Edit tour

Windows Analysis Report
nx.exe

Overview

General Information

Sample name:	nx.exe
Analysis ID:	1489883
MD5:	cc93a5b2a81ed6491e7057f00d7b5ee0
SHA1:	4423217b7c0097fbe3f95fc621e0951c7cc4b00e
SHA256:	a1a5337e8f292b193ed8c06a00087ce7e5ce58c04c7f31304eb4f248257d67cd
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

AI detected suspicious sample

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

nx.exe (PID: 6548 cmdline: "C:\Users\user\Desktop\nx.exe" -install MD5: CC93A5B2A81ED6491E7057F00D7B5EE0)

conhost.exe (PID: 6412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nx.exe (PID: 980 cmdline: "C:\Users\user\Desktop\nx.exe" /install MD5: CC93A5B2A81ED6491E7057F00D7B5EE0)

conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nx.exe (PID: 1900 cmdline: "C:\Users\user\Desktop\nx.exe" /load MD5: CC93A5B2A81ED6491E7057F00D7B5EE0)

conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Malware Analysis System Evasion
• Anti Debugging

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 86.0% probability

Source: nx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: nx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: nx.exe	String found in binary or memory: http://earth.google.com/kml/2.2
Source: nx.exe	String found in binary or memory: http://maps.google.com/mapfiles/kml/pushpin/blue-pushpin.png
Source: nx.exe	String found in binary or memory: http://maps.google.com/mapfiles/kml/pushpin/grn-pushpin.png
Source: nx.exe	String found in binary or memory: http://maps.google.com/mapfiles/kml/pushpin/ltblu-pushpin.png
Source: nx.exe	String found in binary or memory: http://maps.google.com/mapfiles/kml/pushpin/pink-pushpin.png
Source: nx.exe	String found in binary or memory: http://maps.google.com/mapfiles/kml/pushpin/purple-pushpin.png
Source: nx.exe	String found in binary or memory: http://maps.google.com/mapfiles/kml/pushpin/red-pushpin.png
Source: nx.exe	String found in binary or memory: http://maps.google.com/mapfiles/kml/pushpin/wht-pushpin.png
Source: nx.exe	String found in binary or memory: http://maps.google.com/mapfiles/kml/pushpin/ylw-pushpin.png
Source: nx.exe	String found in binary or memory: http://maps.google.com/mapfiles/kml/shapes/placemark_circle.png
Source: nx.exe	String found in binary or memory: http://maps.google.com/mapfiles/kml/shapes/placemark_circle_highlight.png
Source: nx.exe	String found in binary or memory: http://maps.google.com/mapfiles/kml/shapes/placemark_square.png
Source: nx.exe	String found in binary or memory: http://maps.google.com/mapfiles/kml/shapes/placemark_square_highlight.png
Source: nx.exe	String found in binary or memory: http://www.init-ka.de/
Source: nx.exe	String found in binary or memory: http://www.opengis.net/kml/2.2
Source: nx.exe	String found in binary or memory: http://www.winimage.com/zLibDll

Source: nx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: nx.exe	Binary string: ckfall-Kongi.MRI3: Restore Default channel after x secMRI3: R05 driverno in bcd-formatMRI3: R04 block in bcd-formatMRI3: ZVEI decoder flagsMRI3: ZVEI period for repetition of out-bound telegramsMRI3: ZVEI repeat count for out-bound telegramsMRI3: Input as driver announcement criterionMRI3: Ignore block for VDV cycle of GPS coordinates to centralMRI3: Radio numberMRI3: request tele for arrival or departure messageMRI3: VDV cycle of GPS coordinates to central if logged ofMRI3: VDV GPS Y unit 2MRI3: VDV GPS Y unit 1MRI3: VDV GPS X unit 2MRI3: VDV GPS X unit 1MRI3: VDV GPS origin longitudeMRI3: VDV GPS origin latitudeMRI3: timeout for incoming callMRI3: Coded Instruction to bring the vehcile into voice modeMRI3: Signal-Base for ZVEIMRI3: Logical radio channel for Voice Radio startMRI3: Retry timeout to use Voice start channelMRI3: maximum lock time for R15MRI3: maximum Rxx count for data radio failureMRI3: Lower COM port device name/number\Device\Serial1MRI3: Port type (RS232, RS485, ...)MRI3: Serial port baudrateMRI3: MRI3 enabledMRI3: Voice Radio is enabledMRI3: Retry timeout after VDV distubanceMRI3: Start timeout for VDV system distubanceMRI3: Minimum telegram length of C09MRI3: Timeout for VDV vehicle distubanceMRI3: Startupmode: 0 - Voice 1 - DataradioMRI3: Default timeout for VDV system distubanceMRI3: Timeout for data loading over VDVMRI3: Year from which the C15 year interpretation startsMRI3: List of logical radio channels for VDV Data RadioMRI3: Logical radio channel for VDV Data Radio startMRI3: Retry timeout to use VDV start channelMRI3: VDV Channel ConfigMRI3: Listen In TypeMRI3: Maximum amount of forced resetsMRI3: BON as shared objectMRI3: 1: Inport HangUp/Bon is used as Hang UpMRI3: Amount of soft reset trys until forced reset is usedMRI3: Pressing 3x PTT causes EA stateMRI3: Freq-Stufen der T
Source: nx.exe	Binary string: ..\..\..\src\device\pid\NxPidPicDev.cpp(55)
Source: nx.exe	Binary string: ..\..\..\src\device\pid\NxPidPicDev.cpp
Source: nx.exe	Binary string: CNxPidPicDevPID_PICGeraeteParamSerienNrRead %s failed (Unable to read serial from pic)$Write %s failed (Unable to write serial to pic)$..\..\..\src\device\pid\NxPidPicDev.cpp(55)..\..\..\src\device\pid\NxPidPicDev.cppc\|w{
Source: nx.exe	Binary string: \Device\Serial1

Source: classification engine

Classification label: sus21.winEXE@6/3@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2316:120:WilError_03

