Edit tour

Windows Analysis Report
flexi.exe

Overview

General Information

Sample name:	flexi.exe
Analysis ID:	1653503
MD5:	a5c8f336f1650812ca490982db01e986
SHA1:	8e3efaf68a85102ef6da4e471bd47b4e12847eda
SHA256:	bbcfc9e5628567631dc81e101282e2d2f402a4921fe8cb0cbaa4d80aa22bd832
Infos:

Detection

Score:	2
Range:	0 - 100
Confidence:	80%

Signatures

Entry point lies outside standard sections

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Classification

Process Tree

System is w11x64_office

flexi.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\flexi.exe" MD5: A5C8F336F1650812CA490982DB01E986)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Data Obfuscation

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: flexi.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: browser.events.data.msn.cn

Source: flexi.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: flexi.exe

Static PE information: Section: .AKS1 ZLIB complexity 1.0003226143973214

Source: classification engine

Classification label: clean2.winEXE@1/0@1/0

Source: C:\Users\user\Desktop\flexi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\flexi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\flexi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\flexi.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Users\user\Desktop\flexi.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\flexi.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\flexi.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\flexi.exe	Section loaded: alleg44.dll	Jump to behavior
Source: C:\Users\user\Desktop\flexi.exe	Section loaded: libgcc_s_dw2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\flexi.exe	Section loaded: libstdc++-6.dll	Jump to behavior
Source: C:\Users\user\Desktop\flexi.exe	Section loaded: tvichw32.dll	Jump to behavior

Source: flexi.exe

Static file information: File size 5590503 > 1048576

Source: flexi.exe

Static PE information: Raw size of .AKS2 is bigger than: 0x100000 < 0x3a2a00

Source: initial sample

Static PE information: section where entry point is pointing to: .AKS3

Source: flexi.exe

Static PE information: real checksum: 0x3ff9dc should be: 0x560270

Source: flexi.exe	Static PE information: section name: .AKS1
Source: flexi.exe	Static PE information: section name: .AKS2
Source: flexi.exe	Static PE information: section name: .AKS3

Source: flexi.exe

Static PE information: section name: .AKS1 entropy: 7.999350780667601

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Software Packing	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
onedscolprdwus21.westus.cloudapp.azure.com	20.189.173.27	true	false		high
browser.events.data.msn.cn	unknown	unknown	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1653503
Start date and time:	2025-04-01 10:47:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	flexi.exe
Detection:	CLEAN
Classification:	clean2.winEXE@1/0@1/0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SystemSettingsBroker.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
onedscolprdwus21.westus.cloudapp.azure.com	vigilanz.exe	Get hash	malicious	Unknown	Browse	20.189.173.27
	Setup.exe	Get hash	malicious	Unknown	Browse	20.189.173.27
	VtrZVhhVGV.msi	Get hash	malicious	RedLine	Browse	20.189.173.27

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.103011134576926
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	flexi.exe
File size:	5'590'503 bytes
MD5:	a5c8f336f1650812ca490982db01e986
SHA1:	8e3efaf68a85102ef6da4e471bd47b4e12847eda
SHA256:	bbcfc9e5628567631dc81e101282e2d2f402a4921fe8cb0cbaa4d80aa22bd832
SHA512:	5030b3aa1a3007ee2a93adfcb9cb34cceab15456b57e3db832d83f902761693e7dd5be98b9ef58477b9c0605e2dde8e59e7a184dcc1f4a9d6af2fb46eaa4d20f
SSDEEP:	98304:L/3Ec2rVbet4oevgWCn0dTVpmUCyhoSChvJld95N0:L/3d2r5etTBaVp9CQ36Jld9j0
TLSH:	2B4612B076A4DD4DD941063D5DB6C2DA2B39BD41CF22575332E07F6FAEBA2C22E51202
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P.......C...................."...._...........@...........................`.......?....... ............................

File Icon


Icon Hash:	90969696969696a8

Static PE Info

General

Entrypoint:	0x9ff000
Entrypoint Section:	.AKS3
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x2E2E350 [Thu Jul 15 11:02:40 1971 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	36eccbb6fdd5e9f03b588dff2b113ed7

Entrypoint Preview

Instruction
push edi
push esi
push ebx
push ecx
call 00007F1E80B78726h
mov edi, 05720558h
add byte ptr [eax], al
push eax
mov esi, dword ptr [eax]
add esi, eax
mov edi, esi
lodsd
shl eax, 0Ch
mov ecx, eax
push eax
lodsd
sub ecx, eax
add ecx, edi
mov esi, ecx
mov ecx, eax
push edi
push ecx
call 00007F1E80B78726h
mov ecx, 47C2815Ah
add eax, 128A0000h
sub ecx, 01h
jne 00007F1E80B78723h
or dword ptr [ebx+edx*8+0224850Fh], 00810000h
jmp 00007F1E80B7872Bh
jc 00007F1E80B789B0h
jmp 00007F1E80B788E1h
cmp ecx, edx
jnc 00007F1E80B7876Bh
mov ebx, ecx
lodsb
inc ecx
jne 00007F1E80B78723h
mov eax, 850FD38Ch
dec ebp
add al, byte ptr [eax]
add byte ptr [eax+7209EBC1h], bh
xor al, 24h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7000	0x458	.AKS2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x600000	0x284	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5ff5a0	0x18	.AKS3
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb71a4	0x88	.AKS2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.AKS1	0x1000	0xb6000	0x54000	9905ad0b42d73b5c771f64fab3fe6f9e	False	1.0003226143973214	OpenPGP Secret Key	7.999350780667601	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.AKS2	0xb7000	0x548000	0x3a2a00	8f5f2bbcdae3c6d5fb595a4efb94d620	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.AKS3	0x5ff000	0x5e3	0x600	7d2ab3aa7e8ca18288bd1bd2eecaa522	False	0.798828125	data	6.355007480390883	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x600000	0x284	0x400	8179e4231cf9119c315519b983403345	False	0.3447265625	data	3.911572949878916	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x600058	0x22c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5503597122302158

Imports

DLL	Import
KERNEL32	GetModuleHandleA, GetProcAddress
user32.dll	GetDC
advapi32.dll	GetAce
iphlpapi.dll	GetIfTable
shell32.dll	ILFree
hid.dll	HidP_GetCaps
setupapi.dll	SetupInstallFileA
dhcpcsvc.dll	DhcpIsEnabled
dhcpcsvc6.dll	Dhcpv6IsEnabled
psapi.dll	EnumProcesses
wsock32.dll	bind
alleg44.dll	blit
libgcc_s_dw2-1.dll	__udivdi3
libstdc++-6.dll	_Znaj
TVicHW32.dll	_MaskIRQ@8
msvcrt.dll	cos
GDI32.dll	DeleteDC

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 1, 2025 10:48:08.798752069 CEST	59393	53	192.168.2.24	1.1.1.1
Apr 1, 2025 10:48:08.883622885 CEST	53	59393	1.1.1.1	192.168.2.24
Apr 1, 2025 10:48:55.385200024 CEST	53	56394	162.159.36.2	192.168.2.24

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 1, 2025 10:48:08.798752069 CEST	192.168.2.24	1.1.1.1	0x2782	Standard query (0)	browser.events.data.msn.cn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 1, 2025 10:48:08.883622885 CEST	1.1.1.1	192.168.2.24	0x2782	No error (0)	browser.events.data.msn.cn	global.asimov.events.data.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 1, 2025 10:48:08.883622885 CEST	1.1.1.1	192.168.2.24	0x2782	No error (0)	global.asimov.events.data.trafficmanager.net	onedscolprdwus21.westus.cloudapp.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 1, 2025 10:48:08.883622885 CEST	1.1.1.1	192.168.2.24	0x2782	No error (0)	onedscolprdwus21.westus.cloudapp.azure.com		20.189.173.27	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• flexi.exe

Click to jump to process

Memory Usage

• flexi.exe

Click to jump to process

System Behavior

Analysis Process: flexi.exePID: 6600, Parent PID: 2712

Function Logs