| File name: | DACEASY ACCOUNTING V9.10 NETWORK.7z |
| Full analysis: | https://app.any.run/tasks/79a6ba7b-3e5e-4b07-b058-7f3ada850ae4 |
| Verdict: | Malicious activity |
| Analysis date: | March 19, 2024, 19:07:44 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | 89E6C8AB394C5F7808D54A02CBD43681 |
| SHA1: | A076C1DBCA8C0C203E49CB7B7D7827421C5CBA9B |
| SHA256: | 148400546C0C007A56791CBB21D2986C6C7F4CF1C03C72E978CB3EBC52EA3546 |
| SSDEEP: | 98304:p8GW8blApj2YYeGdEua96EOLPktJizxArAGzdML5NQDxjd4TMc2Ccf3xvjWA0J0L:X/oQVMCQ5 |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3500)
- SETUP.EXE (PID: 2072)
- Setup.exe (PID: 2148)
- _INS5576._MP (PID: 1560)
SUSPICIOUS
Executable content was dropped or overwritten
- SETUP.EXE (PID: 2072)
- Setup.exe (PID: 2148)
- _INS5576._MP (PID: 1560)
Starts application with an unusual extension
- Setup.exe (PID: 2148)
Process drops legitimate windows executable
- _INS5576._MP (PID: 1560)
Creates file in the systems drive root
- _ISDel.exe (PID: 3068)
- W32mkde.exe (PID: 3520)
Creates a software uninstall entry
- _INS5576._MP (PID: 1560)
Reads the Windows owner or organization settings
- _INS5576._MP (PID: 1560)
Changes default file association
- WINWORD.EXE (PID: 2724)
Non-standard symbols in registry
- WINWORD.EXE (PID: 2724)
Application launched itself
- WINWORD.EXE (PID: 2724)
Creates/Modifies COM task schedule object
- WINWORD.EXE (PID: 2724)
Reads the Internet Settings
- HelpPane.exe (PID: 2396)
Reads Microsoft Outlook installation path
- HelpPane.exe (PID: 2396)
Reads Internet Explorer settings
- HelpPane.exe (PID: 2396)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3500)
Manual execution by a user
- SETUP.EXE (PID: 3180)
- SETUP.EXE (PID: 2072)
- wmpnscfg.exe (PID: 2564)
- DEA9.exe (PID: 2324)
Checks supported languages
- SETUP.EXE (PID: 2072)
- Setup.exe (PID: 2148)
- _INS5576._MP (PID: 1560)
- _ISDel.exe (PID: 3068)
- wmpnscfg.exe (PID: 2564)
- DEA9.exe (PID: 2324)
- W32mkde.exe (PID: 3520)
Create files in a temporary directory
- SETUP.EXE (PID: 2072)
- Setup.exe (PID: 2148)
- _INS5576._MP (PID: 1560)
Reads the computer name
- Setup.exe (PID: 2148)
- _INS5576._MP (PID: 1560)
- _ISDel.exe (PID: 3068)
- wmpnscfg.exe (PID: 2564)
- DEA9.exe (PID: 2324)
- W32mkde.exe (PID: 3520)
Reads Microsoft Office registry keys
- _INS5576._MP (PID: 1560)
Creates files in the program directory
- _INS5576._MP (PID: 1560)
The process uses the downloaded file
- WINWORD.EXE (PID: 2724)
Reads the machine GUID from the registry
- winhlp32.exe (PID: 1936)
- HelpPane.exe (PID: 2396)
Reads security settings of Internet Explorer
- HelpPane.exe (PID: 2396)
Creates files or folders in the user directory
- W32mkde.exe (PID: 3520)
Checks proxy server information
- HelpPane.exe (PID: 2396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .7z | | | 7-Zip compressed archive (v0.4) (57.1) |
|---|---|---|
| .7z | | | 7-Zip compressed archive (gen) (42.8) |
Total processes
59
Monitored processes
13
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1560 | C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP | C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP | Setup.exe | ||||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: InstallShield Engine Exit code: 0 Version: 5, 53, 168, 0 Modules
| |||||||||||||||
| 1936 | winhlp32.exe -x | C:\Windows\winhlp32.exe | — | DEA9.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Winhlp32 Stub Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2072 | "C:\Users\admin\Desktop\DACEASY ACCOUNTING V9.10 NETWORK\SETUP.EXE" | C:\Users\admin\Desktop\DACEASY ACCOUNTING V9.10 NETWORK\SETUP.EXE | explorer.exe | ||||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: PackageForTheWeb Stub Exit code: 0 Version: 2.02.001 Modules
| |||||||||||||||
| 2148 | "C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\Setup.exe" /SMS | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\Setup.exe | SETUP.EXE | ||||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: 32-bit Setup Launcher Exit code: 0 Version: 5, 52, 164, 0 Modules
| |||||||||||||||
| 2324 | "C:\DEA4\DEA9.exe" | C:\DEA4\DEA9.exe | — | explorer.exe | |||||||||||
User: admin Company: Sage Software, Inc. Integrity Level: MEDIUM Description: DacEasy Accounting Main entry point Exit code: 1073807364 Version: 9, 10, 0, 111 Modules
| |||||||||||||||
| 2396 | C:\Windows\helppane.exe -Embedding | C:\Windows\HelpPane.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Help and Support Exit code: 1073807364 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2564 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2592 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2724 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\DEA4\readme.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | _INS5576._MP | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3068 | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\_ISDEL.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\_ISDel.exe | — | Setup.exe | |||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: 32-bit InstallShield Deleter. Exit code: 0 Version: 5, 51, 138, 0 Modules
| |||||||||||||||
Total events
13 693
Read events
13 248
Write events
215
Delete events
230
Modification events
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\DACEASY ACCOUNTING V9.10 NETWORK.7z | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
43
Suspicious files
132
Text files
247
Unknown types
45
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\pftw1.pkg | — | |
MD5:— | SHA256:— | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\BtrvUtil.dll | executable | |
MD5:5764EA4FBD28D7C21D65D0AC4AB77BE4 | SHA256:27EC5CAEB4F30E120015A0322AD34ABF42396D82CFF51F008B1A6C09F970DFFB | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\os.dat | ini | |
MD5:478F65A0B922B6BA0A6CE99E1D15C336 | SHA256:BE2292517342DE82D50CEFBACB185E36558FCDFBF686692E7DF08A80331F9BEE | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\setup.lid | text | |
MD5:1B79748E93A541CC1590505B6C72828A | SHA256:708D29C649525882937031B3D73CC851B7B1BC30772EB4E0E2A71523908F2EB5 | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\_ISDel.exe | executable | |
MD5:51161BF79F25FF278912005078AD93D5 | SHA256:B5DC0FEB738A91CE3CFA982647FE2779787335C6C2C598D5B49818565D7C3E84 | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\_INST32I.EX_ | ??_ | |
MD5:6229A86A1D291C311DA49A7D69A49A1F | SHA256:B2FF4E8402A5160C491B1AC7EBA0073FBBE2220DCE107441461B250544EFF35A | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\vssver.scc | pic | |
MD5:C4887BFE4E8AF38737AE2ACB60CD9E11 | SHA256:B6C86012E8A8451FDDCC1D5B3EA997D28184DA90C988D7571EC453E60B4A2DD1 | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\setup.ins | ins | |
MD5:A32758D3D53596FFB21B7D9239D6A6BB | SHA256:843AD9961873725CC15FABED0DB0308E65F4126F49D59788B1E5C7975AEECA57 | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\_sys1.cab | compressed | |
MD5:2FB3D90352F7B59E2751261C56A50955 | SHA256:E529F44237D7D9043B449F5CA8F7D4E21063BB33A9552146822C011C62B64A1E | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\_sys1.hdr | compressed | |
MD5:F9C164699FAEF9D78696C0106CA6DC7B | SHA256:7315ADB03DEE4B515648E9F7D7811DF6FA64A0AD9EF7796F7FC7F65B25FF1AEB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |