It reads Terminal Services-related registry keys, which are associated with Remote Desktop Protocol (RDP). This may indicate that it inspects or changes the host's RDP configuration, or that it attempts to access remote systems over RDP.
It queries kernel debugger information. This may indicate that it tries to detect or evade debugging tools.
It reads the active computer name and the cryptographic machine GUID. This may indicate that it gathers system information to fingerprint the host for identification or targeting purposes.
It possibly checks for the presence of an antivirus engine. This may indicate that it tries to avoid detection or removal by security software.
It possibly implements anti-virtualization techniques. This may indicate that it tries to avoid analysis in sandboxes or virtual machines.
The sandbox observed a large number of ARP broadcast requests (network device lookup) coming from the sample. This may indicate that it scans the local network for potential victims or hosts.
Note that these are sandbox heuristics: reading the computer name, the machine GUID or RDP settings is also done by many legitimate installers, so the behaviours above are suggestive rather than conclusive on their own.
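The ARP behaviour is the one item in this list that is visible on the wire rather than only inside the sandbox. The following detector, an added example that is not part of the original page or of the Hybrid Analysis report, shows how to turn it into a check: it parses tcpdump-style ARP lines and flags any source that asks for many distinct IP addresses within a short window. The log lines are constructed for the example; the window and threshold values are assumptions to tune for your own segment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# tcpdump -n style ARP request line, e.g.
#   12:00:05.020000 ARP, Request who-has 192.168.1.1 tell 192.168.1.77, length 28
ARP_REQUEST_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Request who-has "
    r"(?P<target>\d+\.\d+\.\d+\.\d+) tell (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_arp_requests(lines):
    """Yield (timestamp, source_ip, target_ip) for every ARP request line.

    ARP replies and non-ARP lines do not match the pattern and are skipped.
    """
    for line in lines:
        m = ARP_REQUEST_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        yield ts, m["src"], m["target"]


def detect_arp_sweeps(lines, min_targets=20, window=timedelta(seconds=10)):
    """Return {source_ip: distinct_targets} for hosts that asked for at least
    `min_targets` distinct addresses inside any `window`-long interval.

    A host resolving its gateway and a few peers never reaches the threshold;
    a sweep of an entire /24 does so in a couple of seconds.
    """
    by_src = defaultdict(list)
    for ts, src, target in parse_arp_requests(lines):
        by_src[src].append((ts, target))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        best, lo = 0, 0
        # Sliding window over the time-ordered requests of this source.
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = len({t for _, t in events[lo:hi + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            hits[src] = best
    return hits


def build_sample_log():
    """Constructed capture (not from the report): one benign host plus one host
    that resolves every address in 192.168.1.1-30 within under a second."""
    lines = [
        "12:00:00.050000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28",
        "12:00:00.060000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 46",
        "12:00:03.200000 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28",
    ]
    for i in range(1, 31):
        lines.append(
            f"12:00:05.{i * 20000:06d} ARP, Request who-has 192.168.1.{i} "
            f"tell 192.168.1.77, length 28"
        )
    return lines


if __name__ == "__main__":
    for src, count in detect_arp_sweeps(build_sample_log()).items():
        print(f"possible ARP sweep from {src}: {count} distinct targets")
```

Feed it real data with `tcpdump -n -l arp | python3 arp_sweep.py` style piping once you replace `build_sample_log()` with `sys.stdin`; the parser ignores replies, so only the who-has requests that the sample emits are counted.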
Characteristics
According to the analysis report, GenFix v final.exe has the following characteristics:
File size: 3.5 MB (3686400 bytes)
File type: Win32 EXE
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: a9a9f3c8c6e7b6c4f7a8f9d5a9d7f4e8
SHA-1: c6b4b0c7e8f0a6c4b9a6d3c8e7f6b5c4a8f9d7e6
SHA-256: bd569004e228546d4322dad710e781f42fc06032348471d17cfbcb6246533d46
VirusTotal detection ratio: 19/69 (27.54%)
Indicators of Compromise
The following indicators of compromise can be used to detect GenFix v final.exe or to block it before it runs:
The file size and the MD5, SHA-1 and SHA-256 hashes listed above. These are the strongest indicators, since a hash match identifies this exact sample; the file name is only a weak hint because it is trivially changed, and a repacked or recompiled variant will not match any of the hashes.
The registry keys and values that GenFix v final.exe accesses or modifies, such as the ones below. On their own these are weak indicators, since legitimate software also reads them, but a process that touches all of them while matching the other behaviours is worth a closer look:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
The network traffic patterns that GenFix v final.exe generates, such as:
RDP traffic on TCP port 3389.
A burst of ARP broadcast requests on the local network segment. ARP is a link-layer protocol and has no port (port 67 belongs to DHCP/BOOTP, not ARP); the indicator is the unusual volume of requests for many different addresses from one host.
HTTP traffic on TCP port 80.
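To put the hash indicators to use, the following script, an added example that is not part of the original page or of the Hybrid Analysis report, walks a directory tree, computes MD5, SHA-1 and SHA-256 of every regular file in one streamed pass, and reports any file whose digest is in the indicator set. The indicator set is taken verbatim from the Characteristics table above; the `demo()` function builds a constructed directory with a harmless stand-in file whose own digest is added to a copy of the set, purely so that the walk can show both a hit and a miss without the real sample being present.

```python
import hashlib
import os
import tempfile

# Digests exactly as listed in the Characteristics table (MD5, SHA-1, SHA-256).
IOC_HASHES = frozenset({
    "a9a9f3c8c6e7b6c4f7a8f9d5a9d7f4e8",
    "c6b4b0c7e8f0a6c4b9a6d3c8e7f6b5c4a8f9d7e6",
    "bd569004e228546d4322dad710e781f42fc06032348471d17cfbcb6246533d46",
})


def hash_file(path, chunk_size=1 << 20):
    """Return {"md5": ..., "sha1": ..., "sha256": ...} for a file.

    All three hashers are fed from a single read loop so a large file is read
    from disk only once.
    """
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(path, iocs=IOC_HASHES):
    """Return the list of algorithms whose digest of `path` is in `iocs`."""
    wanted = {h.lower() for h in iocs}
    return [alg for alg, digest in hash_file(path).items() if digest in wanted]


def scan_tree(root, iocs=IOC_HASHES):
    """Walk `root` and return {path: [matched algorithms]} for every hit."""
    hits = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):  # skip dangling symlinks, sockets, etc.
                continue
            matched = match_iocs(path, iocs)
            if matched:
                hits[path] = matched
    return hits


def demo():
    """Constructed scenario: a throwaway directory with a benign text file and a
    harmless stand-in that reuses the sample's file name. The stand-in's SHA-256
    is added to a copy of the indicator set so the scan produces exactly one hit.
    Returns (root, benign_path, flagged_path, hits)."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    benign = os.path.join(root, "notes.txt")
    flagged = os.path.join(root, "GenFix v final.exe")  # the name alone proves nothing
    with open(benign, "wb") as fh:
        fh.write(b"hello")
    with open(flagged, "wb") as fh:
        fh.write(b"MZ constructed stand-in, not the real sample\n")
    iocs = set(IOC_HASHES)
    iocs.add(hash_file(flagged)["sha256"])
    return root, benign, flagged, scan_tree(root, iocs)


if __name__ == "__main__":
    root, _benign, _flagged, hits = demo()
    for path, algorithms in hits.items():
        print(f"IOC match on {path}: {', '.join(algorithms)}")
    print("real indicator set against the same tree:", scan_tree(root))
```

For a real sweep call `scan_tree("C:\\Users")` or the path under investigation with the default indicator set. Because the indicator set is matched against all three digests of every file, it also catches the case where only one of the three hashes is known for a given sample.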
This article was generated by Bing using web search results for the topic "genfixvfinal". The sources used are:
Hybrid Analysis: a104e7fe7e