File name:	nex.exe
Full analysis:	https://app.any.run/tasks/b897b0ac-1795-4209-b150-796673b17f12
Verdict:	Malicious activity
Threats:	Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	December 29, 2021, 08:02:34
OS:	Windows 10 Professional (build: 16299, 64 bit)
Tags:	installer trojan
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	FEFBF3A6998A24CE1D180ED9F4BA88CA
SHA1:	BD0C5BDB67446CA6D927B6F34F71336A5EDB1977
SHA256:	F5EC089660FF7654E490F777F1474DE95854B471CD7B5820C3325B4F611FC6DC
SSDEEP:	196608:bgrOn7FE6icOcKTQWwR9CtmwRgWn7v/IZ:bgt7c+twTnAgYS

.exe	\|	InstallShield setup (64.5)
.scr	\|	Windows screen saver (19.6)
.exe	\|	Win32 Executable (generic) (6.7)
.exe	\|	Win16/32 Executable Delphi generic (3.1)
.exe	\|	Generic Win/DOS Executable (2.9)

ProductVersion:	2.0.8
ProductName:	QQMusic
OriginalFileName:	QQMusicDownloader.exe
LegalCopyright:	Copyright (C) 1998-2017 Tencent. All Rights Reserved
InternalName:	QQMusicDownloader.exe
FileVersion:	2.0.8
FileDescription:	QQ音乐下载器
CompanyName:	Tencent
CharacterSet:	Unicode
LanguageCode:	Chinese (Simplified)
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Windows NT 32-bit
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	2.0.8.0
FileVersionNumber:	2.0.8.0
Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	-
OSVersion:	4
EntryPoint:	0x83a10
UninitializedDataSize:	-
InitializedDataSize:	156160
CodeSize:	535552
LinkerVersion:	2.25
PEType:	PE32
TimeStamp:	1992:06:20 00:22:17+02:00
MachineType:	Intel 386 or later, and compatibles

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	19-Jun-1992 22:22:17
Detected languages:	Chinese - PRC Process Default Language
CompanyName:	Tencent
FileDescription:	QQ音乐下载器
FileVersion:	2.0.8
InternalName:	QQMusicDownloader.exe
LegalCopyright:	Copyright (C) 1998-2017 Tencent. All Rights Reserved
OriginalFilename:	QQMusicDownloader.exe
ProductName:	QQMusic
ProductVersion:	2.0.8

Magic number:	MZ
Bytes on last page of file:	0x0050
Pages in file:	0x0002
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x000F
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x001A
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000100

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	11
Time date stamp:	19-Jun-1992 22:22:17
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_BYTES_REVERSED_HI IMAGE_FILE_BYTES_REVERSED_LO IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LINE_NUMS_STRIPPED IMAGE_FILE_LOCAL_SYMS_STRIPPED

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
CODE	0x00001000	0x00082A58	0x00082C00	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.52189
DATA	0x00084000	0x000015FC	0x00001600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.10141
BSS	0x00086000	0x00000FD9	0x00000000	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0
.idata	0x00087000	0x000026E2	0x00002800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.94954
.tls	0x0008A000	0x00000024	0x00000000	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0
.rdata	0x0008B000	0x00000018	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED	0.199108
.reloc	0x000AF000	0x0067BF4C	0x0067C000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.99994
.rsrc	0x00096000	0x00018950	0x00018A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED	6.37401
	0x0072B000	0x00000F19	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0
wwwekuc	0x0072C000	0x00000200	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	6.20341

Title	Entropy	Size	Codepage	Language	Type
1	3.49918	768	Latin 1 / Western European	Process Default Language	RT_VERSION
2	5.15896	9832	Latin 1 / Western European	Process Default Language	RT_ICON
3	3.57285	4392	Latin 1 / Western European	Process Default Language	RT_ICON
4	4.78954	2488	Latin 1 / Western European	Process Default Language	RT_ICON
5	4.03945	1128	Latin 1 / Western European	Process Default Language	RT_ICON
6	2.89005	744	Latin 1 / Western European	Process Default Language	RT_ICON
7	2.54353	296	Latin 1 / Western European	Process Default Language	RT_ICON
8	4.35478	3752	Latin 1 / Western European	Process Default Language	RT_ICON
9	5.17501	2216	Latin 1 / Western European	Process Default Language	RT_ICON
10	3.47748	1384	Latin 1 / Western European	Process Default Language	RT_ICON


(PID) Process:	(1232) nex.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1232) nex.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1232) nex.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1232) nex.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2308) VPDN_LU.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2308) VPDN_LU.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2308) VPDN_LU.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2308) VPDN_LU.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2308) VPDN_LU.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	nav
Value: "C:\ProgramData\nav\nav.exe"
(PID) Process:	(4244) svchost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\61\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

PID	Process	Filename		Type
2308	VPDN_LU.exe	C:\ProgramData\nav\navlu.dll		executable
		MD5:—	SHA256:—
1232	nex.exe	C:\Users\admin\Desktop\VPDN_LU.exe		executable
		MD5:—	SHA256:—
1232	nex.exe	C:\Users\admin\Desktop\navlu.dll		executable
		MD5:—	SHA256:—
4760	makecab.exe	C:\Users\admin\AppData\Local\Temp\cab_4760_2		binary
		MD5:—	SHA256:—
4760	makecab.exe	C:\Users\admin\AppData\Local\Temp\cab_4760_3		binary
		MD5:—	SHA256:—
4760	makecab.exe	C:\Users\admin\AppData\Local\Temp\cab_4760_4		binary
		MD5:—	SHA256:—
4760	makecab.exe	C:\Users\admin\Desktop\tcmsetup.msu		compressed
		MD5:—	SHA256:—
4760	makecab.exe	C:\Users\admin\AppData\Local\Temp\cab_4760_5		binary
		MD5:—	SHA256:—
4244	svchost.exe	C:\ProgramData\nav\config.ini		text
		MD5:—	SHA256:—
1232	nex.exe	C:\Users\admin\Desktop\navlu.dll.url		binary
		MD5:—	SHA256:—


advapi32.dll
comdlg32.dll
gdi32.dll
kernel32.dll
ole32.dll
oleaut32.dll
shell32.dll
user32.dll
version.dll

PID	Process	IP	Domain	ASN	CN	Reputation
4244	svchost.exe	23.106.124.116:443	update.fasterwall.com	—	SG	malicious
2876	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	Microsoft Corporation	GB	whitelisted

Domain	IP	Reputation
update.fasterwall.com	23.106.124.116	malicious
self.events.data.microsoft.com	52.168.112.66	whitelisted
dns.msftncsi.com	131.107.255.255	shared
settings-win.data.microsoft.com	51.124.78.146	whitelisted

General Info

nex.exe

FEFBF3A6998A24CE1D180ED9F4BA88CA

BD0C5BDB67446CA6D927B6F34F71336A5EDB1977

F5EC089660FF7654E490F777F1474DE95854B471CD7B5820C3325B4F611FC6DC

196608:bgrOn7FE6icOcKTQWwR9CtmwRgWn7v/IZ:bgt7c+twTnAgYS

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops executable file immediately after starts

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Changes the autorun value in the registry

Uses SVCHOST.EXE for hidden code execution

SUSPICIOUS

Checks supported languages

Application launched itself

Drops a file with a compile date too recent

Drops a file with too old compile date

Drops a file that was compiled in debug mode

Reads the computer name

Executable content was dropped or overwritten

Creates files in the program directory

INFO

Checks supported languages

Reads the computer name

Reads settings of System Certificates

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings