Property | Value |
---|---|
Download | AppCheckSetup.exe |
Full analysis | https://app.any.run/tasks/ee0a2f29-72fb-4172-b148-c9de580ffaf0 |
Verdict | Malicious activity |
Analysis date | December 06, 2018, 13:54:11 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5 | 00C32ADC782782A72D1E9CA27A89D196 |
SHA1 | 165ED23F585EE8E9295F2DBE9209EA8346763288 |
SHA256 | 5F78824B8F9E563608DB75E58A6625B78FA145526F972F5CF6FB243F98B0E807 |
SSDEEP | 196608:VY4ticKDycjsWjhmF1Fnxx1cOqd/vnrBkVxt6RNvrZLl3xBx/2wKA3QFe:VvccyRu1F+vd/9kV6R3h3xX2/A3QFe |
Extension | Identified type (match %) |
---|---|
.exe | Win32 Executable MS Visual C++ (generic) (67.4) |
.dll | Win32 Dynamic Link Library (generic) (14.2) |
.exe | Win32 Executable (generic) (9.7) |
.exe | Generic Win/DOS Executable (4.3) |
.exe | DOS Executable Generic (4.3) |
Property | Value |
---|---|
ProductVersion | 2.5.18.6 |
ProductName | AppCheck |
LegalCopyright | © CheckMAL Inc. All rights reserved. |
FileDescription | AppCheck Installer |
CompanyName | CheckMAL Inc. |
CharacterSet | Unicode |
LanguageCode | English (U.S.) |
FileSubtype | - |
ObjectFileType | Executable application |
FileOS | Win32 |
FileFlags | (none) |
FileFlagsMask | 0x0000 |
ProductVersionNumber | 2.5.18.6 |
FileVersionNumber | 2.5.18.6 |
Subsystem | Windows GUI |
SubsystemVersion | 4 |
ImageVersion | 6 |
OSVersion | 4 |
EntryPoint | 0x3489 |
UninitializedDataSize | 2048 |
InitializedDataSize | 141824 |
CodeSize | 25600 |
LinkerVersion | 6 |
PEType | PE32 |
TimeStamp | 2017:08:01 02:33:59+02:00 |
MachineType | Intel 386 or later, and compatibles |
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 01-Aug-2017 00:33:59 |
Property | Value |
---|---|
Detected languages | |
CompanyName | CheckMAL Inc. |
FileDescription | AppCheck 설치 프로그램 |
LegalCopyright | © CheckMAL Inc. All rights reserved. |
ProductName | AppCheck |
ProductVersion | 2.5.18.6 |
DOS header field | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0090 |
Pages in file | 0x0003 |
Relocations | 0x0000 |
Size of header | 0x0004 |
Min extra paragraphs | 0x0000 |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x0000 |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header | 0x000000D8 |
PE header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 5 |
Time date stamp | 01-Aug-2017 00:33:59 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000063D1 | 0x00006400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.47945 |
.rdata | 0x00008000 | 0x0000138E | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.14383 |
.data | 0x0000A000 | 0x00020358 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.00074 |
.ndata | 0x0002B000 | 0x0002D000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00058000 | 0x00005DB8 | 0x00005E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.30144 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.2901 | 1072 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 0 | 4264 | UNKNOWN | English - United States | RT_ICON |
3 | 0 | 1128 | UNKNOWN | English - United States | RT_ICON |
102 | 2.71813 | 180 | UNKNOWN | English - United States | RT_DIALOG |
103 | 2.64816 | 48 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.68372 | 512 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG |
107 | 2.52183 | 160 | UNKNOWN | English - United States | RT_DIALOG |
111 | 2.89887 | 238 | UNKNOWN | English - United States | RT_DIALOG |
202 | 2.62197 | 160 | UNKNOWN | English - United States | RT_DIALOG |
Imported library |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3260 | "C:\Users\admin\AppData\Local\Temp\AppCheckSetup.exe" | C:\Users\admin\AppData\Local\Temp\AppCheckSetup.exe | — | explorer.exe | User: admin; Company: CheckMAL Inc.; Integrity Level: MEDIUM; Description: AppCheck Installer; Exit code: 3221226540 |
2476 | "C:\Users\admin\AppData\Local\Temp\AppCheckSetup.exe" | C:\Users\admin\AppData\Local\Temp\AppCheckSetup.exe | | explorer.exe | User: admin; Company: CheckMAL Inc.; Integrity Level: HIGH; Description: AppCheck Installer; Exit code: 0 |
3420 | "C:\Users\admin\AppData\Local\Temp\nsm787E.tmp\nsB2AA.tmp" "C:\Program Files\CheckMAL\AppCheck\AppCheck.exe" /Register | C:\Users\admin\AppData\Local\Temp\nsm787E.tmp\nsB2AA.tmp | — | AppCheckSetup.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
3996 | "C:\Program Files\CheckMAL\AppCheck\AppCheck.exe" /Register | C:\Program Files\CheckMAL\AppCheck\AppCheck.exe | | nsB2AA.tmp | User: admin; Company: CheckMAL Inc.; Integrity Level: HIGH; Description: AppCheck Anti-Ransomware; Exit code: 0; Version: 2.5.18.6 |
3524 | "C:\Users\admin\AppData\Local\Temp\nsm787E.tmp\nsB470.tmp" C:\Windows\system32\sc start appcheck | C:\Users\admin\AppData\Local\Temp\nsm787E.tmp\nsB470.tmp | — | AppCheckSetup.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
2344 | C:\Windows\system32\sc start appcheck | C:\Windows\system32\sc.exe | — | nsB470.tmp | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: A tool to aid in developing services for WindowsNT; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2460 | "C:\Program Files\CheckMAL\AppCheck\AppCheckS.exe" | C:\Program Files\CheckMAL\AppCheck\AppCheckS.exe | | services.exe | User: SYSTEM; Company: CheckMAL Inc.; Integrity Level: SYSTEM; Description: AppCheck Anti-Ransomware Service; Version: 2.5.18.6 |
3936 | "C:\Windows\explorer.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AppCheck\AppCheck Anti-Ransomware.lnk" | C:\Windows\explorer.exe | — | AppCheckSetup.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2788 | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3700 | "C:\Program Files\CheckMAL\AppCheck\AppCheck.exe" | C:\Program Files\CheckMAL\AppCheck\AppCheck.exe | | explorer.exe | User: admin; Company: CheckMAL Inc.; Integrity Level: MEDIUM; Description: AppCheck Anti-Ransomware; Version: 2.5.18.6 |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
2476 | AppCheckSetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\CheckMAL\AppCheck | write | | C:\Program Files\CheckMAL\AppCheck |
2476 | AppCheckSetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\CheckMAL\AppCheck | write | ProductVersion | 2.5.18.6 |
2476 | AppCheckSetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | AppCheck Tray | "C:\Program Files\CheckMAL\AppCheck\AppCheck.exe" /Tray |
2476 | AppCheckSetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8AE36751-D1AA-4021-A7D4-85909B56D610} | write | DisplayName | AppCheck Anti-Ransomware |
2476 | AppCheckSetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8AE36751-D1AA-4021-A7D4-85909B56D610} | write | DisplayVersion | 2.5.18.6 |
2476 | AppCheckSetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8AE36751-D1AA-4021-A7D4-85909B56D610} | write | DisplayIcon | C:\Program Files\CheckMAL\AppCheck\AppCheck.exe |
2476 | AppCheckSetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8AE36751-D1AA-4021-A7D4-85909B56D610} | write | Publisher | CheckMAL Inc. |
2476 | AppCheckSetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8AE36751-D1AA-4021-A7D4-85909B56D610} | write | UninstallString | C:\Program Files\CheckMAL\AppCheck\Uninstall.exe |
2476 | AppCheckSetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8AE36751-D1AA-4021-A7D4-85909B56D610} | write | HelpLink | https://www.checkmal.com/manual/uninstall/ |
2476 | AppCheckSetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8AE36751-D1AA-4021-A7D4-85909B56D610} | write | URLInfoAbout | https://www.checkmal.com/product/appcheck/ |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2476 | AppCheckSetup.exe | C:\ProgramData\CheckMAL\AppCheck\aida.db | — | — | — |
2476 | AppCheckSetup.exe | C:\Program Files\CheckMAL\AppCheck\AppCheckD.sys | executable | B31D78F82722B1C0A09D08BDD3FE2570 | 35CF864219803DB342B6622A976EA14986A360AC50B25908B31B3BB168952EB8 |
2476 | AppCheckSetup.exe | C:\Windows\system32\AppCheck32.dll | executable | E85DD7005A63238968AEF5D39D06B056 | C4EEB049E006AFE6F1C270ED5470D97429DDE36E9431DE528CFB5EBBA9700CAD |
2476 | AppCheckSetup.exe | C:\Program Files\CheckMAL\AppCheck\AppCheckS.exe | executable | 0FA5190DDB7448D6485238E94EEEE772 | 4DBE7CFC0E89FE4F47EF74A7492E6A888FF50949EDCF052372C752519D34441A |
2476 | AppCheckSetup.exe | C:\Program Files\CheckMAL\AppCheck\Policy.pol | text | 5FD35B5C8D2487169BA61CEEDAE22DE7 | 021AAD2296A2B7403C49DEE4D5B756DC44D203E0B5D82F4DAE3571E25658A2B4 |
2476 | AppCheckSetup.exe | C:\Program Files\CheckMAL\AppCheck\AppCheck.exe | executable | 43B3F418CB0D8F956078C650FACC6379 | 211217537AA6382A3DB2DFF915908D5721C2B70C1439DB975EC049997CBC8BD4 |
2476 | AppCheckSetup.exe | C:\Program Files\CheckMAL\AppCheck\AppCheckC.exe | executable | F5327543EED99AC21C22A811E1211407 | 1734EAE14BDF1FFBFD832C162ED9F92BDF85F02DABFBEBB4AFB24F704EF0467A |
2476 | AppCheckSetup.exe | C:\Program Files\CheckMAL\AppCheck\Aida.dll | executable | A918AD5270C5DEBABD2ED25E77DFA364 | 0D14608C5FB829B8FC611BCA981551E1A87B8FEC3C2C176FB3413E2208E60C67 |
2476 | AppCheckSetup.exe | C:\Users\admin\AppData\Local\Temp\nsm787E.tmp\System.dll | executable | 9625D5B1754BC4FF29281D415D27A0FD | C2F405D7402F815D0C3FADD9A50F0BBBB1BAB9AA38FE347823478A2587299448 |
2476 | AppCheckSetup.exe | C:\Program Files\CheckMAL\AppCheck\AppCheckB.exe | executable | 5C94FB998FB333EAB55133E9DF251318 | 6408EA3A1B11121FDEED395264A7EF13F8773D37CF61874936487E6094D46CE7 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2476 | AppCheckSetup.exe | 172.217.21.238:443 | www.google-analytics.com | Google Inc. | US | whitelisted |
2460 | AppCheckS.exe | 172.217.21.238:443 | www.google-analytics.com | Google Inc. | US | whitelisted |
2932 | AppCheckC.exe | 52.78.76.217:443 | www.checkmal.com | Amazon.com, Inc. | KR | suspicious |
3700 | AppCheck.exe | 52.78.76.217:443 | www.checkmal.com | Amazon.com, Inc. | KR | suspicious |
2460 | AppCheckS.exe | 52.78.76.217:443 | www.checkmal.com | Amazon.com, Inc. | KR | suspicious |
1416 | AppCheckC.exe | 52.78.76.217:443 | www.checkmal.com | Amazon.com, Inc. | KR | suspicious |
Domain | IP | Reputation |
---|---|---|
www.google-analytics.com | 172.217.21.238 | whitelisted |
www.checkmal.com | 52.78.76.217 | suspicious |
Process | Message |
---|---|
AppCheck.exe | [CLoggerEx::getLogConfiguration]RegOpenKeyEx failed. 2 |
AppCheck.exe | [CLoggerEx::getLogConfiguration]RegOpenKeyEx failed. 2 |
AppCheckS.exe | [CLoggerEx::getLogConfiguration]RegOpenKeyEx failed. 2 |
AppCheck.exe | [CLoggerEx::getLogConfiguration]RegOpenKeyEx failed. 2 |
AppCheck.exe | [CLoggerEx::getLogConfiguration]RegOpenKeyEx failed. 2 |
AppCheckC.exe | [CLoggerEx::getLogConfiguration]RegOpenKeyEx failed. 2 |
AppCheckC.exe | [CLoggerEx::getLogConfiguration]RegOpenKeyEx failed. 2 |
AppCheckC.exe | [CIPCServer::Finalize] Finalize |
AppCheckC.exe | [CLoggerEx::getLogConfiguration]RegOpenKeyEx failed. 2 |
AppCheckC.exe | [CLoggerEx::getLogConfiguration]RegOpenKeyEx failed. 2 |