Source: nx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\nx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nx.exe	String found in binary or memory: Usage: nx callstack [-l load-addr] [-b base] map-or-exe-file addresslist
Source: nx.exe	String found in binary or memory: Useful for guessing load-addr, e.g.: 'nx callstack -b nxThreadProc ...'
Source: nx.exe	String found in binary or memory: ANxToolBoxCallStackcallstackPrint call stack.Usage: nx callstack [-l load-addr] [-b base] map-or-exe-file addresslist
Source: nx.exe	String found in binary or memory: full-stop
Source: nx.exe	String found in binary or memory: CNxIppPic32J1708MsgReceivedCouldn't read valId: %dPic32 valueRead: valId:%d = %dvalueRead: too many valueIds: %dValueWrite-Error, ValueId/value: %d/%dCouldn't read valId/attrId: %d/%dvalueAttribRead: valId:%d, attrId:%d = %dvalueAttribRead: too many attribs: %dvalueAttribRead with wrong list size (%d/%d)ValueAttribWrite-Error, ValueId/AttribId/value: %d/%d/%d..\..\..\src\base\com\ipp\NxIppPic32Tele.cpp$Revision: 1.30 $* unknown regexp error code *invalid argument to regex routineREG_INVARG"can't happen" -- you found a bugREG_ASSERTempty (sub)expressionREG_EMPTYrepetition-operator operand invalidREG_BADRPTout of memoryREG_ESPACEinvalid character rangeREG_ERANGEinvalid repetition count(s)REG_BADBRbraces not balancedREG_EBRACEparentheses not balancedREG_EPARENbrackets ([ ]) not balancedREG_EBRACKinvalid backreference numberREG_ESUBREGtrailing backslash (\)REG_EESCAPEinvalid character classREG_ECTYPEinvalid collating elementREG_ECOLLATEinvalid regular expressionREG_BADPATregexec() failed to matchREG_NOMATCHDELtilderight-curly-bracketright-bracevertical-lineleft-curly-bracketleft-bracegrave-accentlow-lineunderscorecircumflex-accentcircumflexright-square-bracketreverse-solidusbackslashleft-square-bracketcommercial-atquestion-markgreater-than-signequals-signless-than-signsemicoloncolonnineeightsevensixfivefourthreetwoonezerosolidusslashfull-stopperiodhyphen-minushyphencommaplus-signasteriskright-parenthesisleft-parenthesisapostropheampersandpercent-signdollar-signnumber-signquotation-markexclamation-markUSIS1RSIS2GSIS3FSIS4ESCSUBEMCANETBSYNNAKDC4DC3DC2DC1DLESISOcarriage-returnCRform-feedFFvertical-tabVTnewlineLFtabHTbackspaceBSalertBELACKENQEOTETXSTXSOHNUL0123456789ABCDEFabcdefxdigitABCDEFGHIJKLMNOPQRSTUVWXYZupper
Source: nx.exe	String found in binary or memory: Voip: IP-address of SIP-server
Source: nx.exe	String found in binary or memory: WLAN: 2nd ip-addr for DRC
Source: nx.exe	String found in binary or memory: Tetra: AVL IP-address
Source: nx.exe	String found in binary or memory: SIEMENS S70 Vehicle Control: IP-Address PIS
Source: nx.exe	String found in binary or memory: SIEMENS S70 Vehicle Control: IP-Address VcuB
Source: nx.exe	String found in binary or memory: SIEMENS S70 Vehicle Control: IP-Address VcuA
Source: nx.exe	String found in binary or memory: SIEMENS AVENIO Vehicle Control: IP-Address
Source: nx.exe	String found in binary or memory: Irma Matrix: IP-address of adapter used for sensor communication
Source: nx.exe	String found in binary or memory: Nomad: IP-address of the server
Source: nx.exe	String found in binary or memory: TCMS: VCU IP-Address
Source: nx.exe	String found in binary or memory: Infotainment: infotainment without line/stop information from board computer (0=default, disabled)
Source: nx.exe	String found in binary or memory: Infotainment: infotainment without line/stop information from board computer (0=default, disabled)
Source: nx.exe	String found in binary or memory: SmartCard: card reader's IP-address
Source: nx.exe	String found in binary or memory: ANNOUNCE: At-stop ann. disabled on ignition-off
Source: nx.exe	String found in binary or memory: ANNOUNCE: At-stop ann. to outside/inside
Source: nx.exe	String found in binary or memory: ANNOUNCEMENT: At-stop Announcement Ignore Minimum Distance
Source: nx.exe	String found in binary or memory: ANNOUNCEMENT: Enable External At-Stop Announcements.
Source: nx.exe	String found in binary or memory: Announcement at stop allowed max door-open timeANNOUNCEMENT: Announcement at stop ignore minimum timeANNOUNCE: Next stop announcement not before interior displayANNOUNCE: Exit ann. disabled on ignition-offANNOUNCE: At-stop ann. disabled on ignition-offANNOUNCE: At-stop ann. to outside/insideANNOUNCE: Default Cycle for Auto AnnouncementsANNOUNCE: No ext. ann. when default destination setANNOUNCE: ignore annoucement number 0 in stoppointANNOUNCE: Use additive announcements 0=off 1=onANNOUNCE: Use destination sign speciffic announcement 0: off, 1: door open at stop, 2: door openANNOUNCEMENT: At-stop Announcement Ignore Minimum Distance ANNOUNCE: Channel for ann time to destination (0=inside, 1=outside...)ANNOUNCE: Ann at stop on 1=ANY DOOR, 2=FRONT DOOR 3=REAR DOOR)ANNOUNCE: Enable time to destination ann. (1=ON, 0=OFF)ANNOUNCEMENT: Enable External At-Stop Announcements.ANNOUNCE: Enable next stop ann. (1=ON, 0=OFF -1=SIGN_CONFIG)ANNOUNCEMENT: Muted On Start-UpANNOUNCE: Reset-Method on errorANNOUNCE: Play dual-channel announcements consecutively instead of simultaneouslyANNOUNCEMENT: PA Amplifier Control ModeANNOUNCE: Wait time after each announcementANNOUNCE: Setup time for the channel signalANNOUNCE: Hold time for the channel signalANNOUNCEMENT: PA Amplifier 'Hold on Active' TimeANNOUNCE: Setup time for the enable signalANNOUNCE: Timeout of external tool for pre-processing of announcement filesANNOUNCE: MP3 file name for the announcement of not accessible stopsANNOUNCE: MP3 file name for the announcement of accessible stopsANNOUNCE: MP3 File file name for functional testANNOUNCE: Exit direction both ann. no.ANNOUNCE: Measure 'Drive Through' ann. no.ANNOUNCE: Announce Exit direction allowedANNOUNCE: Exit direction right ann. no.ANNOUNCE: Exit direction left ann. no.ANNOUNCE: OS-Mixer maximum volume of cdplayer inputANNOUNCE: OS-Mixer volume pattern of driver announcement: channel;left;right, 1=change, -1=leave unchangedlinein;1;1ANNOUNCE: OS-Mixer volume initialization: channel;left;right, -1=leave unchangedlinein;0;0;cdplayer;0;0ANNOUNCE: OS-Mixer Wave volume Left;Right, -1=leave unchangedANNOUNCE: OS-Mixer Master volume Left;Right, -1=leave unchangedANNOUNCE: Door cloosing ann. no.ANNOUNCE: Announcement number for functional testANNOUNCE: Persistent MP3 filesANNOUNCE: Sinus MP3 fileSine.mp3ANNOUNCE: Wheelchair extraction ann. no.ANNOUNCE: Supress invalid ann. number warningANNOUNCE: Re-initialize COM and DirectX for every MP3 announcementANNOUNCE: Ann. requests queue sizeANNOUNCE: Test MP3 fileTest.mp3ANNOUNCE: Cancel current mp3 request after x sec (-1 = no cancel)ANNOUNCE: Tmp. directory for MP3 filesR:/Mp3TmpANNOUNCE: GUI message sound listANNOUNCE: Timeout fuer NX_GUI_CURRENT_ANNOUNCEMENTANNOUNCE: list tabsANNOUNCE: list nax numberANNOUNCE: list Mode: 1 - show numerANNOUNCE: Function is 1=Enabled 0=DisabledANNOUNCE: Audio file types to concatenate e.g. 'wav;mp3'wavANNOUNCE: AnnouncementChannel;AudioPlayerChannel e.g. 'inside;line1'inside;line
Source: nx.exe	String found in binary or memory: STAT: Shall this event be exported: - Vehicle starts driving /stops driving wished?
Source: nx.exe	String found in binary or memory: STAT: Shall this event be exported: - Vehicle starts driving /stops driving wished?
Source: nx.exe	String found in binary or memory: SNTP server IP-addr
Source: nx.exe	String found in binary or memory: Init timeout on starting/stopping service
Source: nx.exe	String found in binary or memory: Init timeout on starting/stopping service

