File name: WhaleSetupBeta.exe
Full analysis: https://app.any.run/tasks/14475e7e-7952-45c5-b444-2d0b32e2051c
Verdict: Malicious activity
Analysis date: December 26, 2023, 18:04:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5574DCD841A89FE208BCCFD1EBB9D1A8
SHA1: A91DA5E64B5E9A853D9A44DFA430C37898AD2A02
SHA256: E63DAE17F846C0D49FAB4F51C4A083E121C43B38B9179E52CB1DD95BA4AED574
SSDEEP: 98304:ZQe0s/qMUw3Onx+Yxx8GkwKeTxt7v3hyFvjF6aU2nE6JgWjlzj7unvArFiygVYhs:y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • wusvc.exe (PID: 2112)
    • Uses Task Scheduler to autorun other applications

      • wusvc.exe (PID: 2112)
    • Actions looks like stealing of personal data

      • whale.exe (PID: 3156)
    • Steals credentials from Web Browsers

      • whale.exe (PID: 3156)
  • SUSPICIOUS

    • Reads the Internet Settings

      • WhaleSetupBeta.exe (PID: 2408)
      • WhaleSetup.exe (PID: 492)
      • setup.exe (PID: 996)
      • whale.exe (PID: 3156)
    • Reads settings of System Certificates

      • WhaleSetup.exe (PID: 492)
      • setup.exe (PID: 996)
      • whale.exe (PID: 3156)
    • Checks Windows Trust Settings

      • setup.exe (PID: 996)
      • WhaleSetup.exe (PID: 492)
    • Reads security settings of Internet Explorer

      • setup.exe (PID: 996)
      • WhaleSetup.exe (PID: 492)
    • Reads Mozilla Firefox installation path

      • whale.exe (PID: 3156)
    • Reads Internet Explorer settings

      • WhaleSetup.exe (PID: 492)
    • Reads Microsoft Outlook installation path

      • WhaleSetup.exe (PID: 492)
  • INFO

    • Create files in a temporary directory

      • WhaleSetupBeta.exe (PID: 2408)
      • install1.exe (PID: 2592)
      • whale.exe (PID: 3156)
      • WhaleSetup.exe (PID: 492)
    • Reads the computer name

      • WhaleSetupBeta.exe (PID: 2408)
      • WhaleSetup.exe (PID: 492)
      • install1.exe (PID: 2592)
      • setup.exe (PID: 996)
      • setup.exe (PID: 2588)
      • wusvc.exe (PID: 2112)
      • whale.exe (PID: 3156)
      • whale.exe (PID: 604)
      • whale.exe (PID: 3188)
      • elevation_service.exe (PID: 3420)
      • whale.exe (PID: 1776)
      • chrmstp.exe (PID: 2896)
      • chrmstp.exe (PID: 2372)
      • whale.exe (PID: 2876)
      • whale.exe (PID: 2644)
      • whale.exe (PID: 3952)
      • whale.exe (PID: 2800)
    • Checks supported languages

