analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://webcompanion.com/nano_download.php?partner=PF170501

Full analysis: https://app.any.run/tasks/7ff2b410-e548-4fb3-957d-35e11b280087
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 14, 2019, 22:38:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

524B303316D5DB7C535F2E6150CC37C0

SHA1:

5EC8B20F9CB07F274FCA9E4587258C386C26B768

SHA256:

12E65867F0D539577B2BEE69592630D5DCB4ECF79DCF4E81D45E5B20466AADF9

SSDEEP:

3:N1KJAmgDKQiKqJLJlhsnVUn:COmg+tXJDq+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • nano_download[1].exe (PID: 3528)
      • nano_download[1].exe (PID: 2744)
      • WebCompanionInstaller.exe (PID: 3104)
      • WebCompanion.exe (PID: 3340)
      • Lavasoft.WCAssistant.WinService.exe (PID: 2456)
      • Ad-Aware Web Companion.exe (PID: 2420)

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3732)

    • Loads dropped or rewritten executable

      • WebCompanionInstaller.exe (PID: 3104)
      • WebCompanion.exe (PID: 3340)
      • Lavasoft.WCAssistant.WinService.exe (PID: 2456)

    • Changes internet zones settings

      • WebCompanionInstaller.exe (PID: 3104)

    • Changes the autorun value in the registry

      • WebCompanion.exe (PID: 3340)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3732)
      • iexplore.exe (PID: 3480)
      • nano_download[1].exe (PID: 3528)
      • WebCompanionInstaller.exe (PID: 3104)

    • Reads Internet Cache Settings

      • WebCompanionInstaller.exe (PID: 3104)

    • Creates files in the user directory

      • WebCompanionInstaller.exe (PID: 3104)
      • WebCompanion.exe (PID: 3340)

    • Reads internet explorer settings

      • WebCompanionInstaller.exe (PID: 3104)

    • Creates files in the program directory

      • WebCompanionInstaller.exe (PID: 3104)
      • WebCompanion.exe (PID: 3340)
      • Lavasoft.WCAssistant.WinService.exe (PID: 2456)

    • Starts SC.EXE for service management

      • WebCompanionInstaller.exe (PID: 3104)

    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 3200)
      • cmd.exe (PID: 2360)

    • Creates a software uninstall entry

      • WebCompanionInstaller.exe (PID: 3104)

    • Starts CMD.EXE for commands execution

      • WebCompanionInstaller.exe (PID: 3104)
      • Lavasoft.WCAssistant.WinService.exe (PID: 2456)

    • Creates files in the Windows directory

      • Lavasoft.WCAssistant.WinService.exe (PID: 2456)

    • Removes files from Windows directory

      • Lavasoft.WCAssistant.WinService.exe (PID: 2456)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3480)

    • Changes internet zones settings

      • iexplore.exe (PID: 3480)

    • Creates files in the user directory

      • iexplore.exe (PID: 3732)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3732)
      • iexplore.exe (PID: 3480)

    • Dropped object may contain Bitcoin addresses

      • WebCompanionInstaller.exe (PID: 3104)
      • WebCompanion.exe (PID: 3340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
58
Monitored processes
18
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start iexplore.exe iexplore.exe nano_download[1].exe no specs nano_download[1].exe webcompanioninstaller.exe presentationfontcache.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs netsh.exe no specs webcompanion.exe lavasoft.wcassistant.winservice.exe cmd.exe no specs netsh.exe no specs csc.exe no specs cvtres.exe no specs ad-aware web companion.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3480"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3732"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3480 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2744"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\nano_download[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\nano_download[1].exeiexplore.exe
User:
admin
Company:
Lavasoft
Integrity Level:
MEDIUM
Description:
Web Companion Installer
Exit code:
3221226540
Version:
4.6.1966.3854
3528"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\nano_download[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\nano_download[1].exe
iexplore.exe
User:
admin
Company:
Lavasoft
Integrity Level:
HIGH
Description:
Web Companion Installer
Version:
4.6.1966.3854
3104.\WebCompanionInstaller.exe --partner=PF170501 --version=4.6.1966.3854 --prodC:\Users\admin\AppData\Local\Temp\7zSEF24.tmp\WebCompanionInstaller.exe
nano_download[1].exe
User:
admin
Company:
Lavasoft
Integrity Level:
HIGH
Description:
Web Companion
Version:
4.6.1966.3854
2880C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exeC:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exeservices.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
PresentationFontCache.exe
Version:
3.0.6920.4902 built by: NetFXw7
1004"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= autoC:\Windows\system32\sc.exeWebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3508"sc.exe" failure WCAssistantService reset= 30 actions= restart/60000C:\Windows\system32\sc.exeWebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2068"sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"C:\Windows\system32\sc.exeWebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3200"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=EveryoneC:\Windows\System32\cmd.exeWebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 396
Read events
1 142
Write events
0
Delete events
0

Modification events

No data
Executable files
76
Suspicious files
8
Text files
139
Unknown types
7

Dropped files

PID
Process
Filename
Type
3480iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico
MD5:
SHA256:
3480iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3480iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFCD0D89914F9200E2.TMP
MD5:
SHA256:
3480iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031420190315\index.datdat
MD5:D179E07DA1D991B173B852437CFA8ECF
SHA256:2D26ACF10CBB6C428A75DA62F42D681423B3D21672B624C43DA43944287E5DE1
3528nano_download[1].exeC:\Users\admin\AppData\Local\Temp\7zSEF24.tmp\ICSharpCode.SharpZipLib.dllexecutable
MD5:1B42DB3C4A9039EBC3190335205247B5
SHA256:59D23A14222F115CFF3184D4C498FF563398957910271F9E47C319573F7F2DCE
3480iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\nano_download[1].exeexecutable
MD5:12926E0ABBE4CE4B4B871BA752C86DB8
SHA256:B3D8E2F964F1D7335A03860A36C193480E700D3B6A2E2675BABD5AAFE8DE8742
3732iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\WcInstaller[1].exeexecutable
MD5:12926E0ABBE4CE4B4B871BA752C86DB8
SHA256:B3D8E2F964F1D7335A03860A36C193480E700D3B6A2E2675BABD5AAFE8DE8742
3480iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF4DDBBC22FC62A529.TMP
MD5:
SHA256:
3480iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{EDCEA133-46A9-11E9-BEEC-5254004A04AF}.dat
MD5:
SHA256:
3528nano_download[1].exeC:\Users\admin\AppData\Local\Temp\7zSEF24.tmp\WebCompanionInstaller.exeexecutable
MD5:A4AB7777A53E007E979DFEAD88CFF835
SHA256:7A25424C95DF5E1A168F45A4042624576CF8137C97A4263751BE2A30B869CE40
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
38
TCP/UDP connections
21
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3104
WebCompanionInstaller.exe
POST
200
72.55.154.82:80
http://wc-tracking.lavasoft.com/Install.asmx
CA
xml
294 b
whitelisted
3104
WebCompanionInstaller.exe
GET
200
104.17.177.102:80
http://www.webcompanion.com/installer/consent_2?culture=en&hp=1&se=1
US
html
1.33 Kb
malicious
3104
WebCompanionInstaller.exe
POST
200
72.55.154.82:80
http://wc-tracking.lavasoft.com/Install.asmx
CA
xml
294 b
whitelisted
3104
WebCompanionInstaller.exe
POST
200
72.55.154.82:80
http://wc-tracking.lavasoft.com/Install.asmx
CA
xml
294 b
whitelisted
3104
WebCompanionInstaller.exe
POST
200
72.55.154.82:80
http://wc-tracking.lavasoft.com/Install.asmx
CA
xml
294 b
whitelisted
3104
WebCompanionInstaller.exe
POST
200
72.55.154.82:80
http://wc-tracking.lavasoft.com/Install.asmx
CA
xml
294 b
whitelisted
3732
iexplore.exe
GET
200
104.17.177.102:80
http://webcompanion.com/nano_download.php?partner=PF170501
US
executable
347 Kb
malicious
3104
WebCompanionInstaller.exe
POST
200
72.55.154.81:80
http://wc-update-service.lavasoft.com/update.asmx
CA
xml
1.43 Kb
whitelisted
3104
WebCompanionInstaller.exe
POST
200
72.55.154.82:80
http://wc-tracking.lavasoft.com/Install.asmx
CA
xml
294 b
whitelisted
3104
WebCompanionInstaller.exe
GET
200
104.17.60.19:80
http://wcdownloadercdn.lavasoft.com/4.6.1966.3854/WebCompanion-4.6.1966.3854-prod.zip
US
compressed
8.99 Mb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3480
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3104
WebCompanionInstaller.exe
72.55.154.82:80
wc-tracking.lavasoft.com
iWeb Technologies Inc.
CA
unknown
3104
WebCompanionInstaller.exe
205.185.208.52:80
code.jquery.com
Highwinds Network Group, Inc.
US
unknown
3732
iexplore.exe
104.17.177.102:80
webcompanion.com
Cloudflare Inc
US
shared
3104
WebCompanionInstaller.exe
104.17.177.102:80
webcompanion.com
Cloudflare Inc
US
shared
3104
WebCompanionInstaller.exe
72.55.154.81:80
wc-tracking.lavasoft.com
iWeb Technologies Inc.
CA
unknown
3340
WebCompanion.exe
104.17.177.102:80
webcompanion.com
Cloudflare Inc
US
shared
3104
WebCompanionInstaller.exe
104.17.60.19:80
wcdownloadercdn.lavasoft.com
Cloudflare Inc
US
shared
3340
WebCompanion.exe
104.17.178.102:80
webcompanion.com
Cloudflare Inc
US
shared
3340
WebCompanion.exe
72.55.154.81:80
wc-tracking.lavasoft.com
iWeb Technologies Inc.
CA
unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
webcompanion.com
  • 104.17.177.102
  • 104.17.178.102
malicious
wc-tracking.lavasoft.com
  • 72.55.154.82
  • 72.55.154.81
whitelisted
www.webcompanion.com
  • 104.17.177.102
  • 104.17.178.102
malicious
code.jquery.com
  • 205.185.208.52
whitelisted
wc-update-service.lavasoft.com
  • 72.55.154.81
  • 72.55.154.82
whitelisted
wcdownloadercdn.lavasoft.com
  • 104.17.60.19
  • 104.17.61.19
whitelisted
rt.webcompanion.com
  • 104.17.178.102
  • 104.17.177.102
malicious
wc-partners.lavasoft.com
  • 72.55.154.81
  • 72.55.154.82
whitelisted
sg-bitmask.adaware.com
  • 104.16.235.79
  • 104.16.236.79
malicious

Threats

PID
Process
Class
Message
3732
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3732
iexplore.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3104
WebCompanionInstaller.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
Process
Message
WebCompanionInstaller.exe
Detecting windows culture
WebCompanionInstaller.exe
3/14/2019 10:38:56 PM :-> Starting installer 4.6.1966.3854 with: .\WebCompanionInstaller.exe --partner=PF170501 --version=4.6.1966.3854 --prod, Run as admin: True
WebCompanionInstaller.exe
Preparing for installing Web Companion
WebCompanionInstaller.exe
3/14/2019 10:39:10 PM :-> Generating Machine and Install Id ...
WebCompanionInstaller.exe
3/14/2019 10:39:10 PM :-> Machine Id and Install Id has been generated
WebCompanionInstaller.exe
3/14/2019 10:39:11 PM :-> Checking prerequisites ...
WebCompanionInstaller.exe
3/14/2019 10:39:11 PM :-> Antivirus not detected
WebCompanionInstaller.exe
3/14/2019 10:39:11 PM :-> vm_check False
WebCompanionInstaller.exe
3/14/2019 10:39:11 PM :-> reg_check :False
WebCompanionInstaller.exe
3/14/2019 10:39:12 PM :-> Installed .Net framework is V40
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://webcompanion.com/nano_download.php?partner=PF170501