Source: unknown	Process created: C:\Users\user\Desktop\nx.exe "C:\Users\user\Desktop\nx.exe" -install
Source: C:\Users\user\Desktop\nx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\nx.exe "C:\Users\user\Desktop\nx.exe" /install
Source: C:\Users\user\Desktop\nx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\nx.exe "C:\Users\user\Desktop\nx.exe" /load
Source: C:\Users\user\Desktop\nx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\nx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nx.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\nx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nx.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\nx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nx.exe	Section loaded: winmm.dll	Jump to behavior

Source: nx.exe

Static file information: File size 1648128 > 1048576

Source: nx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
nx.exe	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
http://maps.google.com/mapfiles/kml/shapes/placemark_square_highlight.png	0%	Avira URL Cloud	safe
http://maps.google.com/mapfiles/kml/pushpin/pink-pushpin.png	0%	Avira URL Cloud	safe
http://www.init-ka.de/	0%	Avira URL Cloud	safe
http://maps.google.com/mapfiles/kml/pushpin/purple-pushpin.png	0%	Avira URL Cloud	safe
http://www.init-ka.de/	0%	Virustotal		Browse
http://earth.google.com/kml/2.2	0%	Avira URL Cloud	safe
http://maps.google.com/mapfiles/kml/shapes/placemark_square_highlight.png	0%	Virustotal		Browse
http://maps.google.com/mapfiles/kml/pushpin/blue-pushpin.png	0%	Avira URL Cloud	safe
http://maps.google.com/mapfiles/kml/shapes/placemark_circle_highlight.png	0%	Avira URL Cloud	safe
http://maps.google.com/mapfiles/kml/shapes/placemark_square.png	0%	Avira URL Cloud	safe
http://earth.google.com/kml/2.2	0%	Virustotal		Browse
http://www.opengis.net/kml/2.2	0%	Avira URL Cloud	safe
http://maps.google.com/mapfiles/kml/pushpin/wht-pushpin.png	0%	Avira URL Cloud	safe
http://maps.google.com/mapfiles/kml/pushpin/purple-pushpin.png	0%	Virustotal		Browse
http://maps.google.com/mapfiles/kml/pushpin/grn-pushpin.png	0%	Avira URL Cloud	safe
http://maps.google.com/mapfiles/kml/pushpin/blue-pushpin.png	0%	Virustotal		Browse
http://maps.google.com/mapfiles/kml/pushpin/red-pushpin.png	0%	Avira URL Cloud	safe
http://www.opengis.net/kml/2.2	0%	Virustotal		Browse
http://maps.google.com/mapfiles/kml/pushpin/grn-pushpin.png	0%	Virustotal		Browse
http://maps.google.com/mapfiles/kml/pushpin/ltblu-pushpin.png	0%	Avira URL Cloud	safe
http://maps.google.com/mapfiles/kml/shapes/placemark_square.png	0%	Virustotal		Browse
http://maps.google.com/mapfiles/kml/pushpin/ylw-pushpin.png	0%	Avira URL Cloud	safe
http://maps.google.com/mapfiles/kml/shapes/placemark_circle_highlight.png	0%	Virustotal		Browse
http://maps.google.com/mapfiles/kml/shapes/placemark_circle.png	0%	Avira URL Cloud	safe
http://maps.google.com/mapfiles/kml/pushpin/pink-pushpin.png	0%	Virustotal		Browse
http://maps.google.com/mapfiles/kml/pushpin/ltblu-pushpin.png	0%	Virustotal		Browse
http://maps.google.com/mapfiles/kml/pushpin/wht-pushpin.png	0%	Virustotal		Browse
http://maps.google.com/mapfiles/kml/pushpin/ylw-pushpin.png	0%	Virustotal		Browse
http://maps.google.com/mapfiles/kml/shapes/placemark_circle.png	0%	Virustotal		Browse
http://maps.google.com/mapfiles/kml/pushpin/red-pushpin.png	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://maps.google.com/mapfiles/kml/pushpin/pink-pushpin.png	nx.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://maps.google.com/mapfiles/kml/shapes/placemark_square_highlight.png	nx.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://earth.google.com/kml/2.2	nx.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://maps.google.com/mapfiles/kml/pushpin/purple-pushpin.png	nx.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.init-ka.de/	nx.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://maps.google.com/mapfiles/kml/pushpin/blue-pushpin.png	nx.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://maps.google.com/mapfiles/kml/shapes/placemark_circle_highlight.png	nx.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	nx.exe	false	URL Reputation: safe	unknown
http://maps.google.com/mapfiles/kml/shapes/placemark_square.png	nx.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://maps.google.com/mapfiles/kml/pushpin/wht-pushpin.png	nx.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.opengis.net/kml/2.2	nx.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://maps.google.com/mapfiles/kml/pushpin/grn-pushpin.png	nx.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://maps.google.com/mapfiles/kml/pushpin/red-pushpin.png	nx.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://maps.google.com/mapfiles/kml/pushpin/ltblu-pushpin.png	nx.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://maps.google.com/mapfiles/kml/pushpin/ylw-pushpin.png	nx.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://maps.google.com/mapfiles/kml/shapes/placemark_circle.png	nx.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1489883
Start date and time:	2024-08-08 09:28:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Cmdline fuzzy
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nx.exe
Detection:	SUS
Classification:	sus21.winEXE@6/3@0/0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\nx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.690260390968384
Encrypted:	false
SSDEEP:	3:GFuFDKepEyn:x5KepEy
MD5:	96B3B451680BE303A6E6B3F6FB1FD411
SHA1:	9B3E1EED09DBFA47C8D247F8E3B23DF12CE02AFB
SHA-256:	E759A291EBE904C6C346ED3C49184BA9761491D3CBB46E0BDAB6DF5912A59D97
SHA-512:	67D1997E18EAD3FB2714B1B3A01FDC9738332D057B0D6D11AA7557CFBEAAD08C3F10CFB8EC670DDD45BE597A9FD952FCB27B398909D135958BD2FF29E5805BF6
Malicious:	false
Reputation:	low
Preview:	Command not found: /load..

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.320450680450949
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	nx.exe
File size:	1'648'128 bytes
MD5:	cc93a5b2a81ed6491e7057f00d7b5ee0
SHA1:	4423217b7c0097fbe3f95fc621e0951c7cc4b00e
SHA256:	a1a5337e8f292b193ed8c06a00087ce7e5ce58c04c7f31304eb4f248257d67cd
SHA512:	fe8dc26f6f2a351a4b670c12f66fb4159d36fb1919b904a29d4758e1ba3cb60bea06d030db632726a019f060542bc400f231d36b3268678de2c9edccd494fba6
SSDEEP:	24576:8BU9v5OAaFxcv+2GwDlj7STc36TrCx9AqW:YUpAF2v+2pDlKT89BW
TLSH:	C7757E623642643AE02703754D9AF384A26DF9A18771450BB2F853FD3F654A14F3EACB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|x..8..^8..^8..^Wo.^=..^.W2^<..^#.4^...^1a9^7..^8..^...^Wo4^9..^#..^...^#..^...^#.7^9..^Rich8..^........PE..L....k.V...........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4771b9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x56AB6BAC [Fri Jan 29 13:39:56 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	51081416db5a84c6c9002f39941bc1fc

Entrypoint Preview

Instruction
call 00007FF539316114h
jmp 00007FF53930A34Ah
mov dword ptr [ecx], 005082A0h
jmp 00007FF53930B9DDh
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov dword ptr [esi], 005082A0h
call 00007FF53930B9CAh
test byte ptr [ebp+08h], 00000001h
je 00007FF53930A4B9h
push esi
call 00007FF539302013h
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
push esi
push edi
mov edi, dword ptr [ebp+08h]
mov eax, dword ptr [edi+04h]
test eax, eax
je 00007FF53930A4F9h
lea edx, dword ptr [eax+08h]
cmp byte ptr [edx], 00000000h
je 00007FF53930A4F1h
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [esi+04h]
cmp eax, ecx
je 00007FF53930A4C6h
add ecx, 08h
push ecx
push edx
call 00007FF539302633h
pop ecx
pop ecx
test eax, eax
je 00007FF53930A4B6h
xor eax, eax
jmp 00007FF53930A4D6h
test byte ptr [esi], 00000002h
je 00007FF53930A4B7h
test byte ptr [edi], 00000008h
je 00007FF53930A4A4h
mov eax, dword ptr [ebp+10h]
mov eax, dword ptr [eax]
test al, 01h
je 00007FF53930A4B7h
test byte ptr [edi], 00000001h
je 00007FF53930A496h
test al, 02h
je 00007FF53930A4B7h
test byte ptr [edi], 00000002h
je 00007FF53930A48Dh
xor eax, eax
inc eax
pop edi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax]
cmp eax, E0434352h
je 00007FF53930A4D1h
cmp eax, E0434F4Dh
je 00007FF53930A4CAh
cmp eax, E06D7363h
jne 00007FF53930A4DCh
call 00007FF53930B2C3h
and dword ptr [eax+00000090h], 00000000h

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 SP1 build 40219
[IMP] VS2008 SP1 build 30729
[ASM] VS2010 build 30319
[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x129050	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x180000	0x1b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x181000	0x1ba34	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x10b940	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9b000	0x318	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9946c	0x99600	b77ca0b4efa3476488ed4db84e398c62	False	0.5242938824368378	data	6.613923388142928	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9b000	0x8f1b8	0x8f200	814614b5fa95a8dd9a5f258c7b935cca	False	0.3122287800218341	data	5.661725433127734	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12b000	0x53c04	0x46000	d5f0141b3d59666d10d4116ad3b37837	False	0.2290980747767857	data	4.004150863466056	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x17f000	0x9	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x180000	0x1b4	0x200	7c3646b5c3ecf6c5cf849b4e8dde27f8	False	0.482421875	data	5.092598449170364	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x181000	0x2358a	0x23600	5a5a8e6a46c3c0f0fe98812400cdcd0e	False	0.3154676457597173	data	5.652591359268913	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x180058	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

Imports

DLL	Import
USERENV.dll	LoadUserProfileA, UnloadUserProfile
WINMM.dll	mixerGetDevCapsA, mixerOpen, mixerSetControlDetails, mixerGetLineInfoA, mixerGetLineControlsA, mixerGetControlDetailsA, mixerClose, mixerGetNumDevs
KERNEL32.dll	WriteFile, FreeLibrary, GetProcAddress, LoadLibraryA, GetLastError, GetFileSize, DeviceIoControl, GetTimeZoneInformation, SetTimeZoneInformation, GetCurrentProcess, GetSystemTime, GetCurrentDirectoryA, FindClose, SetCurrentDirectoryA, FindFirstFileA, FindNextFileA, CreateDirectoryA, RemoveDirectoryA, GetDiskFreeSpaceA, InterlockedIncrement, LocalAlloc, lstrlenA, FormatMessageA, InterlockedDecrement, CreateSemaphoreA, InitializeCriticalSection, DeleteCriticalSection, ReleaseSemaphore, LeaveCriticalSection, Sleep, GetTickCount, TryEnterCriticalSection, EnterCriticalSection, WaitForSingleObject, GetCurrentThreadId, GetOverlappedResult, ClearCommError, ClearCommBreak, SetCommBreak, SetEvent, EscapeCommFunction, SetCommState, BuildCommDCBA, SetCommTimeouts, SetupComm, CreateEventA, CreateThread, SetFilePointer, GetStdHandle, GetSystemTimeAsFileTime, TerminateProcess, GetExitCodeProcess, CreateProcessA, SetSystemTime, GetThreadPriority, VirtualQuery, TerminateThread, ResumeThread, SetThreadPriority, SuspendThread, GetThreadTimes, GetThreadContext, QueryPerformanceCounter, QueryPerformanceFrequency, GetCommandLineA, LocalFree, FileTimeToSystemTime, FileTimeToLocalFileTime, LoadLibraryExA, ExpandEnvironmentStringsA, SetComputerNameA, OpenProcess, MoveFileExA, FlushFileBuffers, GetDriveTypeA, GetLogicalDrives, GetCurrentDirectoryW, LoadLibraryW, GetCurrentProcessId, LCMapStringW, PeekNamedPipe, GetFileInformationByHandle, GetDriveTypeW, SetStdHandle, GetConsoleMode, GetConsoleCP, GetModuleFileNameW, HeapCreate, ReadFile, CloseHandle, CreateFileA, WriteConsoleW, SetEndOfFile, GetProcessHeap, CompareStringW, SetEnvironmentVariableA, CreateFileW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetFileAttributesA, ExitProcess, GetFileAttributesA, GetStringTypeW, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, IsProcessorFeaturePresent, GetStartupInfoW, GetFileType, InitializeCriticalSectionAndSpinCount, SetHandleCount, RtlUnwind, RaiseException, WideCharToMultiByte, HeapFree, HeapAlloc, SetFileTime, LocalFileTimeToFileTime, SystemTimeToFileTime, GetFullPathNameA, MoveFileA, FindFirstFileExA, DeleteFileA, DuplicateHandle, HeapReAlloc, ExitThread, GetModuleHandleW, MultiByteToWideChar, HeapSetInformation, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapSize
USER32.dll	GetWindowThreadProcessId, GetThreadDesktop, OpenDesktopA, SwitchDesktop, CloseDesktop, GetUserObjectInformationA, MessageBoxA, ChangeDisplaySettingsA, EnumDisplaySettingsA, mouse_event, FindWindowA, GetProcessWindowStation, ExitWindowsEx
ADVAPI32.dll	CreateProcessAsUserA, ReadEventLogA, ClearEventLogA, CloseEventLog, OpenEventLogA, AbortSystemShutdownA, GetUserNameA, InitiateSystemShutdownA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, LogonUserA
ole32.dll	CoInitialize, OleRun, CoCreateInstance, CoUninitialize
OLEAUT32.dll	VariantClear, VariantChangeType, VariantInit, SysFreeString, SysStringLen, SysStringByteLen, SysAllocStringByteLen, SysAllocString, GetErrorInfo

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• nx.exe
• conhost.exe
• nx.exe
• conhost.exe
• nx.exe
• conhost.exe

Click to jump to process

Memory Usage

• nx.exe
• conhost.exe
• nx.exe
• conhost.exe
• nx.exe
• conhost.exe

Click to jump to process

Click to jump to process

System Behavior

Analysis Process: nx.exePID: 6548, Parent PID: 2580

Function Logs

General

Target ID:	0
Start time:	03:29:05
Start date:	08/08/2024
Path:	C:\Users\user\Desktop\nx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nx.exe" -install
Imagebase:	0x7c0000
File size:	1'648'128 bytes
MD5 hash:	CC93A5B2A81ED6491E7057F00D7B5EE0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Written

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Terminated

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6412, Parent PID: 6548

Function Logs

General

Target ID:	1
Start time:	03:29:05
Start date:	08/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: nx.exePID: 980, Parent PID: 2580

Function Logs

General

Target ID:	2
Start time:	03:29:07
Start date:	08/08/2024
Path:	C:\Users\user\Desktop\nx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nx.exe" /install
Imagebase:	0x7c0000
File size:	1'648'128 bytes
MD5 hash:	CC93A5B2A81ED6491E7057F00D7B5EE0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Written

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Terminated

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6292, Parent PID: 980

Function Logs

General

Target ID:	3
Start time:	03:29:08
Start date:	08/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: nx.exePID: 1900, Parent PID: 2580

Function Logs

General

Target ID:	4
Start time:	03:29:10
Start date:	08/08/2024
Path:	C:\Users\user\Desktop\nx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nx.exe" /load
Imagebase:	0x7c0000
File size:	1'648'128 bytes
MD5 hash:	CC93A5B2A81ED6491E7057F00D7B5EE0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Written

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Terminated

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2316, Parent PID: 1900

Function Logs

General

Target ID:	5
Start time:	03:29:10
Start date:	08/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: nx.exePID: 6548, Parent PID: 2580

General

File Activities

File Opened

File Created

File Written

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Windows Analysis Report
nx.exe