      • WhaleSetupBeta.exe (PID: 2408)
      • WhaleSetup.exe (PID: 492)
      • install1.exe (PID: 2592)
      • setup.exe (PID: 996)
      • setup.exe (PID: 1384)
      • setup.exe (PID: 2588)
      • wusvc.exe (PID: 2112)
      • setup.exe (PID: 552)
      • whale.exe (PID: 2824)
      • whale.exe (PID: 3012)
      • whale.exe (PID: 3156)
      • whale.exe (PID: 604)
      • whale.exe (PID: 3352)
      • whale.exe (PID: 3204)
      • whale.exe (PID: 3292)
      • whale.exe (PID: 3636)
      • whale.exe (PID: 3356)
      • elevation_service.exe (PID: 3420)
      • whale.exe (PID: 3188)
      • whale.exe (PID: 3532)
      • whale.exe (PID: 1776)
      • whale.exe (PID: 1056)
      • whale.exe (PID: 2480)
      • whale.exe (PID: 956)
      • whale.exe (PID: 2096)
      • whale.exe (PID: 1792)
      • whale.exe (PID: 3432)
      • whale.exe (PID: 3924)
      • whale.exe (PID: 3488)
      • whale.exe (PID: 3824)
      • whale.exe (PID: 4068)
      • whale.exe (PID: 2072)
      • whale.exe (PID: 3552)
      • whale.exe (PID: 2568)
      • whale.exe (PID: 1956)
      • whale.exe (PID: 3988)
      • whale.exe (PID: 3616)
      • whale.exe (PID: 1808)
      • whale.exe (PID: 2888)
      • whale.exe (PID: 2692)
      • whale.exe (PID: 2060)
      • whale.exe (PID: 1192)
      • chrmstp.exe (PID: 2896)
      • chrmstp.exe (PID: 2376)
      • chrmstp.exe (PID: 2372)
      • chrmstp.exe (PID: 2724)
      • whale.exe (PID: 2940)
      • whale.exe (PID: 2564)
      • whale.exe (PID: 968)
      • whale.exe (PID: 3016)
      • whale.exe (PID: 2876)
      • whale.exe (PID: 1316)
      • whale.exe (PID: 1604)
      • whale.exe (PID: 532)
      • whale.exe (PID: 296)
      • whale.exe (PID: 1380)
      • whale.exe (PID: 2340)
      • whale.exe (PID: 1736)
      • whale.exe (PID: 2156)
      • whale.exe (PID: 1728)
      • whale.exe (PID: 3952)
      • whale.exe (PID: 2644)
      • whale.exe (PID: 2800)
      • whale.exe (PID: 2900)
    • Drops the executable file immediately after the start

      • WhaleSetupBeta.exe (PID: 2408)
      • install1.exe (PID: 2592)
      • setup.exe (PID: 996)
    • Checks proxy server information

      • WhaleSetup.exe (PID: 492)
      • setup.exe (PID: 996)
    • Creates files or folders in the user directory

      • WhaleSetup.exe (PID: 492)
      • setup.exe (PID: 2588)
      • setup.exe (PID: 996)
      • whale.exe (PID: 3156)
      • whale.exe (PID: 3188)
    • Reads the machine GUID from the registry

      • setup.exe (PID: 996)
      • setup.exe (PID: 2588)
      • whale.exe (PID: 3156)
      • elevation_service.exe (PID: 3420)
      • WhaleSetup.exe (PID: 492)
      • chrmstp.exe (PID: 2372)
      • whale.exe (PID: 2876)
      • whale.exe (PID: 2644)
      • whale.exe (PID: 3952)
      • whale.exe (PID: 2800)
    • Application launched itself

      • setup.exe (PID: 996)
      • setup.exe (PID: 2588)
      • whale.exe (PID: 3156)
      • chrmstp.exe (PID: 2896)
      • chrmstp.exe (PID: 2372)
    • Creates files in the program directory

      • setup.exe (PID: 996)
      • setup.exe (PID: 2588)
    • Reads the Internet Settings

      • explorer.exe (PID: 3028)
    • Process checks computer location settings

      • whale.exe (PID: 3156)
      • whale.exe (PID: 3636)
      • whale.exe (PID: 3356)
      • whale.exe (PID: 3532)
      • whale.exe (PID: 3352)
      • whale.exe (PID: 3292)
      • whale.exe (PID: 2156)
    • Executes as Windows Service

      • elevation_service.exe (PID: 3420)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (30.7)
.exe | UPX compressed Win32 Executable (30.1)
.exe | Win32 EXE Yoda's Crypter (29.5)
.exe | Win32 Executable (generic) (5)
.exe | Generic Win/DOS Executable (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:04:03 07:54:07+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 54784
InitializedDataSize: 2247680
UninitializedDataSize: -
EntryPoint: 0x253c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.2.0.0
ProductVersionNumber: 2.2.0.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Korean
CharacterSet: Unicode
CompanyName: Naver Corporation
FileDescription: Naver Whale Beta Installer
FileVersion: 2.2.0.0
InternalName: WhaleSetup.exe
LegalCopyright: Naver Corporation. All rights reserved.
OriginalFileName: WhaleSetup.exe
ProductName: Naver Whale Beta Installer
ProductVersion: 2.2.0.0
No data.
All screenshots are available in the full report
Total processes: 114
Monitored processes: 69
Malicious processes: 7
Suspicious processes: 1

Behavior graph

start whalesetupbeta.exe whalesetup.exe install1.exe no specs setup.exe setup.exe no specs setup.exe no specs setup.exe no specs wusvc.exe schtasks.exe no specs schtasks.exe no specs explorer.exe no specs explorer.exe no specs whale.exe no specs whale.exe whale.exe whale.exe no specs whale.exe whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs elevation_service.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs chrmstp.exe no specs whale.exe no specs whale.exe no specs chrmstp.exe no specs chrmstp.exe no specs chrmstp.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whale.exe no specs whalesetupbeta.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 296
CMD: "C:\Program Files\Naver\Naver Whale Beta\Application\3.18.154.13\whale.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5660 --field-trial-handle=1328,i,16741503011973261428,18068112652271907727,131072 /prefetch:8
Path: C:\Program Files\Naver\Naver Whale Beta\Application\3.18.154.13\whale.exe
Parent process: whale.exe
User: admin
Company: NAVER Corporation
Integrity Level: LOW
Description: Whale
Exit code: 0
Version: 3.18.154.13
Modules / Images:
c:\program files\naver\naver whale beta\application\3.18.154.13\whale.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\naver\naver whale beta\application\3.18.154.13\whale_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 492
CMD: "C:\Users\admin\AppData\Local\Temp\{392C3EDD-3456-45D4-9ECF-4E67D0745785}\WhaleSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\{392C3EDD-3456-45D4-9ECF-4E67D0745785}\WhaleSetup.exe
Parent process: WhaleSetupBeta.exe
User: admin
Company: Naver Corporation
Integrity Level: HIGH
Description: Naver Whale Beta Installer
Exit code: 3221225547
Version: 2.2.0.0
Modules / Images:
c:\users\admin\appdata\local\temp\{392c3edd-3456-45d4-9ecf-4e67d0745785}\whalesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 532
CMD: "C:\Program Files\Naver\Naver Whale Beta\Application\3.18.154.13\whale.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1328,i,16741503011973261428,18068112652271907727,131072 /prefetch:8
Path: C:\Program Files\Naver\Naver Whale Beta\Application\3.18.154.13\whale.exe
Parent process: whale.exe
User: admin
Company: NAVER Corporation
Integrity Level: LOW
Description: Whale
Exit code: 0
Version: 3.18.154.13
Modules / Images:
c:\program files\naver\naver whale beta\application\3.18.154.13\whale.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\naver\naver whale beta\application\3.18.154.13\whale_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 552
CMD: C:\Users\admin\AppData\Local\Temp\{3EC799E1-2EFE-42D9-BE94-B9E75CEB2B98}\CR_CE956.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://nelo2-col.navercorp.com:443/_store --annotation=channel=beta --annotation=clientid= --annotation=plat=Win32 --annotation=prod=Whale --annotation=ver=3.18.154.13 --initial-client-data=0x1ac,0x1b0,0x1b4,0x180,0x1b8,0x3b5468,0x3b5478,0x3b5484
Path: C:\Users\admin\AppData\Local\Temp\{3EC799E1-2EFE-42D9-BE94-B9E75CEB2B98}\CR_CE956.tmp\setup.exe
Parent process: setup.exe
User: admin
Company: NAVER Corporation
Integrity Level: HIGH
Description: Whale Browser Installer
Exit code: 0
Version: 3.18.154.13
Modules / Images:
c:\users\admin\appdata\local\temp\{3ec799e1-2efe-42d9-be94-b9e75ceb2b98}\cr_ce956.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shell32.dll
PID: 604
CMD: "C:\Program Files\Naver\Naver Whale Beta\Application\3.18.154.13\whale.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1304 --field-trial-handle=1328,i,16741503011973261428,18068112652271907727,131072 /prefetch:2
Path: C:\Program Files\Naver\Naver Whale Beta\Application\3.18.154.13\whale.exe
Parent process: whale.exe
User: admin
Company: NAVER Corporation
Integrity Level: LOW
Description: Whale
Exit code: 0
Version: 3.18.154.13
Modules / Images:
c:\program files\naver\naver whale beta\application\3.18.154.13\whale.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\naver\naver whale beta\application\3.18.154.13\whale_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 952
CMD: "C:\Windows\explorer.exe" C:\Users\admin\AppData\Local\Temp\{3EC799E1-2EFE-42D9-BE94-B9E75CEB2B98}\first_run.lnk
Path: C:\Windows\explorer.exe
Parent process: WhaleSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules / Images:
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 956
CMD: "C:\Program Files\Naver\Naver Whale Beta\Application\3.18.154.13\whale.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3056 --field-trial-handle=1328,i,16741503011973261428,18068112652271907727,131072 /prefetch:8
Path: C:\Program Files\Naver\Naver Whale Beta\Application\3.18.154.13\whale.exe
Parent process: whale.exe
User: admin
Company: NAVER Corporation
Integrity Level: LOW
Description: Whale
Exit code: 0
Version: 3.18.154.13
Modules / Images:
c:\program files\naver\naver whale beta\application\3.18.154.13\whale.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\naver\naver whale beta\application\3.18.154.13\whale_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 968
CMD: "C:\Program Files\Naver\Naver Whale Beta\Application\3.18.154.13\whale.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5648 --field-trial-handle=1328,i,16741503011973261428,18068112652271907727,131072 /prefetch:8
Path: C:\Program Files\Naver\Naver Whale Beta\Application\3.18.154.13\whale.exe
Parent process: whale.exe
User: admin
Company: NAVER Corporation
Integrity Level: LOW
Description: Whale
Exit code: 0
Version: 3.18.154.13
Modules / Images:
c:\program files\naver\naver whale beta\application\3.18.154.13\whale.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\naver\naver whale beta\application\3.18.154.13\whale_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 996
CMD: "C:\Users\admin\AppData\Local\Temp\{3EC799E1-2EFE-42D9-BE94-B9E75CEB2B98}\CR_CE956.tmp\setup.exe" --install-archive="C:\Users\admin\AppData\Local\Temp\{3EC799E1-2EFE-42D9-BE94-B9E75CEB2B98}\CR_CE956.tmp\WHALE.PACKED.7Z" --install --verbose-logging --chrome-beta
Path: C:\Users\admin\AppData\Local\Temp\{3EC799E1-2EFE-42D9-BE94-B9E75CEB2B98}\CR_CE956.tmp\setup.exe
Parent process: install1.exe
User: admin
Company: NAVER Corporation
Integrity Level: HIGH
Description: Whale Browser Installer
Exit code: 0
Version: 3.18.154.13
Modules / Images:
c:\users\admin\appdata\local\temp\{3ec799e1-2efe-42d9-be94-b9e75ceb2b98}\cr_ce956.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shell32.dll
PID: 1056
CMD: "C:\Program Files\Naver\Naver Whale Beta\Application\3.18.154.13\whale.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3768 --field-trial-handle=1328,i,16741503011973261428,18068112652271907727,131072 /prefetch:8
Path: C:\Program Files\Naver\Naver Whale Beta\Application\3.18.154.13\whale.exe
Parent process: whale.exe
User: admin
Company: NAVER Corporation
Integrity Level: LOW
Description: Whale
Exit code: 0
Version: 3.18.154.13
Modules / Images:
c:\program files\naver\naver whale beta\application\3.18.154.13\whale.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\naver\naver whale beta\application\3.18.154.13\whale_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events: 23 481
Read events: 23 317
Write events: 163
Delete events: 1

Modification events

(PID) Process: (2408) WhaleSetupBeta.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
(PID) Process: (2408) WhaleSetupBeta.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
(PID) Process: (2408) WhaleSetupBeta.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
(PID) Process: (2408) WhaleSetupBeta.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
(PID) Process: (492) WhaleSetup.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
(PID) Process: (492) WhaleSetup.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
(PID) Process: (492) WhaleSetup.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
(PID) Process: (492) WhaleSetup.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
(PID) Process: (492) WhaleSetup.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | Operation: write | Name: ProxyEnable | Value: 0
(PID) Process: (492) WhaleSetup.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | Operation: write | Name: SavedLegacySettings | Value: 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 14
Suspicious files: 232
Text files: 195
Unknown types: 0

Dropped files

PID: 492 | Process: WhaleSetup.exe | Filename: C:\Users\admin\AppData\Local\Temp\{3EC799E1-2EFE-42D9-BE94-B9E75CEB2B98}\install1.exe | Type:
MD5:
SHA256:
PID: 2408 | Process: WhaleSetupBeta.exe | Filename: C:\Users\admin\AppData\Local\Temp\{392C3EDD-3456-45D4-9ECF-4E67D0745785}\WhaleSetup.exe | Type: executable
MD5: 324BA828E3B49C6CE8BF54BA5BAB9106
SHA256: 655A2A9C99FC4735229CD19E18E29BBF8E50ADD4527973FEA97E6998596ED9BC
PID: 492 | Process: WhaleSetup.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | Type: compressed
MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
PID: 492 | Process: WhaleSetup.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C | Type: binary
MD5: EF2F2702D1289C9B0AB3C8E82275752A
SHA256: E771F618AE48876032FB099E8288855CC225D93036144D8A47B60917E866CC71
PID: 2592 | Process: install1.exe | Filename: C:\Users\admin\AppData\Local\Temp\{3EC799E1-2EFE-42D9-BE94-B9E75CEB2B98}\CR_CE956.tmp\WHALE.PACKED.7Z | Type:
MD5:
SHA256:
PID: 492 | Process: WhaleSetup.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\installer_wave[1].gif | Type: image
MD5: 849255A52C0A759FB768BAB0CE07BF3D
SHA256: 515B848F7C505C4F13135EFE2D1AFE3A5E8FABD0752015886836F6BFDC703108
PID: 492 | Process: WhaleSetup.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB | Type: binary
MD5: 73E06EBE06AAC81E44357C4B94A4164A
SHA256: 89D55C9D10683F235523EB3A2460287C14D5A0E1577801EF19462A22C95D50CA
PID: 492 | Process: WhaleSetup.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | Type: binary
MD5: 1C9A83AB9F171E9B1A0C7DAB0822D25E
SHA256: 1B04E28A5CC59E184A9A1E3641EBA78104BA647F3B6686C76BCB298D89B3088B
PID: 492 | Process: WhaleSetup.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_2543588302FC0B794CE8BD7EF1AD49CF | Type: binary
MD5: C2EFB0D4516836C17C22A6684607E37F
SHA256: 7BB68B0ED201D3660113C18E7A275A5D59EB93A2CF6EA773434CD9C5D1912858
PID: 492 | Process: WhaleSetup.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4344B8AF97AF3A423D9EE52899963CDE_D8F72C791F8434481C8D9FCC9921D88E | Type: binary
MD5: A7CC661732A52EE1F5E714FE4ECE6413
SHA256: 76583B654D4342D744D5EAA0834ADBEF9E0B348828D75AD874B78DAD2BA31A4F
HTTP(S) requests: 19
TCP/UDP connections: 60
DNS requests: 30
Threats: 0

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation

PID: 492 | Process: WhaleSetup.exe | Method: GET | HTTP Code: 200 | IP: 183.111.26.20:80 | URL: http://static.whale.naver.net/installer/installer_wave.gif | unknown | image | 687 Kb
PID: 492 | Process: WhaleSetup.exe | Method: GET | HTTP Code: 200 | IP: 183.111.26.20:80 | URL: http://static.whale.naver.net/installer/installer_logo.gif | unknown | image | 739 Kb
PID: - | Process: - | Method: GET | HTTP Code: 200 | IP: 184.24.77.174:80 | URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f1445f5c4ca66596 | unknown | compressed | 4.66 Kb
PID: 492 | Process: WhaleSetup.exe | Method: GET | HTTP Code: 200 | IP: 192.229.221.95:80 | URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D | unknown | binary | 471 b
PID: 492 | Process: WhaleSetup.exe | Method: GET | HTTP Code: 200 | IP: 183.111.26.20:80 | URL: http://static.whale.naver.net/installer/installer_logo_loop.gif | unknown | image | 240 Kb
PID: 492 | Process: WhaleSetup.exe | Method: GET | HTTP Code: 200 | IP: 192.229.221.95:80 | URL: http://status.geotrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW%2B2sabjf17QQUkFj%2FsJx1qFFUd7Ht8qNDFjiebMUCEA02%2Byf%2BSj%2FRAdV3sLhAsN0%3D | unknown | binary | 471 b
PID: 492 | Process: WhaleSetup.exe | Method: GET | HTTP Code: 200 | IP: 192.229.221.95:80 | URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEA8cICc7HjNCLWczgReJ3Vo%3D | unknown | binary | 471 b
PID: 492 | Process: WhaleSetup.exe | Method: GET | HTTP Code: 200 | IP: 192.229.221.95:80 | URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | binary | 471 b
PID: 492 | Process: WhaleSetup.exe | Method: GET | HTTP Code: 200 | IP: 192.229.221.95:80 | URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | binary | 727 b
PID: 492 | Process: WhaleSetup.exe | Method: GET | HTTP Code: 200 | IP: 192.229.221.95:80 | URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAtK5LLgwD2yudu8E5zOu4E%3D | unknown | binary | 727 b

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation

PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 1080 | Process: svchost.exe | IP: 224.0.0.252:5355 | Reputation: unknown
PID: 492 | Process: WhaleSetup.exe | IP: 183.111.26.20:80 | Domain: static.whale.naver.net | ASN: Korea Telecom | CN: KR | Reputation: unknown
PID: 492 | Process: WhaleSetup.exe | IP: 125.209.226.155:443 | Domain: beta-update.whale.naver.com | ASN: NAVER Cloud Corp. | CN: KR | Reputation: unknown
PID: 492 | Process: WhaleSetup.exe | IP: 184.24.77.174:80 | Domain: ctldl.windowsupdate.com | ASN: Akamai International B.V. | CN: DE | Reputation: unknown
PID: 492 | Process: WhaleSetup.exe | IP: 192.229.221.95:80 | Domain: ocsp.digicert.com | ASN: EDGECAST | CN: US | Reputation: whitelisted
PID: 492 | Process: WhaleSetup.exe | IP: 125.209.207.11:443 | Domain: installer-whale.pstatic.net | ASN: NAVER Cloud Corp. | CN: KR | Reputation: unknown
PID: 996 | Process: setup.exe | IP: 210.89.168.78:443 | Domain: wbs.naver.com | ASN: NAVER Cloud Corp. | CN: KR | Reputation: unknown
PID: 996 | Process: setup.exe | IP: 192.229.221.95:80 | Domain: ocsp.digicert.com | ASN: EDGECAST | CN: US | Reputation: whitelisted

DNS requests

Columns: Domain, IP, Reputation

static.whale.naver.net | 183.111.26.20, 211.47.29.87, 101.79.137.172 | unknown
beta-update.whale.naver.com | 125.209.226.155 | unknown
ctldl.windowsupdate.com | 184.24.77.174, 184.24.77.210, 93.184.221.240 | unknown
ocsp.digicert.com | 192.229.221.95 | unknown
status.geotrust.com | 192.229.221.95 | unknown
installer-whale.pstatic.net | 125.209.207.11, 125.209.207.38, 211.47.29.200 | unknown
wbs.naver.com | 210.89.168.78, 210.89.168.53 | unknown
nelo2-col.navercorp.com | 110.93.157.96 | unknown
event.whale.naver.com | - | unknown
service.whale.naver.com | 125.209.234.187 | unknown

Threats

No threats detected
Process | Message
whale.exe | [1226/180655.552:ERROR:crash_report_database_win.cc(614)] CreateDirectory C:\Users\admin\AppData\Local\Naver\Naver Whale Beta\User Data\Crashpad: The system cannot find the path specified. (0x3)