Malware analysis wace269i.exe Malicious activity | ANY.RUN

Add for printing

File name:	wace269i.exe
Full analysis:	https://app.any.run/tasks/73598e7c-fa5b-410d-854b-76aaaf041546
Verdict:	Malicious activity
Analysis date:	February 21, 2019, 20:04:21
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Petite compressed, ACE self-extracting archive
MD5:	49FE093F56238E8EA8B8D91A535922A6
SHA1:	DB3FEC36F196C4019220CEAF32C655C8F2251ADC
SHA256:	426B19F26C03DFC5DB649F980B77DFBDB0AED7623DD0451418CDCC6C535EB696
SSDEEP:	98304:WGeWprGvAIh6zPjNR6Vvp0+yhetHlfzLKyp+ap6snPIzTrfNfans8O:WMrih6juVhHEi+c6hNfan7O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - helpinst.exe (PID: 3320)
  - winace.exe (PID: 3792)
- Loads dropped or rewritten executable
  - winace.exe (PID: 3792)
SUSPICIOUS
- Creates files in the program directory
  - helpinst.exe (PID: 3320)
  - winace.exe (PID: 3792)
  - wace269i.exe (PID: 2300)
- Creates files in the user directory
  - helpinst.exe (PID: 3320)
- Creates a software uninstall entry
  - helpinst.exe (PID: 3320)
- Executable content was dropped or overwritten
  - wace269i.exe (PID: 2300)
- Checks supported languages
  - winace.exe (PID: 3792)
- Modifies the open verb of a shell class
  - winace.exe (PID: 3792)
- Creates COM task schedule object
  - winace.exe (PID: 3792)
INFO
- Dropped object may contain Bitcoin addresses
  - wace269i.exe (PID: 2300)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Petite compressed Win32 executable (82.5)
.dll	\|	Win32 Dynamic Link Library (generic) (7.5)
.exe	\|	Win32 Executable (generic) (5.2)
.exe	\|	Generic Win/DOS Executable (2.3)
.exe	\|	DOS Executable Generic (2.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1992:06:20 00:22:17+02:00
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	122368
InitializedDataSize:	98816
UninitializedDataSize:	-
EntryPoint:	0x6410b
OSVersion:	1
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2300

"C:\Users\admin\AppData\Local\Temp\wace269i.exe"

C:\Users\admin\AppData\Local\Temp\wace269i.exe

explorer.exe

User:

admin

Company:

e-merge GmbH

Integrity Level:

HIGH

Description:

http://www.winace.com

Exit code:

Version:

2.69.0.0

Modules

Images
c:\users\admin\appdata\local\temp\wace269i.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

3320

"C:\Program Files\WinAce\helpinst.exe"

C:\Program Files\WinAce\helpinst.exe

—

wace269i.exe

User:

admin

Company:

e-merge GmbH

Integrity Level:

HIGH

Description:

Installation Utitlity

Exit code:

Version:

2.6.5.0

Modules

Images
c:\program files\winace\helpinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll

3732

"C:\Users\admin\AppData\Local\Temp\wace269i.exe"

C:\Users\admin\AppData\Local\Temp\wace269i.exe

—

explorer.exe

User:

admin

Company:

e-merge GmbH

Integrity Level:

MEDIUM

Description:

http://www.winace.com

Exit code:

3221226540

Version:

2.69.0.0

Modules

Images
c:\users\admin\appdata\local\temp\wace269i.exe
c:\systemroot\system32\ntdll.dll

3792

"C:\Program Files\WinAce\winace.exe" pl

C:\Program Files\WinAce\winace.exe

wace269i.exe

User:

admin

Company:

e-merge GmbH

Integrity Level:

HIGH

Description:

WinAce Archiver v2.69

Exit code:

Version:

2.6.9.0

Modules

Images
c:\program files\winace\winace.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll

Add for printing

Total events

1 002

Read events

716

Write events

284

Delete events

Modification events


(PID) Process:	(3320) helpinst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinAce Archiver
Operation:	write	Name:	DisplayName
Value: WinAce Archiver
(PID) Process:	(3320) helpinst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinAce Archiver
Operation:	write	Name:	UninstallString
Value: "C:\Program Files\WinAce\SXUNINST.EXE" "C:\Program Files\WinAce\SXUNINST.INI"
(PID) Process:	(3320) helpinst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinAce Archiver
Operation:	write	Name:	DisplayIcon
Value: C:\Program Files\WinAce\SXUNINST.EXE
(PID) Process:	(3320) helpinst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinAce Archiver
Operation:	write	Name:	URLInfoAbout
Value: http://www.winace.com
(PID) Process:	(3320) helpinst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinAce Archiver
Operation:	write	Name:	URLUpdateInfo
Value: http://www.winace.com
(PID) Process:	(3320) helpinst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinAce Archiver
Operation:	write	Name:	HelpLink
Value: mailto:techsupport@winace.com
(PID) Process:	(3320) helpinst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinAce Archiver
Operation:	write	Name:	Publisher
Value: e-merge GmbH
(PID) Process:	(3320) helpinst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinAce Archiver
Operation:	write	Name:	DisplayVersion
Value: 2.69
(PID) Process:	(2300) wace269i.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(2300) wace269i.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2300	wace269i.exe	C:\Users\admin\AppData\Local\Temp\~SETUP.BMP		—
		MD5:—	SHA256:—
2300	wace269i.exe	C:\Program Files\WinAce\arcext.dll		executable
		MD5:C5BD154FA5C97EF71FCE6CD1871B3DC2	SHA256:E8F245D5FC09B383B8647DBA57A4F47AB42DA3A6BF7016862D6F8A9C7486A704
2300	wace269i.exe	C:\Program Files\WinAce\find.add		text
		MD5:84E64513B0459B90B2F09368B2A184BA	SHA256:AAD11A78B9CFB353515D3CB62E67B49702370F22DEFC751E12F3D289F83CA0CB
2300	wace269i.exe	C:\Program Files\WinAce\winace.cnt		text
		MD5:1C7083D804B17AB58776E21CF5CC6EC7	SHA256:64E01154793AB4B2CA06726BE268F31CF499F7A251B3332ED184E77B5B12396B
2300	wace269i.exe	C:\Program Files\WinAce\sxuninst.de		executable
		MD5:D7D82903A3C46A59D1F196991E4C1836	SHA256:4EE3A42C97B18B363DA2FBB4B9A70F6FD1FCAC735AC02DF8846D5754437C2327
2300	wace269i.exe	C:\Program Files\WinAce\arcicons.dll		executable
		MD5:6D0569AFF6C075D2F8D431A46525DDF0	SHA256:567B39861B9BF5B8046759EBA27A0D252538201EE85012E3241230542F11B854
2300	wace269i.exe	C:\Program Files\WinAce\winace_enu.cnt		text
		MD5:2A0277A92831DEEF214CCD364FC76510	SHA256:1287C9011FFA0EB78B4AB9E2673E3438FAB60E43F5C9F99AFF7176156FC6FA34
2300	wace269i.exe	C:\Program Files\WinAce\unrar3.dll		executable
		MD5:2C20ABCC7DA69AEA4E081D573366170F	SHA256:F0055CA904B9641F889C81CA72A485C92305363DFEF12EDC569CF2CA0E4BB0D0
2300	wace269i.exe	C:\Program Files\WinAce\sfxlib.dll		executable
		MD5:40785721FC9FEEAE3108F3A9F1F4B8E1	SHA256:7AFD42E83DB9100001A2792F8B435B4CAB806E9ECAAE48B1C3E8B0C4B5DF3976
2300	wace269i.exe	C:\Program Files\WinAce\cabinet.dll		executable
		MD5:3DA024785935AAC0E4610F711B97C207	SHA256:21F60D7068E84C64D082C937A14414AA3A7C4FD7CB05AEC44AB153078C8A79F4

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3792	winace.exe	GET	404	80.237.132.240:80	http://www.winace.com/bundle/advantage/spcfgen.txt	DE	xml	1.06 Kb	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3792	winace.exe	80.237.132.240:80	www.winace.com	PlusServer GmbH	DE	suspicious

DNS requests

Domain	IP	Reputation
www.winace.com	80.237.132.240	malicious

Threats

PID	Process	Class	Message
3792	winace.exe	Potential Corporate Privacy Violation	ET POLICY Suspicious Malformed Double Accept Header

Add for printing

No debug info

General Info

wace269i.exe

49FE093F56238E8EA8B8D91A535922A6

DB3FEC36F196C4019220CEAF32C655C8F2251ADC

426B19F26C03DFC5DB649F980B77DFBDB0AED7623DD0451418CDCC6C535EB696

98304:WGeWprGvAIh6zPjNR6Vvp0+yhetHlfzLKyp+ap6snPIzTrfNfans8O:WMrih6juVhHEi+c6hNfan7O

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

SUSPICIOUS

Creates files in the program directory

Creates files in the user directory

Creates a software uninstall entry

Executable content was dropped or overwritten

Checks supported languages

Modifies the open verb of a shell class

Creates COM task schedule object

INFO

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings