Malware analysis KexSetup_Release_1_1_2_1428.exe Malicious activity

Add for printing

File name:	KexSetup_Release_1_1_2_1428.exe
Full analysis:	https://app.any.run/tasks/9dec4d57-870e-4f63-a1c6-c65702b9ec74
Verdict:	Malicious activity
Analysis date:	February 12, 2025, 14:07:00
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	F424E7BA4308AB2F13299787DDB22915
SHA1:	D3337DBA64453CB4FB3084AA8AF224D40574C5DC
SHA256:	EBC942C3C08A44CAB27E4DECCEDB0653B6FBF7EBB11F92F7B23EAE8FFDDCF72B
SSDEEP:	98304:RA664IXggitiEaEurOw1PZOoyX7xtD5coTkRy4BekjaR5VYktN0qzd/6QzhV+3UD:G1ezFd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: on
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executable content was dropped or overwritten
  - KexSetup_Release_1_1_2_1428.exe (PID: 6348)
- Process drops legitimate windows executable
  - KexSetup_Release_1_1_2_1428.exe (PID: 6348)
- The process drops C-runtime libraries
  - KexSetup_Release_1_1_2_1428.exe (PID: 6348)
- Reads security settings of Internet Explorer
  - KexSetup.exe (PID: 6388)
- Executes application which crashes
  - KexSetup.exe (PID: 6672)
- Application launched itself
  - KexSetup.exe (PID: 6388)
INFO
- The sample compiled with english language support
  - KexSetup_Release_1_1_2_1428.exe (PID: 6348)
- Checks supported languages
  - KexSetup.exe (PID: 6388)
  - KexSetup.exe (PID: 6672)
  - KexSetup_Release_1_1_2_1428.exe (PID: 6348)
- Reads the computer name
  - KexSetup.exe (PID: 6672)
  - KexSetup.exe (PID: 6388)
- Process checks computer location settings
  - KexSetup.exe (PID: 6388)
- Creates files in the program directory
  - KexSetup.exe (PID: 6672)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:06:20 07:00:00+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	28160
InitializedDataSize:	5632
UninitializedDataSize:	-
EntryPoint:	0x7b04
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.1.2.1428
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Windows NT
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
LegalCopyright:	https://github.com/i486/VxKex
FileDescription:	VxKex Setup and Maintenance Tool
FileVersion:	1.1.2.1428
InternalName:	KexSetup
OriginalFileName:	KEXSETUP.EXE

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

129

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

6348

"C:\Users\admin\Desktop\KexSetup_Release_1_1_2_1428.exe"

C:\Users\admin\Desktop\KexSetup_Release_1_1_2_1428.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

VxKex Setup and Maintenance Tool

Exit code:

Version:

1.1.2.1428

Modules

Images
c:\users\admin\desktop\kexsetup_release_1_1_2_1428.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

6388

C:\Users\admin\AppData\Local\Temp\7z303B18CC\KexSetup.exe

—

KexSetup_Release_1_1_2_1428.exe

User:

admin

Integrity Level:

MEDIUM

Description:

VxKex Setup and Maintenance Tool

Exit code:

Version:

1.1.2.1428

Modules

Images
c:\users\admin\appdata\local\temp\7z303b18cc\kexsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll

6672

"C:\Users\admin\AppData\Local\Temp\7z303B18CC\KexSetup.exe" /SILENTUNATTEND /HWND:328372 /KEXDIR:"C:\Program Files\VxKex"

C:\Users\admin\AppData\Local\Temp\7z303B18CC\KexSetup.exe

KexSetup.exe

User:

admin

Integrity Level:

HIGH

Description:

VxKex Setup and Maintenance Tool

Exit code:

3221225477

Version:

