| File name: | DACEASY ACCOUNTING V9.10 NETWORK.7z |
| Full analysis: | https://app.any.run/tasks/79a6ba7b-3e5e-4b07-b058-7f3ada850ae4 |
| Verdict: | Malicious activity |
| Analysis date: | March 19, 2024, 19:07:44 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | 89E6C8AB394C5F7808D54A02CBD43681 |
| SHA1: | A076C1DBCA8C0C203E49CB7B7D7827421C5CBA9B |
| SHA256: | 148400546C0C007A56791CBB21D2986C6C7F4CF1C03C72E978CB3EBC52EA3546 |
| SSDEEP: | 98304:p8GW8blApj2YYeGdEua96EOLPktJizxArAGzdML5NQDxjd4TMc2Ccf3xvjWA0J0L:X/oQVMCQ5 |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3500)
- SETUP.EXE (PID: 2072)
- Setup.exe (PID: 2148)
- _INS5576._MP (PID: 1560)
SUSPICIOUS
Executable content was dropped or overwritten
- SETUP.EXE (PID: 2072)
- Setup.exe (PID: 2148)
- _INS5576._MP (PID: 1560)
Starts application with an unusual extension
- Setup.exe (PID: 2148)
Creates file in the systems drive root
- _ISDel.exe (PID: 3068)
- W32mkde.exe (PID: 3520)
Reads the Windows owner or organization settings
- _INS5576._MP (PID: 1560)
Creates a software uninstall entry
- _INS5576._MP (PID: 1560)
Non-standard symbols in registry
- WINWORD.EXE (PID: 2724)
Application launched itself
- WINWORD.EXE (PID: 2724)
Changes default file association
- WINWORD.EXE (PID: 2724)
Creates/Modifies COM task schedule object
- WINWORD.EXE (PID: 2724)
Process drops legitimate windows executable
- _INS5576._MP (PID: 1560)
Reads Internet Explorer settings
- HelpPane.exe (PID: 2396)
Reads Microsoft Outlook installation path
- HelpPane.exe (PID: 2396)
Reads the Internet Settings
- HelpPane.exe (PID: 2396)
INFO
Manual execution by a user
- SETUP.EXE (PID: 3180)
- SETUP.EXE (PID: 2072)
- DEA9.exe (PID: 2324)
- wmpnscfg.exe (PID: 2564)
Checks supported languages
- SETUP.EXE (PID: 2072)
- Setup.exe (PID: 2148)
- _INS5576._MP (PID: 1560)
- _ISDel.exe (PID: 3068)
- wmpnscfg.exe (PID: 2564)
- W32mkde.exe (PID: 3520)
- DEA9.exe (PID: 2324)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3500)
Create files in a temporary directory
- SETUP.EXE (PID: 2072)
- Setup.exe (PID: 2148)
- _INS5576._MP (PID: 1560)
Reads the computer name
- Setup.exe (PID: 2148)
- _INS5576._MP (PID: 1560)
- _ISDel.exe (PID: 3068)
- wmpnscfg.exe (PID: 2564)
- W32mkde.exe (PID: 3520)
- DEA9.exe (PID: 2324)
Reads Microsoft Office registry keys
- _INS5576._MP (PID: 1560)
Creates files in the program directory
- _INS5576._MP (PID: 1560)
The process uses the downloaded file
- WINWORD.EXE (PID: 2724)
Reads the machine GUID from the registry
- winhlp32.exe (PID: 1936)
- HelpPane.exe (PID: 2396)
Reads security settings of Internet Explorer
- HelpPane.exe (PID: 2396)
Checks proxy server information
- HelpPane.exe (PID: 2396)
Creates files or folders in the user directory
- W32mkde.exe (PID: 3520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .7z | | | 7-Zip compressed archive (v0.4) (57.1) |
|---|---|---|
| .7z | | | 7-Zip compressed archive (gen) (42.8) |
Total processes
59
Monitored processes
13
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1560 | C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP | C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP | Setup.exe | ||||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: InstallShield Engine Exit code: 0 Version: 5, 53, 168, 0 Modules
| |||||||||||||||
| 1936 | winhlp32.exe -x | C:\Windows\winhlp32.exe | — | DEA9.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Winhlp32 Stub Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2072 | "C:\Users\admin\Desktop\DACEASY ACCOUNTING V9.10 NETWORK\SETUP.EXE" | C:\Users\admin\Desktop\DACEASY ACCOUNTING V9.10 NETWORK\SETUP.EXE | explorer.exe | ||||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: PackageForTheWeb Stub Exit code: 0 Version: 2.02.001 Modules
| |||||||||||||||
| 2148 | "C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\Setup.exe" /SMS | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\Setup.exe | SETUP.EXE | ||||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: 32-bit Setup Launcher Exit code: 0 Version: 5, 52, 164, 0 Modules
| |||||||||||||||
| 2324 | "C:\DEA4\DEA9.exe" | C:\DEA4\DEA9.exe | — | explorer.exe | |||||||||||
User: admin Company: Sage Software, Inc. Integrity Level: MEDIUM Description: DacEasy Accounting Main entry point Exit code: 1073807364 Version: 9, 10, 0, 111 Modules
| |||||||||||||||
| 2396 | C:\Windows\helppane.exe -Embedding | C:\Windows\HelpPane.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Help and Support Exit code: 1073807364 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2564 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2592 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2724 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\DEA4\readme.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | _INS5576._MP | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3068 | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\_ISDEL.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\_ISDel.exe | — | Setup.exe | |||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: 32-bit InstallShield Deleter. Exit code: 0 Version: 5, 51, 138, 0 Modules
| |||||||||||||||
Total events
13 693
Read events
13 248
Write events
215
Delete events
230
Modification events
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\DACEASY ACCOUNTING V9.10 NETWORK.7z | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
43
Suspicious files
132
Text files
247
Unknown types
45
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\pftw1.pkg | — | |
MD5:— | SHA256:— | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\data1.hdr | compressed | |
MD5:1DF1D3ECF294BEF2046290F285790E90 | SHA256:E119581926C9A81AC8BE0BCCE03348897EADEEA7C7DF5F6F00B12ECB2D5EDF0B | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\layout.bin | binary | |
MD5:E5C90BFB4F97DF9F53CD15906FA5AAAB | SHA256:80057F1977BAADDDE8F7115A1B96642EE09AA530DD96E69B2BD5E2F8BAF409FF | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\BtrvUtil.dll | executable | |
MD5:5764EA4FBD28D7C21D65D0AC4AB77BE4 | SHA256:27EC5CAEB4F30E120015A0322AD34ABF42396D82CFF51F008B1A6C09F970DFFB | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\DATA.TAG | text | |
MD5:9E245BF5CE2C3601FC9310411E333C47 | SHA256:D08EB514EE7261515FEC0EB667EE7AE78AAB570BE2AA17302F5A697F2C9A5B04 | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\data1.cab | compressed | |
MD5:1836C06B03D9E2708D8F9B1347951086 | SHA256:27A87CC938EABCCB9B87C21FD541896A138515334968D600E708A4EC59EE19F0 | |||
| 3500 | WinRAR.exe | C:\Users\admin\Desktop\DACEASY ACCOUNTING V9.10 NETWORK\SETUP.TXT | text | |
MD5:8FB32C7C656F6D54842D191CB9751490 | SHA256:A6219313CA44B416F4FF15E227ACBBC088B73C84DD97F0541542998FBE63DD39 | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\_INST32I.EX_ | ??_ | |
MD5:6229A86A1D291C311DA49A7D69A49A1F | SHA256:B2FF4E8402A5160C491B1AC7EBA0073FBBE2220DCE107441461B250544EFF35A | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\_ISDel.exe | executable | |
MD5:51161BF79F25FF278912005078AD93D5 | SHA256:B5DC0FEB738A91CE3CFA982647FE2779787335C6C2C598D5B49818565D7C3E84 | |||
| 2072 | SETUP.EXE | C:\Users\admin\AppData\Local\Temp\pftF529~tmp\Disk1\lang.dat | ini | |
MD5:70627BD56FE92A5C97027CBBD88BACD0 | SHA256:B67A09F3FE25B08025810BBB20B8FAE05672D0A723F2DBED84F04224A89E6344 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |