Field | Value
---|---
URL | http://webcompanion.com/nano_download.php?partner=PF170501
Full analysis | https://app.any.run/tasks/7ff2b410-e548-4fb3-957d-35e11b280087
Verdict | Malicious activity
Threats | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.
Analysis date | March 14, 2019, 22:38:33
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MD5 | 524B303316D5DB7C535F2E6150CC37C0
SHA1 | 5EC8B20F9CB07F274FCA9E4587258C386C26B768
SHA256 | 12E65867F0D539577B2BEE69592630D5DCB4ECF79DCF4E81D45E5B20466AADF9
SSDEEP | 3:N1KJAmgDKQiKqJLJlhsnVUn:COmg+tXJDq+

PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3480 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 1; Version: 8.00.7600.16385 (win7_rtm.090713-1255) | | |
3732 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3480 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) | | |
2744 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\nano_download[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\nano_download[1].exe | — | iexplore.exe
 | User: admin; Company: Lavasoft; Integrity Level: MEDIUM; Description: Web Companion Installer; Exit code: 3221226540; Version: 4.6.1966.3854 | | |
3528 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\nano_download[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\nano_download[1].exe | — | iexplore.exe
 | User: admin; Company: Lavasoft; Integrity Level: HIGH; Description: Web Companion Installer; Version: 4.6.1966.3854 | | |
3104 | .\WebCompanionInstaller.exe --partner=PF170501 --version=4.6.1966.3854 --prod | C:\Users\admin\AppData\Local\Temp\7zSEF24.tmp\WebCompanionInstaller.exe | — | nano_download[1].exe
 | User: admin; Company: Lavasoft; Integrity Level: HIGH; Description: Web Companion; Version: 4.6.1966.3854 | | |
2880 | C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe | C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe | — | services.exe
 | User: LOCAL SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: PresentationFontCache.exe; Version: 3.0.6920.4902 built by: NetFXw7 | | |
1004 | "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto | C:\Windows\system32\sc.exe | — | WebCompanionInstaller.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: A tool to aid in developing services for WindowsNT; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | |
3508 | "sc.exe" failure WCAssistantService reset= 30 actions= restart/60000 | C:\Windows\system32\sc.exe | — | WebCompanionInstaller.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: A tool to aid in developing services for WindowsNT; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | |
2068 | "sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service" | C:\Windows\system32\sc.exe | — | WebCompanionInstaller.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: A tool to aid in developing services for WindowsNT; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | |
3200 | "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone | C:\Windows\System32\cmd.exe | — | WebCompanionInstaller.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | |

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3480 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico | — | — | —
3480 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
3480 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFCD0D89914F9200E2.TMP | — | — | —
3480 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031420190315\index.dat | dat | D179E07DA1D991B173B852437CFA8ECF | 2D26ACF10CBB6C428A75DA62F42D681423B3D21672B624C43DA43944287E5DE1
3528 | nano_download[1].exe | C:\Users\admin\AppData\Local\Temp\7zSEF24.tmp\ICSharpCode.SharpZipLib.dll | executable | 1B42DB3C4A9039EBC3190335205247B5 | 59D23A14222F115CFF3184D4C498FF563398957910271F9E47C319573F7F2DCE
3480 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\nano_download[1].exe | executable | 12926E0ABBE4CE4B4B871BA752C86DB8 | B3D8E2F964F1D7335A03860A36C193480E700D3B6A2E2675BABD5AAFE8DE8742
3732 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\WcInstaller[1].exe | executable | 12926E0ABBE4CE4B4B871BA752C86DB8 | B3D8E2F964F1D7335A03860A36C193480E700D3B6A2E2675BABD5AAFE8DE8742
3480 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF4DDBBC22FC62A529.TMP | — | — | —
3480 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{EDCEA133-46A9-11E9-BEEC-5254004A04AF}.dat | — | — | —
3528 | nano_download[1].exe | C:\Users\admin\AppData\Local\Temp\7zSEF24.tmp\WebCompanionInstaller.exe | executable | A4AB7777A53E007E979DFEAD88CFF835 | 7A25424C95DF5E1A168F45A4042624576CF8137C97A4263751BE2A30B869CE40

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3104 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted |
3104 | WebCompanionInstaller.exe | GET | 200 | 104.17.177.102:80 | http://www.webcompanion.com/installer/consent_2?culture=en&hp=1&se=1 | US | html | 1.33 Kb | malicious |
3104 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted |
3104 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted |
3104 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted |
3104 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted |
3732 | iexplore.exe | GET | 200 | 104.17.177.102:80 | http://webcompanion.com/nano_download.php?partner=PF170501 | US | executable | 347 Kb | malicious |
3104 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.81:80 | http://wc-update-service.lavasoft.com/update.asmx | CA | xml | 1.43 Kb | whitelisted |
3104 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted |
3104 | WebCompanionInstaller.exe | GET | 200 | 104.17.60.19:80 | http://wcdownloadercdn.lavasoft.com/4.6.1966.3854/WebCompanion-4.6.1966.3854-prod.zip | US | compressed | 8.99 Mb | whitelisted |

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3480 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3104 | WebCompanionInstaller.exe | 72.55.154.82:80 | wc-tracking.lavasoft.com | iWeb Technologies Inc. | CA | unknown |
3104 | WebCompanionInstaller.exe | 205.185.208.52:80 | code.jquery.com | Highwinds Network Group, Inc. | US | unknown |
3732 | iexplore.exe | 104.17.177.102:80 | webcompanion.com | Cloudflare Inc | US | shared |
3104 | WebCompanionInstaller.exe | 104.17.177.102:80 | webcompanion.com | Cloudflare Inc | US | shared |
3104 | WebCompanionInstaller.exe | 72.55.154.81:80 | wc-tracking.lavasoft.com | iWeb Technologies Inc. | CA | unknown |
3340 | WebCompanion.exe | 104.17.177.102:80 | webcompanion.com | Cloudflare Inc | US | shared |
3104 | WebCompanionInstaller.exe | 104.17.60.19:80 | wcdownloadercdn.lavasoft.com | Cloudflare Inc | US | shared |
3340 | WebCompanion.exe | 104.17.178.102:80 | webcompanion.com | Cloudflare Inc | US | shared |
3340 | WebCompanion.exe | 72.55.154.81:80 | wc-tracking.lavasoft.com | iWeb Technologies Inc. | CA | unknown |

Domain | IP | Reputation
---|---|---
www.bing.com | | whitelisted
webcompanion.com | | malicious
wc-tracking.lavasoft.com | | whitelisted
www.webcompanion.com | | malicious
code.jquery.com | | whitelisted
wc-update-service.lavasoft.com | | whitelisted
wcdownloadercdn.lavasoft.com | | whitelisted
rt.webcompanion.com | | malicious
wc-partners.lavasoft.com | | whitelisted
sg-bitmask.adaware.com | | malicious

PID | Process | Class | Message
---|---|---|---
3732 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3732 | iexplore.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3104 | WebCompanionInstaller.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |

Process | Message
---|---
WebCompanionInstaller.exe | Detecting windows culture
WebCompanionInstaller.exe | 3/14/2019 10:38:56 PM :-> Starting installer 4.6.1966.3854 with: .\WebCompanionInstaller.exe --partner=PF170501 --version=4.6.1966.3854 --prod, Run as admin: True
WebCompanionInstaller.exe | Preparing for installing Web Companion
WebCompanionInstaller.exe | 3/14/2019 10:39:10 PM :-> Generating Machine and Install Id ...
WebCompanionInstaller.exe | 3/14/2019 10:39:10 PM :-> Machine Id and Install Id has been generated
WebCompanionInstaller.exe | 3/14/2019 10:39:11 PM :-> Checking prerequisites ...
WebCompanionInstaller.exe | 3/14/2019 10:39:11 PM :-> Antivirus not detected
WebCompanionInstaller.exe | 3/14/2019 10:39:11 PM :-> vm_check False
WebCompanionInstaller.exe | 3/14/2019 10:39:11 PM :-> reg_check :False
WebCompanionInstaller.exe | 3/14/2019 10:39:12 PM :-> Installed .Net framework is V40