe cmd.exe no specs conhost.exe no specs certutil.exe xls.exe conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs mshta.exe no specs cmd.exe conhost.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs sppextcomobj.exe no specs slui.exe no specs cxk-nmsl v3.3.15.exe no specs

Process information

PID | CMD | Path | Indicators | Parent process
PID: 1572 | CMD: certutil -encode "melife.png.cxkdata" "melife.png.cxk_nmsl" | Path: C:\Windows\SysWOW64\certutil.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1744 | CMD: certutil -encode "Database1.accdb.cxkdata" "Database1.accdb.cxk_nmsl" | Path: C:\Windows\SysWOW64\certutil.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1768 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: xls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2376 | CMD: certutil -encode "ujuly.png.cxkdata" "ujuly.png.cxk_nmsl" | Path: C:\Windows\SysWOW64\certutil.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3028 | CMD: certutil -encode "justposts.rtf.cxkdata" "justposts.rtf.cxk_nmsl" | Path: C:\Windows\SysWOW64\certutil.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3104 | CMD: certutil -encode "CXK-NMSL V3.3.15.exe.cxkdata" "CXK-NMSL V3.3.15.exe.cxk_nmsl" | Path: C:\Windows\SysWOW64\certutil.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3600 | CMD: certutil -encode "artistsshall.png.cxkdata" "artistsshall.png.cxk_nmsl" | Path: C:\Windows\SysWOW64\certutil.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3620 | CMD: certutil -encode "Desktop.lnk.cxkdata" "Desktop.lnk.cxk_nmsl" | Path: C:\Windows\SysWOW64\certutil.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3700 | CMD: certutil -encode "Bing.url.cxkdata" "Bing.url.cxk_nmsl" | Path: C:\Windows\SysWOW64\certutil.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3764 | CMD: certutil -encode "acceptedshe.rtf.cxkdata" "acceptedshe.rtf.cxk_nmsl" | Path: C:\Windows\SysWOW64\certutil.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events: 3 064
Read events: 3 056
Write events: 8
Delete events: 0

Modification events

(PID) Process: (6692) certutil.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7
Operation: write | Name: Name
Value: szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION

(PID) Process: (6692) certutil.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7
Operation: write | Name: Name
Value: szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION

(PID) Process: (6692) certutil.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7
Operation: write | Name: Name
Value: szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL

(PID) Process: (3952) mshta.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write | Name: C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value: Windows Command Processor

(PID) Process: (3952) mshta.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write | Name: C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value: Microsoft Corporation

(PID) Process: (3952) mshta.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix
Value:

(PID) Process: (3952) mshta.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix
Value: Cookie:

(PID) Process: (3952) mshta.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix
Value: Visited:
Executable files: 3
Suspicious files: 4
Text files: 55
Unknown types: 0

Dropped files

PID | Process | Filename | Type

PID: 5516 | Process: CXK-NMSL V3.3.15.exe | Filename: C:\Users\admin\AppData\Local\Temp\7zSC8511AC8\xls.bat
MD5:
SHA256:

PID: 6324 | Process: xls.exe | Filename: C:\Users\admin\AppData\Roaming\CXK-NMSL\CXK-NMSL.bat
MD5:
SHA256:

PID: 3104 | Process: certutil.exe | Filename: C:\Users\admin\Desktop\CXK-NMSL V3.3.15.exe.cxk_nmsl
MD5:
SHA256:

PID: 6236 | Process: cmd.exe | Filename: C:\Users\admin\Desktop\aboutproduct.jpg.cxkdata | Type: image
MD5: 95A129ED0B874CC3647C9E857645843C
SHA256: 1DCD3F3BDC20EEF24228617B2109F975014839E9216F18A68676CE69BB6CBF70

PID: 6324 | Process: xls.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartMBR.bat | Type: text
MD5: 4B6705078CC834AC06CF5BF14F325DB8
SHA256: 5D1E638A00005EEF0272D04E7A143926247696D576FF6A9DD2F08CBC6C0A4AEA

PID: 6692 | Process: certutil.exe | Filename: C:\Users\admin\AppData\Local\Temp\xls.exe | Type: executable
MD5: F9B1FDDBF8A4C0A2F2B076FB72C933DF
SHA256: CE3D0D2A0289B82D013E89A73FD0260DCBE475E14B47462A3A06C7091A3D385D

PID: 6236 | Process: cmd.exe | Filename: C:\Users\admin\Desktop\systemsettings.rtf.cxkdata | Type: text
MD5: F32EA1B3BA6785B3C74B4A9EBE63FE87
SHA256: 7C8A09C83C0A1F03D5399AA790ED790FFC38EF2833A40E0D2F1AB62A23A3D1AC

PID: 6236 | Process: cmd.exe | Filename: C:\Users\admin\Desktop\CXK-NMSL V3.3.15.exe.cxkdata | Type: executable
MD5: F88969F9AC259B022FC461DE66EB4229
SHA256: C819B0EDBC48C5CB6B1FD3A16B80549CEFB12AE333A250D59C3B25ED018008B8

PID: 6236 | Process: cmd.exe | Filename: C:\Users\admin\Desktop\acceptedshe.rtf.cxkdata | Type: text
MD5: C1D4727AD2328CB2339EB204F0BC9363
SHA256: 01ADC09F410F922F06C4F7D328724BC0DDD5F7629C0B01099B5824768862722C

PID: 6236 | Process: cmd.exe | Filename: C:\Users\admin\Desktop\friendsvery.png.cxkdata | Type: image
MD5: B25BF11348BE782A1BED8E175D4696F6
SHA256: 398EAA56582C1FD58440A993C297CB0F48452088FE1AA00C42E772AEC90E8560
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 40
DNS requests: 21
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

192.168.100.255:137 | whitelisted
40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
192.168.100.255:138 | whitelisted
2.16.110.146:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
40.126.32.140:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2.16.110.145:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
23.52.121.103:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
google.com
  • 142.250.184.238
whitelisted
www.bing.com
  • 2.16.110.146
  • 2.16.110.145
  • 2.16.110.154
  • 2.16.110.155
  • 2.16.110.168
  • 2.16.110.153
  • 2.16.110.160
  • 2.16.110.162
  • 2.16.110.144
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.140
  • 40.126.32.68
  • 40.126.32.136
  • 40.126.32.133
  • 20.190.160.22
  • 40.126.32.138
  • 40.126.32.134
  • 40.126.32.74
whitelisted
th.bing.com
  • 2.16.110.145
  • 2.16.110.136
  • 2.16.110.153
  • 2.16.110.130
  • 2.16.110.138
  • 2.16.110.146
  • 2.16.110.121
  • 2.16.110.144
  • 2.16.110.123
whitelisted
go.microsoft.com
  • 23.52.121.103
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted

Threats

No threats detected
No debug info