| File name: | KexSetup_Release_1_1_2_1428.exe |
| Full analysis: | https://app.any.run/tasks/a22a8a20-740c-4513-812f-7045fb299cf2 |
| Verdict: | Malicious activity |
| Analysis date: | February 09, 2025, 10:16:36 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections |
| MD5: | F424E7BA4308AB2F13299787DDB22915 |
| SHA1: | D3337DBA64453CB4FB3084AA8AF224D40574C5DC |
| SHA256: | EBC942C3C08A44CAB27E4DECCEDB0653B6FBF7EBB11F92F7B23EAE8FFDDCF72B |
| SSDEEP: | 98304:RA664IXggitiEaEurOw1PZOoyX7xtD5coTkRy4BekjaR5VYktN0qzd/6QzhV+3UD:G1ezFd |
MALICIOUS
No malicious indicators.SUSPICIOUS
The process drops C-runtime libraries
- KexSetup_Release_1_1_2_1428.exe (PID: 2224)
Executes application which crashes
- KexSetup.exe (PID: 4740)
Executable content was dropped or overwritten
- KexSetup_Release_1_1_2_1428.exe (PID: 2224)
Reads security settings of Internet Explorer
- KexSetup.exe (PID: 4384)
Process drops legitimate windows executable
- KexSetup_Release_1_1_2_1428.exe (PID: 2224)
Application launched itself
- KexSetup.exe (PID: 4384)
INFO
Checks supported languages
- KexSetup_Release_1_1_2_1428.exe (PID: 2224)
- KexSetup.exe (PID: 4740)
- KexSetup.exe (PID: 4384)
The sample compiled with english language support
- KexSetup_Release_1_1_2_1428.exe (PID: 2224)
Reads the computer name
- KexSetup.exe (PID: 4740)
- KexSetup.exe (PID: 4384)
Checks proxy server information
- WerFault.exe (PID: 5572)
Creates files in the program directory
- KexSetup.exe (PID: 4740)
Reads the software policy settings
- WerFault.exe (PID: 5572)
Creates files or folders in the user directory
- WerFault.exe (PID: 5572)
Create files in a temporary directory
- KexSetup_Release_1_1_2_1428.exe (PID: 2224)
Process checks computer location settings
- KexSetup.exe (PID: 4384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:06:20 07:00:00+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 28160 |
| InitializedDataSize: | 5632 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x7b04 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.1.2.1428 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Windows NT |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| LegalCopyright: | https://github.com/i486/VxKex |
| FileDescription: | VxKex Setup and Maintenance Tool |
| FileVersion: | 1.1.2.1428 |
| InternalName: | KexSetup |
| OriginalFileName: | KEXSETUP.EXE |
Total processes
122
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2224 | "C:\Users\admin\Desktop\KexSetup_Release_1_1_2_1428.exe" | C:\Users\admin\Desktop\KexSetup_Release_1_1_2_1428.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: VxKex Setup and Maintenance Tool Exit code: 0 Version: 1.1.2.1428 Modules
| |||||||||||||||
| 4384 | C:\Users\admin\AppData\Local\Temp\7z3511A8B0\KexSetup.exe | C:\Users\admin\AppData\Local\Temp\7z3511A8B0\KexSetup.exe | — | KexSetup_Release_1_1_2_1428.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: VxKex Setup and Maintenance Tool Exit code: 0 Version: 1.1.2.1428 Modules
| |||||||||||||||
| 4740 | "C:\Users\admin\AppData\Local\Temp\7z3511A8B0\KexSetup.exe" /SILENTUNATTEND /HWND:524414 /KEXDIR:"C:\Program Files\VxKex" | C:\Users\admin\AppData\Local\Temp\7z3511A8B0\KexSetup.exe | KexSetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: VxKex Setup and Maintenance Tool Exit code: 3221225477 Version: 1.1.2.1428 Modules
| |||||||||||||||
| 5572 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4740 -s 560 | C:\Windows\SysWOW64\WerFault.exe | KexSetup.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
6 299
Read events
6 284
Write events
12
Delete events
3
Modification events
| (PID) Process: | (4740) KexSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\VXsoft\VxKex |
| Operation: | write | Name: | KexDir |
Value: C:\Program Files\VxKex | |||
| (PID) Process: | (4740) KexSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\VXsoft\VxKex |
| Operation: | write | Name: | LogDir |
Value: C:\ProgramData\VxKex\Logs | |||
| (PID) Process: | (5572) WerFault.exe | Key: | \REGISTRY\A\{eebcfacf-1815-5d8f-1688-237ec15df4e5}\Root\InventoryApplicationFile |
| Operation: | write | Name: | WritePermissionsCheck |
Value: 1 | |||
| (PID) Process: | (4740) KexSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\VXsoft\VxKex |
| Operation: | write | Name: | InstalledVersion |
