File name: | KakaoTalk(PC_ver) Setup.exe |
---|---|
Full analysis: | https://app.any.run/tasks/b37ea77f-e000-4356-a70a-ffa851e97075 |
Verdict: | Malicious activity |
Analysis date: | October 20, 2020, 06:29:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | F59F4D5B85CC5EA411BD9B50DB763977 |
SHA1: | FCAABFC78DA962617585CE64DE270E1256BE1134 |
SHA256: | 1DCEA29C7359D85DC473F300137E7100D18B19486F6852C71274F89C3531DA40 |
SSDEEP: | 49152:zLn7IbQRDku7FPrHsbGdQD0LomCK9EI1yh+a46gzY:H7Vr7FPrHsq2D0smCK9EI1yh+ayY |
.exe | | | Win32 Executable (generic) (3.6) |
---|---|---|
.exe | | | Generic Win/DOS Executable (1.6) |
.exe | | | DOS Executable Generic (1.5) |
ProductVersion: | 1.1.0.1 |
---|---|
OriginalFileName: | utildown.exe |
InternalName: | utildown.exe |
FileVersion: | 1.1.0.1 |
FileDescription: | utildown |
CharacterSet: | Unicode |
LanguageCode: | Korean |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.1.0.1 |
FileVersionNumber: | 1.1.0.1 |
Subsystem: | Windows GUI |
SubsystemVersion: | 6 |
ImageVersion: | - |
OSVersion: | 6 |
EntryPoint: | 0x151398 |
UninitializedDataSize: | - |
InitializedDataSize: | 643072 |
CodeSize: | 1573376 |
LinkerVersion: | 14.24 |
PEType: | PE32 |
TimeStamp: | 2020:02:13 12:18:41+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 13-Feb-2020 11:18:41 |
Detected languages: | |
Debug artifacts: | |
FileDescription: | utildown |
FileVersion: | 1.1.0.1 |
InternalName: | utildown.exe |
OriginalFilename: | utildown.exe |
ProductVersion: | 1.1.0.1 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000118 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 13-Feb-2020 11:18:41 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00180051 | 0x00180200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.51897 |
.rdata | 0x00182000 | 0x000573DE | 0x00057400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.9879 |
.data | 0x001DA000 | 0x0000ACE0 | 0x00005E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.70041 |
.rsrc | 0x001E5000 | 0x0001CFCC | 0x0001D000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.1799 |
.reloc | 0x00202000 | 0x00022C64 | 0x00022E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.56478 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.10864 | 807 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 3.52594 | 1640 | Latin 1 / Western European | Korean - Korea | RT_ICON |
3 | 3.83129 | 744 | Latin 1 / Western European | Korean - Korea | RT_ICON |
4 | 3.14704 | 296 | Latin 1 / Western European | Korean - Korea | RT_ICON |
5 | 5.38089 | 3752 | Latin 1 / Western European | Korean - Korea | RT_ICON |
6 | 5.83809 | 2216 | Latin 1 / Western European | Korean - Korea | RT_ICON |
7 | 3.73454 | 114 | Latin 1 / Western European | Korean - Korea | RT_STRING |
8 | 4.90831 | 9640 | Latin 1 / Western European | Korean - Korea | RT_ICON |
9 | 5.26905 | 4264 | Latin 1 / Western European | Korean - Korea | RT_ICON |
10 | 5.03088 | 1128 | Latin 1 / Western European | Korean - Korea | RT_ICON |
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
IMM32.dll
KERNEL32.dll
MSIMG32.dll
NETAPI32.dll
OLEACC.dll
OLEAUT32.dll
SHELL32.dll
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2516 | "C:\Users\admin\AppData\Local\Temp\KakaoTalk(PC_ver) Setup.exe" | C:\Users\admin\AppData\Local\Temp\KakaoTalk(PC_ver) Setup.exe | — | explorer.exe |
User: admin, Integrity Level: MEDIUM, Description: utildown, Exit code: 3221226540, Version: 1.1.0.1 | | | | |
780 | "C:\Users\admin\AppData\Local\Temp\KakaoTalk(PC_ver) Setup.exe" | C:\Users\admin\AppData\Local\Temp\KakaoTalk(PC_ver) Setup.exe | | explorer.exe |
User: admin, Integrity Level: HIGH, Description: utildown, Version: 1.1.0.1 | | | | |
(PID) Process | Key | Name | Operation | Value |
---|---|---|---|---|
(780) KakaoTalk(PC_ver) Setup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 0 |
(780) KakaoTalk(PC_ver) Setup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 1 |
(780) KakaoTalk(PC_ver) Setup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | write | 0 |
(780) KakaoTalk(PC_ver) Setup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | write | (value omitted) |
(780) KakaoTalk(PC_ver) Setup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | write | |
(780) KakaoTalk(PC_ver) Setup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | write | Cookie: |
(780) KakaoTalk(PC_ver) Setup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | write | Visited: |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
780 | KakaoTalk(PC_ver) Setup.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\file_info[1].php | xml | A254239F36AB8755DDB8E9DB983861F1 | 4AB650386596D55D2BE99FA934165E93FBF8C6CBE6002842964DD9653D567832 |
780 | KakaoTalk(PC_ver) Setup.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\module[1].txt | text | 901FC129F1FFE25C114E2DFC49BA8733 | AF50CD8F96E7E15B9D7D23E789A651DA55C6045FF4F53F43DDF70CA6A33A74B9 |
780 | KakaoTalk(PC_ver) Setup.exe | C:\Users\admin\AppData\Local\Temp\autA638.tmp | xml | A254239F36AB8755DDB8E9DB983861F1 | 4AB650386596D55D2BE99FA934165E93FBF8C6CBE6002842964DD9653D567832 |
780 | KakaoTalk(PC_ver) Setup.exe | C:\Users\admin\AppData\Local\Temp\autA772.tmp | text | 901FC129F1FFE25C114E2DFC49BA8733 | AF50CD8F96E7E15B9D7D23E789A651DA55C6045FF4F53F43DDF70CA6A33A74B9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
780 | KakaoTalk(PC_ver) Setup.exe | GET | 200 | 13.124.78.43:80 | http://utildown.com/request_update/new_live.php?mac=12:a9:86:6c:77:de&pcode=1001 | KR | — | — | malicious |
780 | KakaoTalk(PC_ver) Setup.exe | GET | — | 114.108.129.22:80 | http://down.iconmania.co.kr/setup_icon006_silent.exe | KR | — | — | malicious |
780 | KakaoTalk(PC_ver) Setup.exe | GET | 200 | 13.124.78.43:80 | http://utildown.com/admin/setup/data/utildown/module.txt?mac=12:a9:86:6c:77:de&pcode=1001 | KR | text | 171 b | malicious |
780 | KakaoTalk(PC_ver) Setup.exe | GET | 200 | 13.124.78.43:80 | http://utildown.com/request_update/file_info.php?file_no=30074PA | KR | xml | 238 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
780 | KakaoTalk(PC_ver) Setup.exe | 114.108.129.22:80 | down.iconmania.co.kr | LG DACOM Corporation | KR | malicious |
780 | KakaoTalk(PC_ver) Setup.exe | 13.124.78.43:80 | utildown.com | Amazon.com, Inc. | KR | malicious |
Domain | IP | Reputation |
---|---|---|
utildown.com | | malicious |
dns.msftncsi.com | | shared |
down.iconmania.co.kr | | malicious |