File name:

6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin

Full analysis: https://app.any.run/tasks/c9642712-9f49-429d-8c59-7452b31e5a58
Verdict: Malicious activity
Analysis date: February 15, 2025, 21:25:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

734F697EDF78F56502E83058EA5A7C34

SHA1:

61B7540BAFA53BD1718E7D206CA6E40F9DB619A0

SHA256:

6C61D83C0FF514400E724693F2431A84970446E5C47894119650015F6A49AF25

SSDEEP:

393216:A7HCKJAHC5hB9fKpLCY52RM1X/6xF+ROM3fvEb/OoR5bQMdGZ:0HCKJAM02RM1XCncP8bWgbQZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)
    • Process drops legitimate windows executable

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)
    • Reads security settings of Internet Explorer

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)
      • KakaoTalk.exe (PID: 6424)
    • The process drops C-runtime libraries

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)
    • The process creates files with name similar to system file names

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)
  • INFO

    • Create files in a temporary directory

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)
    • Checks supported languages

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)
      • KakaoTalk.exe (PID: 6424)
    • Creates files in the program directory

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)
      • KakaoTalk.exe (PID: 6424)
    • The sample was compiled with English language support

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)
    • Reads the computer name

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)
      • KakaoTalk.exe (PID: 6424)
    • Creates files or folders in the user directory

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)
    • Process checks computer location settings

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)
    • Reads the machine GUID from the registry

      • KakaoTalk.exe (PID: 6424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:55:19+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3665
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
117
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

  • start
  • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe
  • kakaotalk.exe (no specs)
  • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (no specs)

Process information

PID:
6424
CMD:
"C:\Program Files (x86)\Kakao Talk\KakaoTalk.exe"
Path:
C:\Program Files (x86)\Kakao Talk\KakaoTalk.exe
Parent process:
6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe
User:
admin
Company:
KakaoTalk
Integrity Level:
HIGH
Description:
KakaoTalk
Version:
1.0.0.0
Modules
Images
c:\program files (x86)\kakao talk\kakaotalk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
6756
CMD:
"C:\Users\admin\AppData\Local\Temp\6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe"
Path:
C:\Users\admin\AppData\Local\Temp\6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
6900
CMD:
"C:\Users\admin\AppData\Local\Temp\6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe"
Path:
C:\Users\admin\AppData\Local\Temp\6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
2
Modules
Images
c:\users\admin\appdata\local\temp\6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
691
Read events
691
Write events
0
Delete events
0

Modification events

No data
Executable files
463
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID | Process | Filename | Type
6900 | 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe | C:\Program Files (x86)\Kakao Talk\DirectWriteForwarder.dll | executable
MD5:FE446E3D15228F8B6D20C7AA866180CB
SHA256:9F689DB29CC6E0A1FFA31CF5B4353B5FA0380AD705AE51A8B0DDDE6618E69076
6900 | 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe | C:\Program Files (x86)\Kakao Talk\HandyControl.dll | executable
MD5:4F42CF1EC81839AEB84E766144A36D61
SHA256:1BF139D69769FFB69287AF41080008D420DBAC79B225B97D3D93248358D896E3
6900 | 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe | C:\Program Files (x86)\Kakao Talk\KakaoTalk.dll | executable
MD5:447CCA14A7AFB0E29FDA47855AA253F0
SHA256:513238ECFD1A3F913EC53C99408399EF975A37D3B16AC87CAB3DA3F7AE47C6EF
6900 | 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe | C:\Program Files (x86)\Kakao Talk\D3DCompiler_47_cor3.dll | executable
MD5:A7349236212B0E5CEC2978F2CFA49A1A
SHA256:A05D04A270F68C8C6D6EA2D23BEBF8CD1D5453B26B5442FA54965F90F1C62082
6900 | 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe | C:\Program Files (x86)\Kakao Talk\Microsoft.VisualBasic.Core.dll | executable
MD5:D812BC2A25B80E147242E0F0090AA001
SHA256:E24CAA8AAFB4A6439EE1E3D41260A3658BB8B08E4C0461CEEB229E8555881DAD
6900 | 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe | C:\Program Files (x86)\Kakao Talk\Accessibility.dll | executable
MD5:65F313E3FF638ADFF4C82DDFFA5ED046
SHA256:EEFEC34261E620CB2C5DB701DB668C952FF11122D99D949CE16F160E4C06F7A9
6900 | 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe | C:\Program Files (x86)\Kakao Talk\Microsoft.DiaSymReader.Native.amd64.dll | executable
MD5:A71CD05C01F0FC603C0BD782516F806D
SHA256:7F8DCF37D9D66EAE14C48A79FA2FCD447BD0F38A21BE0203A9C4A89398AACF28
6900 | 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe | C:\Program Files (x86)\Kakao Talk\Microsoft.CSharp.dll | executable
MD5:30417AEFF67274C1993C577F71261E15
SHA256:A3074EC7A00E3159B78CD732466C2966457FEE4785BBE59BCE1EC4C6DF289572
6900 | 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe | C:\Program Files (x86)\Kakao Talk\Microsoft.VisualBasic.Forms.dll | executable
MD5:B42A1ACA45DE2064DFBA865FB159F56D
SHA256:D6F76E35FD67ECDEF3C9E8282D1FB7D123B31A3BB5ABDC59A6E96DACCDC9BADC
6900 | 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe | C:\Program Files (x86)\Kakao Talk\KakaoTalk.exe | executable
MD5:C0812D12700104DE21C3A2A365455AA8
SHA256:BC9B062D690DBF6CADF8AEC556E363271E125F5E71FE6D522213AEFFE854A617
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
32
DNS requests
17
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4652 | svchost.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4652 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1176 | svchost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted
5064 | SearchApp.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | | | whitelisted
3832 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | | | whitelisted
3832 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted
6996 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4652 | svchost.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4652 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4652 | svchost.exe | 2.16.110.121:443 | | Akamai International B.V. | DE | unknown
5064 | SearchApp.exe | 2.16.110.121:443 | | Akamai International B.V. | DE | unknown
1076 | svchost.exe | 23.213.166.81:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
1176 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1176 | svchost.exe | 23.54.109.203:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.169
  • 23.48.23.164
  • 23.48.23.167
  • 23.48.23.153
  • 23.48.23.155
  • 23.48.23.162
  • 23.48.23.157
  • 23.48.23.161
whitelisted
google.com
  • 216.58.206.46
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
login.live.com
  • 20.190.160.22
  • 20.190.160.132
  • 20.190.160.131
  • 40.126.32.68
  • 20.190.160.67
  • 20.190.160.14
  • 20.190.160.64
  • 40.126.32.74
whitelisted
ocsp.digicert.com
  • 23.54.109.203
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted

Threats

No threats detected
No debug info