1.1.2.1428

6792

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6672 -s 568

C:\Windows\SysWOW64\WerFault.exe

KexSetup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

Add for printing

Total events

3 460

Read events

3 445

Write events

Delete events

Modification events


(PID) Process:	(6672) KexSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\VXsoft\VxKex
Operation:	write	Name:	InstalledVersion
Value:
(PID) Process:	(6672) KexSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\VXsoft\VxKex
Operation:	write	Name:	KexDir
Value: C:\Program Files\VxKex
(PID) Process:	(6672) KexSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\VXsoft\VxKex
Operation:	write	Name:	LogDir
Value: C:\ProgramData\VxKex\Logs
(PID) Process:	(6672) KexSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\VXsoft\VxKex
Operation:	write	Name:	LogDir
Value: C:\Users\admin\AppData\Local\VxKex\Logs
(PID) Process:	(6672) KexSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{VxKexPropagationVirtualKey}
Operation:	write	Name:	GlobalFlag
Value: 256
(PID) Process:	(6672) KexSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{VxKexPropagationVirtualKey}
Operation:	write	Name:	VerifierFlags
Value:
(PID) Process:	(6672) KexSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{VxKexPropagationVirtualKey}
Operation:	write	Name:	VerifierDlls
Value: KexDll.dll
(PID) Process:	(6792) WerFault.exe	Key:	\REGISTRY\A\{9ff2345f-ba19-de14-4e38-a3e213c322c1}\Root\InventoryApplicationFile
Operation:	write	Name:	WritePermissionsCheck
Value: 1
(PID) Process:	(6792) WerFault.exe	Key:	\REGISTRY\A\{9ff2345f-ba19-de14-4e38-a3e213c322c1}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6792) WerFault.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Operation:	write	Name:	ClockTimeSeconds
Value: 13ABAC6700000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6348	KexSetup_Release_1_1_2_1428.exe	C:\Users\admin\AppData\Local\Temp\7z303B18CC\Core\Application Compatibility List.docx		document
		MD5:37BF15A43E5A2CC56DCAFAF449264AFE	SHA256:88CB1AC486D3B5C4CDFE43817E5B5C782D5B0D4FFFA048AF4EBCAD6F2DD23848
6348	KexSetup_Release_1_1_2_1428.exe	C:\Users\admin\AppData\Local\Temp\7z303B18CC\Core\Changelog.txt		text
		MD5:28F06CEE734A8FF74F03BA7742920E17	SHA256:DC20E31FA0FCB7B9A054940501821D39ED5E844BBDEDA08A8CA9568366B3A532
6348	KexSetup_Release_1_1_2_1428.exe	C:\Users\admin\AppData\Local\Temp\7z303B18CC\Core64\KexShlEx.dll		executable
		MD5:4FB14B73C665F346718311063C283940	SHA256:0B1E2ECA5131DD34ADF26B7826C8E79DF96EEE37D2CA2AA025854DC6BCCC93B9
6348	KexSetup_Release_1_1_2_1428.exe	C:\Users\admin\AppData\Local\Temp\7z303B18CC\Core32\VxKexLdr.exe		executable
		MD5:8EAF0E84C47EA9717C3BCC1FDEBFCA72	SHA256:F091A3DE5AC14C161CDAEC11E51DF28A65406B5116CBCC4E583E0AAC37D4778D
6348	KexSetup_Release_1_1_2_1428.exe	C:\Users\admin\AppData\Local\Temp\7z303B18CC\Core32\KexShlEx.dll		executable
		MD5:A1239CFC3FAD5CDBE7ECA45DC8971D8B	SHA256:E26464260EFF1AD46214699D738E3DFA954C83EEF88A6CB8CFCDBF5C134602DA
6348	KexSetup_Release_1_1_2_1428.exe	C:\Users\admin\AppData\Local\Temp\7z303B18CC\Core32\CpiwBypa.dll		executable
		MD5:550B25FEBDE5B4D75808CBF06AFA6892	SHA256:9CFCDB7CA2FF11123458DB26F976B2E46485B26EBD6AAC665021C2C2641FB24B
6348	KexSetup_Release_1_1_2_1428.exe	C:\Users\admin\AppData\Local\Temp\7z303B18CC\Core32\KexCfg.exe		executable
		MD5:DAFB2D3F7BAD758391BC1598C9AD65AE	SHA256:0706767FC51D2115B1B16E2A3CAE438B6DD3715785133223307E6948E04DABA7
6348	KexSetup_Release_1_1_2_1428.exe	C:\Users\admin\AppData\Local\Temp\7z303B18CC\Core64\CpiwBypa.dll		executable
		MD5:E11AE0300945BAE57537EA11762935C2	SHA256:729DF5CB00902D7D0519CA78DB7760C36247DD5680B918A62BC167EB8831697A
6348	KexSetup_Release_1_1_2_1428.exe	C:\Users\admin\AppData\Local\Temp\7z303B18CC\Kex32\KxAdvapi.dll		executable
		MD5:50F7D66A8B7F97388DEA357F9C469A6D	SHA256:AAB2E6091D0972F5B684826F1037925EF4C5F9D6A4281A998957EABA023DB61C
6348	KexSetup_Release_1_1_2_1428.exe	C:\Users\admin\AppData\Local\Temp\7z303B18CC\Core32\VxlView.exe		executable
		MD5:D552CCCBC0A350CB6A1AF35C98B10DB2	SHA256:362A6F71CD9A2E39672B079109100AAB5F222E74AC6559919DFB42EC175D7DC9

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.21.245.180:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.54.109.203:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
—	—	GET	200	23.58.102.107:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6792	WerFault.exe	GET	200	2.21.245.180:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6792	WerFault.exe	GET	200	23.58.102.107:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5064	SearchApp.exe	95.100.248.219:443	www.bing.com	Akamai International B.V.	NL	whitelisted
—	—	23.54.109.203:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
—	—	2.21.245.180:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	23.58.102.107:80	www.microsoft.com	AKAMAI-AS	IN	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5388	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6792	WerFault.exe	20.189.173.20:443	watson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1804	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
www.bing.com	95.100.248.219	whitelisted
google.com	142.250.185.142	whitelisted
ocsp.digicert.com	23.54.109.203	whitelisted
crl.microsoft.com	2.21.245.180	whitelisted
www.microsoft.com	23.58.102.107	whitelisted
watson.events.data.microsoft.com	20.189.173.20	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

KexSetup_Release_1_1_2_1428.exe

F424E7BA4308AB2F13299787DDB22915

D3337DBA64453CB4FB3084AA8AF224D40574C5DC

EBC942C3C08A44CAB27E4DECCEDB0653B6FBF7EBB11F92F7B23EAE8FFDDCF72B

98304:RA664IXggitiEaEurOw1PZOoyX7xtD5coTkRy4BekjaR5VYktN0qzd/6QzhV+3UD:G1ezFd

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

The process drops C-runtime libraries

Reads security settings of Internet Explorer

Executes application which crashes

Application launched itself

INFO

The sample compiled with english language support

Checks supported languages

Reads the computer name

Process checks computer location settings

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings