File name:

6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin

Full analysis: https://app.any.run/tasks/c9642712-9f49-429d-8c59-7452b31e5a58
Verdict: Malicious activity
Analysis date: February 15, 2025, 21:25:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

734F697EDF78F56502E83058EA5A7C34

SHA1:

61B7540BAFA53BD1718E7D206CA6E40F9DB619A0

SHA256:

6C61D83C0FF514400E724693F2431A84970446E5C47894119650015F6A49AF25

SSDEEP:

393216:A7HCKJAHC5hB9fKpLCY52RM1X/6xF+ROM3fvEb/OoR5bQMdGZ:0HCKJAM02RM1XCncP8bWgbQZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)

    • Process drops legitimate windows executable

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)

    • The process drops C-runtime libraries

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)

    • Reads security settings of Internet Explorer

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)
      • KakaoTalk.exe (PID: 6424)

    • The process creates files with name similar to system file names

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)

  • INFO

    • Create files in a temporary directory

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)

    • Reads the computer name

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)
      • KakaoTalk.exe (PID: 6424)

    • Checks supported languages

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)
      • KakaoTalk.exe (PID: 6424)

    • Creates files in the program directory

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)
      • KakaoTalk.exe (PID: 6424)

    • The sample compiled with english language support

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)

    • Creates files or folders in the user directory

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)

    • Process checks computer location settings

      • 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe (PID: 6900)

    • Reads the machine GUID from the registry

      • KakaoTalk.exe (PID: 6424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:55:19+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3665
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe kakaotalk.exe no specs 6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6424"C:\Program Files (x86)\Kakao Talk\KakaoTalk.exe" C:\Program Files (x86)\Kakao Talk\KakaoTalk.exe6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe
User:
admin
Company:
KakaoTalk
Integrity Level:
HIGH
Description:
KakaoTalk
Version:
1.0.0.0
Modules
Images
c:\program files (x86)\kakao talk\kakaotalk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6756"C:\Users\admin\AppData\Local\Temp\6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe" C:\Users\admin\AppData\Local\Temp\6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
6900"C:\Users\admin\AppData\Local\Temp\6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe" C:\Users\admin\AppData\Local\Temp\6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
2
Modules
Images
c:\users\admin\appdata\local\temp\6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
691
Read events
691
Write events
0
Delete events
0

Modification events

No data
Executable files
463
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
69006c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exeC:\Program Files (x86)\Kakao Talk\Accessibility.dllexecutable
MD5:65F313E3FF638ADFF4C82DDFFA5ED046
SHA256:EEFEC34261E620CB2C5DB701DB668C952FF11122D99D949CE16F160E4C06F7A9
69006c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exeC:\Program Files (x86)\Kakao Talk\PenImc_cor3.dllexecutable
MD5:F1F6C137B948F4F8A59834E62C418E97
SHA256:DB04CF8EA04DFBB195A0811915B9232917902FD6573F8D39E74F57F0385A49F5
69006c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exeC:\Program Files (x86)\Kakao Talk\PresentationFramework-SystemData.dllexecutable
MD5:3800EABCA8FA78C6E4D222167A34A2DF
SHA256:32DF44539E932B8DD630DF3E9136068BAD34C1FBA706E2DFE830BDAFA05530FF
69006c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exeC:\Program Files (x86)\Kakao Talk\PresentationFramework-SystemCore.dllexecutable
MD5:7085B6A60D485E23E674F21A0F1FE839
SHA256:666DFB21A4C2C6F87CB2AADB6251400B380AB8B8C5174C18E445D58A8309132B
69006c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exeC:\Program Files (x86)\Kakao Talk\PresentationCore.dllexecutable
MD5:D892498E8668B00906E6C8A3411AD76B
SHA256:19003034ACD593C74BDE2996AD4D00BD9546D3D5BDD082A260E16C39320303C0
69006c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exeC:\Program Files (x86)\Kakao Talk\PresentationFramework-SystemDrawing.dllexecutable
MD5:14517BF1FC49DA9A097F9429852D4BEE
SHA256:1B29D4712C52770530F884B99FCA64F7531B6F828453340FF88A9404832B8967
69006c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exeC:\Program Files (x86)\Kakao Talk\D3DCompiler_47_cor3.dllexecutable
MD5:A7349236212B0E5CEC2978F2CFA49A1A
SHA256:A05D04A270F68C8C6D6EA2D23BEBF8CD1D5453B26B5442FA54965F90F1C62082
69006c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exeC:\Program Files (x86)\Kakao Talk\KakaoTalk.dllexecutable
MD5:447CCA14A7AFB0E29FDA47855AA253F0
SHA256:513238ECFD1A3F913EC53C99408399EF975A37D3B16AC87CAB3DA3F7AE47C6EF
69006c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exeC:\Program Files (x86)\Kakao Talk\KakaoTalk.exeexecutable
MD5:C0812D12700104DE21C3A2A365455AA8
SHA256:BC9B062D690DBF6CADF8AEC556E363271E125F5E71FE6D522213AEFFE854A617
69006c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin.exeC:\Program Files (x86)\Kakao Talk\Microsoft.VisualBasic.Core.dllexecutable
MD5:D812BC2A25B80E147242E0F0090AA001
SHA256:E24CAA8AAFB4A6439EE1E3D41260A3658BB8B08E4C0461CEEB229E8555881DAD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
32
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4652
svchost.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4652
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1176
svchost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3832
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
3832
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6996
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4652
svchost.exe
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4652
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2.16.110.121:443
Akamai International B.V.
DE
unknown
5064
SearchApp.exe
2.16.110.121:443
Akamai International B.V.
DE
unknown
1076
svchost.exe
23.213.166.81:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted
1176
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
23.54.109.203:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.169
  • 23.48.23.164
  • 23.48.23.167
  • 23.48.23.153
  • 23.48.23.155
  • 23.48.23.162
  • 23.48.23.157
  • 23.48.23.161
whitelisted
google.com
  • 216.58.206.46
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
login.live.com
  • 20.190.160.22
  • 20.190.160.132
  • 20.190.160.131
  • 40.126.32.68
  • 20.190.160.67
  • 20.190.160.14
  • 20.190.160.64
  • 40.126.32.74
whitelisted
ocsp.digicert.com
  • 23.54.109.203
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
6c61d83c0ff514400e724693f2431a84970446e5c47894119650015f6a49af25.bin