File name: nxkey_x86.exe

Full analysis: https://app.any.run/tasks/3b960abe-101d-42df-bbe4-f1952092b599
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: January 20, 2025, 23:55:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: F71A02275EECC0076450E10D6C8F5960
SHA1: B38EDC27BB10D1DFA17188D3DF2D5D433D947A04
SHA256: D78157ED28955DE8CFB96BA4BEBB225D1D356175FBC0113D859AD2D726EEBA22
SSDEEP: 98304:gi3VdhCYwCxrg/zZ4h8ogDwFdIbo+29yKTVH+9UcgRjmP/IHLejQzW8PwFQ2PoTJ:RTlVJF8N2YQtLNvi7cOYf5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • Firefox_CertUtil.exe (PID: 6332)
      • certutil.exe (PID: 6076)
      • certutil.exe (PID: 3736)
    • XORed URL has been found (YARA)

      • nxkey_x86.exe (PID: 6484)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • nxkey_x86.exe (PID: 6484)
      • CrossEX_LocalService_Install.exe (PID: 6684)
      • FFCert.exe (PID: 7160)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • CrossEX_LocalService_Install.exe (PID: 6684)
    • Executes as Windows Service

      • ObCrossEXService.exe (PID: 7116)
    • Windows service management via SC.EXE

      • sc.exe (PID: 7060)
      • sc.exe (PID: 6964)
    • Reads security settings of Internet Explorer

      • nxkey_x86.exe (PID: 6484)
    • The process creates files with name similar to system file names

      • FFCert.exe (PID: 7160)
    • Process drops legitimate Windows executable

      • FFCert.exe (PID: 7160)
    • The process drops C-runtime libraries

      • FFCert.exe (PID: 7160)
    • Creates a software uninstall entry

      • nxkey_x86.exe (PID: 6484)
  • INFO

    • Sends debugging messages

      • nxkey_x86.exe (PID: 6484)
    • The sample compiled with Korean language support

      • CrossEX_LocalService_Install.exe (PID: 6684)
      • FFCert.exe (PID: 7160)
      • nxkey_x86.exe (PID: 6484)
    • Reads the computer name

      • nxkey_x86.exe (PID: 6484)
      • ObCrossEXService.exe (PID: 7116)
      • certutil.exe (PID: 6076)
      • certutil.exe (PID: 3736)
    • Checks supported languages

      • nxkey_x86.exe (PID: 6484)
      • ObCrossEXService.exe (PID: 7116)
      • FFCert.exe (PID: 7160)
      • Firefox_CertUtil.exe (PID: 6332)
      • certutil.exe (PID: 6076)
      • certutil.exe (PID: 3736)
    • Creates files in a temporary directory

      • nxkey_x86.exe (PID: 6484)
      • FFCert.exe (PID: 7160)
      • certutil.exe (PID: 3736)
      • certutil.exe (PID: 6076)
    • The process uses the downloaded file

      • nxkey_x86.exe (PID: 6484)
    • Process checks computer location settings

      • nxkey_x86.exe (PID: 6484)
    • The sample compiled with English language support

      • nxkey_x86.exe (PID: 6484)
      • FFCert.exe (PID: 7160)
    • Creates files or folders in the user directory

      • certutil.exe (PID: 6076)
    • Creates files in the program directory

      • nxkey_x86.exe (PID: 6484)
    • UPX packer has been detected

      • nxkey_x86.exe (PID: 6484)
    • Themida protector has been detected

      • nxkey_x86.exe (PID: 6484)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (28.6)
.exe | UPX compressed Win32 Executable (28)
.exe | Win32 EXE Yoda's Crypter (27.5)
.dll | Win32 Dynamic Link Library (generic) (6.8)
.exe | Win32 Executable (generic) (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:23 05:10:22+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 13873152
InitializedDataSize: 8192
UninitializedDataSize: 4472832
EntryPoint: 0x117f760
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.88
ProductVersionNumber: 1.0.0.88
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: TouchEn nxKey Keyboard Protector Installer
CompanyName: RaonSecure Co., Ltd.
FileDescription: TouchEn nxKey Keyboard Protector Installer
FileVersion: 1, 0, 0, 88
InternalName: TouchEn nxKey Installer
LegalCopyright: Copyright(C)2013 RaonSecure Co., Ltd.
OriginalFileName: TouchEn nxKey Installer.exe
ProductName: TouchEn nxKey Installer
ProductVersion: 1, 0, 0, 88
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 14
Malicious processes: 6
Suspicious processes: 1

Behavior graph

Processes in the graph, in order ("no specs" marks processes with no recorded indicators):
  • start
  • nxkey_x86.exe (#XOR-URL)
  • crossex_localservice_install.exe
  • sc.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • conhost.exe (no specs)
  • obcrossexservice.exe (no specs)
  • ffcert.exe
  • firefox_certutil.exe
  • certutil.exe
  • conhost.exe (no specs)
  • certutil.exe
  • conhost.exe (no specs)
  • nxkey_x86.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 1140
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: certutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3736
CMD: "C:\Users\admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe" -L -d sql:"C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release"
Path: C:\Users\admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe
Parent process: Firefox_CertUtil.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ffcert_raon\bin\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 4544
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: certutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6076
CMD: "C:\Users\admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe" -A -d sql:"C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release" -i "C:\Program Files (X86)\iniLINE\CrossEX\crossex\rootCA.crt" -n "iniLINE CrossEX RootCA2" -t "CT,C,C"
Path: C:\Users\admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe
Parent process: Firefox_CertUtil.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ffcert_raon\bin\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 6332
CMD: "C:\Users\admin\AppData\Local\Temp\nxkey_x86.exe"
Path: C:\Users\admin\AppData\Local\Temp\nxkey_x86.exe
Parent process: explorer.exe
User:
admin
Company:
RaonSecure Co., Ltd.
Integrity Level:
MEDIUM
Description:
TouchEn nxKey Keyboard Protector Installer
Exit code:
3221226540
Version:
1, 0, 0, 88
Modules
Images
c:\users\admin\appdata\local\temp\nxkey_x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6332
CMD: C:\Users\admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe "C:\Users\admin\AppData\Local\Temp\~RAPack1269406\FFCert.exe" -noces
Path: C:\Users\admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe
Parent process: FFCert.exe
User:
admin
Company:
RaonSecure Co., Ltd.
Integrity Level:
HIGH
Description:
TouchEn nxKey Installer
Exit code:
0
Version:
1, 0, 0, 8
Modules
Images
c:\users\admin\appdata\local\temp\ffcert_raon\firefox_certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 6484
CMD: "C:\Users\admin\AppData\Local\Temp\nxkey_x86.exe"
Path: C:\Users\admin\AppData\Local\Temp\nxkey_x86.exe
Parent process: explorer.exe
User:
admin
Company:
RaonSecure Co., Ltd.
Integrity Level:
HIGH
Description:
TouchEn nxKey Keyboard Protector Installer
Version:
1, 0, 0, 88
Modules
Images
c:\users\admin\appdata\local\temp\nxkey_x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6684
CMD: "C:\Users\admin\AppData\Local\Temp\~RAPack1269406\CrossEX_LocalService_Install.exe" /S
Path: C:\Users\admin\AppData\Local\Temp\~RAPack1269406\CrossEX_LocalService_Install.exe
Parent process: nxkey_x86.exe
User:
admin
Company:
iniLINE Co., Ltd.
Integrity Level:
HIGH
Description:
iniLINE CrossEX Service
Exit code:
0
Version:
1.0.2.14
Modules
Images
c:\users\admin\appdata\local\temp\nsn6b70.tmp\nsexec.dll
PID: 6964
CMD: sc description "CrossEX Live Checker" "checking live status of CrossEXService"
Path: C:\Windows\SysWOW64\sc.exe
Parent process: CrossEX_LocalService_Install.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6976
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 12 015
Read events: 12 007
Write events: 8
Delete events: 0

Modification events

(PID) Process: (6484) nxkey_x86.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\iniLINE\CrossEX\touchenex
Operation: write
Name: nxkey
Value:
C:\Program Files (X86)\RaonSecure\TouchEn nxKey\TKMain.dll|YpEATZT3tQ0y2jBEFBX9fkUX6vsN4iKHFhl+FU7Ux6w=
(PID) Process: (6484) nxkey_x86.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey
Operation: write
Name: DisplayName
Value:
TouchEn nxKey with E2E for 32bit
(PID) Process: (6484) nxkey_x86.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey
Operation: write
Name: UninstallString
Value:
C:\WINDOWS\SysWOW64\CKSetup32.exe /uninstall appm
(PID) Process: (6484) nxkey_x86.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey
Operation: write
Name: DisplayVersion
Value:
1.0.0.88
(PID) Process: (6484) nxkey_x86.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey
Operation: write
Name: EstimatedSize
Value:
13889
(PID) Process: (6484) nxkey_x86.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey
Operation: write
Name: DisplayIcon
Value:
C:\WINDOWS\SysWOW64\CKAgentNXE.exe
(PID) Process: (6484) nxkey_x86.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey
Operation: write
Name: Publisher
Value:
RaonSecure Co., Ltd.
(PID) Process: (6484) nxkey_x86.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey
Operation: write
Name: URLInfoAbout
Value:
http://www.raonsecure.com/
Executable files: 30
Suspicious files: 17
Text files: 2
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

6484 | nxkey_x86.exe | C:\Windows\SysWOW64\CKSetup32.exe | executable
MD5:864F2E048F09D172C157754E73B3CE88
SHA256:974C256252876CEC2D638832B0B80EFAFC30FD4FA162FF3C3D21342F0FEDC689
6684 | CrossEX_LocalService_Install.exe | C:\Users\admin\AppData\Local\Temp\nsn6B70.tmp\System.dll | executable
MD5:75ED96254FBF894E42058062B4B4F0D1
SHA256:A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7
6484 | nxkey_x86.exe | C:\Users\admin\AppData\Local\Temp\~RAPack1269406\CrossEX_LocalService_Install.exe | executable
MD5:1E1E784F051DE71DF51D6219A07B2725
SHA256:F4F85DC76A9E10FA16D996AEC4885B70AF0D3CD608F8BE4442A7BAB0CB9828A7
6484 | nxkey_x86.exe | C:\Users\admin\AppData\Local\Temp\~RAPack1269406\raon_touchenex_Install.exe | executable
MD5:8C4855B7132B88D53489A1445C04F9BE
SHA256:3021A1D0D62FC3621731387C7EC498460F645C50CDD8888B54A77D0016DC5133
7160 | FFCert.exe | C:\Users\admin\AppData\Local\Temp\ffcert_raon\bin\certutil.exe | executable
MD5:0C6B43C9602F4D5AC9DCF907103447C4
SHA256:5950722034C8505DAA9B359127FEB707F16C37D2F69E79D16EE6D9EC37690478
6684 | CrossEX_LocalService_Install.exe | C:\Program Files (x86)\iniLINE\CrossEX\crossex\ObCrossEXService.exe | executable
MD5:27B49B4880C600C543D898E3101809FF
SHA256:536F90DAA722794CBFD2C09B55112C7D4FA441F8832732E6A1C6BCCD198D8166
6684 | CrossEX_LocalService_Install.exe | C:\Program Files (x86)\iniLINE\CrossEX\crossex\CrossEXService.exe | executable
MD5:C3B6AC5AD2F7CCA8846B5EBA34F5A985
SHA256:346898EA3FA999A208F3700336785804EDF8BC6D0C176138331ABF738A06B88B
6684 | CrossEX_LocalService_Install.exe | C:\Program Files (x86)\iniLINE\CrossEX\crossex\rootCA.crt | text
MD5:4B1B31388B4EB3B180E3139452DCF226
SHA256:A938612C2C61B4DCA94D64C7AAE466B66114F67E0116D0104E1C2E34C10AE782
7160 | FFCert.exe | C:\Users\admin\AppData\Local\Temp\ffcert_raon\Firefox_CertUtil.exe | executable
MD5:B4968BF6ADB62EA03519705CAEDCB842
SHA256:E1B358325EB3D27395DB248BC6A2BCC3F310C91E6D3CA9ACCEFA50F41DB62499
6684 | CrossEX_LocalService_Install.exe | C:\Users\admin\AppData\Local\Temp\nsn6B70.tmp\nsExec.dll | executable
MD5:3D366250FCF8B755FCE575C75F8C79E4
SHA256:8BDD996AE4778C6F829E2BCB651C55EFC9EC37EEEA17D259E013B39528DDDBB6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 5
DNS requests: 5
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (PID, Process, Type and Size were not recorded for these requests)

Method: GET
HTTP Code: 200
IP: 184.30.131.245:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
CN: unknown
Reputation: whitelisted

Method: GET
HTTP Code: 200
IP: 184.30.131.245:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown
Reputation: whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (a "-" marks a cell the report left empty)

5064 | SearchApp.exe | 104.126.37.145:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

Columns: Domain | IP | Reputation

google.com | 142.250.186.142 | whitelisted
www.bing.com | 104.126.37.145, 104.126.37.131 | whitelisted
ocsp.digicert.com | 184.30.131.245 | whitelisted
login.live.com | 40.126.32.136, 40.126.32.74, 40.126.32.138, 40.126.32.134, 20.190.160.17, 40.126.32.76, 40.126.32.140, 40.126.32.133 | whitelisted
go.microsoft.com | 184.30.18.9 | whitelisted

Threats

No threats detected
Debug messages

Columns: Process | Message

nxkey_x86.exe | 20141130 fn : C:\Users\admin\AppData\Local\Temp\~RAPack1269406\_Chunk.zip, C:\Users\admin\AppData\Local\Temp\~RAPack1269406 333
nxkey_x86.exe | 20141211 1.szResVersion : 3,1,2,61
nxkey_x86.exe | 20141130 fn : C:\WINDOWS\system32\CKSetup32.exe, C:\WINDOWS\system32(size=3176944) 577
nxkey_x86.exe | 20141130 fn : C:\Users\admin\AppData\Local\Temp\~RAPack1269406\FFCert.exe, C:\Users\admin\AppData\Local\Temp\~RAPack1269406(size=1966504) 577
nxkey_x86.exe | 20141211 1.szResVersion : 3,1,0,41
nxkey_x86.exe | 20141130 fn : C:\WINDOWS\system32\jrsoftcp.dll, C:\WINDOWS\system32(size=420336) 577
nxkey_x86.exe | 20141211 1.szResVersion : 1,3,1,11
nxkey_x86.exe | 20141211 2.szResVersion : 1,3,1,11, szVersion : 1, 3, 1, 11, Localfile : C:\WINDOWS\system32\KeySharpCrypto.dll
nxkey_x86.exe | 20141211 1.szResVersion : 1,0,0,70
nxkey_x86.exe | 20141130 fn : C:\Program Files (X86)\RaonSecure\TouchEn nxKey\TKAppm.dll, C:\Program Files (X86)\RaonSecure\TouchEn nxKey(size=3090944) 577