Value: | |||
| (PID) Process: | (4740) KexSetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\VXsoft\VxKex |
| Operation: | write | Name: | LogDir |
Value: C:\Users\admin\AppData\Local\VxKex\Logs | |||
| (PID) Process: | (4740) KexSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{VxKexPropagationVirtualKey} |
| Operation: | write | Name: | GlobalFlag |
Value: 256 | |||
| (PID) Process: | (4740) KexSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{VxKexPropagationVirtualKey} |
| Operation: | write | Name: | VerifierFlags |
Value: | |||
| (PID) Process: | (4740) KexSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{VxKexPropagationVirtualKey} |
| Operation: | write | Name: | VerifierDlls |
Value: KexDll.dll | |||
| (PID) Process: | (5572) WerFault.exe | Key: | \REGISTRY\A\{eebcfacf-1815-5d8f-1688-237ec15df4e5}\Root\InventoryApplicationFile\PermissionsCheckTestKey |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (5572) WerFault.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData |
| Operation: | write | Name: | ClockTimeSeconds |
Value: 9A80A86700000000 | |||
Executable files
39
Suspicious files
5
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2224 | KexSetup_Release_1_1_2_1428.exe | C:\Users\admin\AppData\Local\Temp\7z3511A8B0\Core32\VxKexLdr.exe | executable | |
MD5:8EAF0E84C47EA9717C3BCC1FDEBFCA72 | SHA256:F091A3DE5AC14C161CDAEC11E51DF28A65406B5116CBCC4E583E0AAC37D4778D | |||
| 2224 | KexSetup_Release_1_1_2_1428.exe | C:\Users\admin\AppData\Local\Temp\7z3511A8B0\Core32\KexCfg.exe | executable | |
MD5:DAFB2D3F7BAD758391BC1598C9AD65AE | SHA256:0706767FC51D2115B1B16E2A3CAE438B6DD3715785133223307E6948E04DABA7 | |||
| 2224 | KexSetup_Release_1_1_2_1428.exe | C:\Users\admin\AppData\Local\Temp\7z3511A8B0\Core\Changelog.txt | text | |
MD5:28F06CEE734A8FF74F03BA7742920E17 | SHA256:DC20E31FA0FCB7B9A054940501821D39ED5E844BBDEDA08A8CA9568366B3A532 | |||
| 2224 | KexSetup_Release_1_1_2_1428.exe | C:\Users\admin\AppData\Local\Temp\7z3511A8B0\Core64\KexDll.dll | executable | |
MD5:E88B1BE5B6A96DB028554DC7C841490D | SHA256:3E134E9757CADE330C41954EE99BD7EF43849F1B0A199CF28BD2291110653FF1 | |||
| 2224 | KexSetup_Release_1_1_2_1428.exe | C:\Users\admin\AppData\Local\Temp\7z3511A8B0\Core32\KexShlEx.dll | executable | |
MD5:A1239CFC3FAD5CDBE7ECA45DC8971D8B | SHA256:E26464260EFF1AD46214699D738E3DFA954C83EEF88A6CB8CFCDBF5C134602DA | |||
| 2224 | KexSetup_Release_1_1_2_1428.exe | C:\Users\admin\AppData\Local\Temp\7z3511A8B0\Core\Application Compatibility List.docx | document | |
MD5:37BF15A43E5A2CC56DCAFAF449264AFE | SHA256:88CB1AC486D3B5C4CDFE43817E5B5C782D5B0D4FFFA048AF4EBCAD6F2DD23848 | |||
| 2224 | KexSetup_Release_1_1_2_1428.exe | C:\Users\admin\AppData\Local\Temp\7z3511A8B0\Core32\VxlView.exe | executable | |
MD5:D552CCCBC0A350CB6A1AF35C98B10DB2 | SHA256:362A6F71CD9A2E39672B079109100AAB5F222E74AC6559919DFB42EC175D7DC9 | |||
| 2224 | KexSetup_Release_1_1_2_1428.exe | C:\Users\admin\AppData\Local\Temp\7z3511A8B0\Kex32\dwrw10.dll | executable | |
MD5:C35E8C37E5D3BB64D5136B25B99E9D31 | SHA256:02BD331766422B276645A8F398EF515142F3F803B9C59DDA71DAFD7C4D82B5A1 | |||
| 2224 | KexSetup_Release_1_1_2_1428.exe | C:\Users\admin\AppData\Local\Temp\7z3511A8B0\Core32\KexDll.dll | executable | |
MD5:353A634FDC29053C5A156775D75FA110 | SHA256:19D9819565EE609BB5D2DA2BF4C002798AA716C9BCF5B30E9D857F8A86292997 | |||
| 2224 | KexSetup_Release_1_1_2_1428.exe | C:\Users\admin\AppData\Local\Temp\7z3511A8B0\Core64\KexShlEx.dll | executable | |
MD5:4FB14B73C665F346718311063C283940 | SHA256:0B1E2ECA5131DD34ADF26B7826C8E79DF96EEE37D2CA2AA025854DC6BCCC93B9 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
21
DNS requests
6
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3040 | svchost.exe | GET | 200 | 2.16.164.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3040 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3040 | svchost.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 2.21.65.132:443 | — | Akamai International B.V. | NL | unknown |
3040 | svchost.exe | 2.16.164.90:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.164.90:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
3040 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
watson.events.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |