File name:

WebCompanion.zip

Full analysis: https://app.any.run/tasks/0eda9756-8f98-469a-9c12-83f80d67ab2b
Verdict: Malicious activity
Analysis date: May 03, 2024, 20:02:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

01F1EEB6020DAA365B2F1FE3BB3F4A64

SHA1:

3CB6A713F1AD37800134661C84917BA09341858C

SHA256:

28369BCAB47935F93760DFF94117D5E38A2C846E6463DA2FB0E322BCB34A1C6D

SSDEEP:

98304:ew3aFCNzBGwq4vlfK1H+ZTNYq+4qmw6yn5AQ8Ju9nVr9/NmIiZxB8mh8t1Hx0w3c:jbV5fXv6cuMti5W+iYO7CDZ7e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • WebCompanion.exe (PID: 1812)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3988)

    • Actions looks like stealing of personal data

      • WebCompanion.exe (PID: 1812)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • WinRAR.exe (PID: 3988)

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3988)

    • Drops 7-zip archiver for unpacking

      • WinRAR.exe (PID: 3988)

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 3988)

    • Reads security settings of Internet Explorer

      • WebCompanion.exe (PID: 1812)

    • Checks Windows Trust Settings

      • WebCompanion.exe (PID: 1812)

    • Reads the Internet Settings

      • WebCompanion.exe (PID: 1812)

    • Reads settings of System Certificates

      • WebCompanion.exe (PID: 1812)

    • Searches for installed software

      • WebCompanion.exe (PID: 1812)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3988)

    • Checks supported languages

      • WebCompanion.exe (PID: 1812)
      • wmpnscfg.exe (PID: 1820)

    • Reads the computer name

      • WebCompanion.exe (PID: 1812)
      • wmpnscfg.exe (PID: 1820)

    • Manual execution by a user

      • explorer.exe (PID: 4040)
      • WebCompanion.exe (PID: 1812)
      • wmpnscfg.exe (PID: 1820)

    • Reads the machine GUID from the registry

      • WebCompanion.exe (PID: 1812)

    • Reads Environment values

      • WebCompanion.exe (PID: 1812)

    • Reads product name

      • WebCompanion.exe (PID: 1812)

    • Creates files in the program directory

      • WebCompanion.exe (PID: 1812)

    • Creates files or folders in the user directory

      • WebCompanion.exe (PID: 1812)

    • Reads the software policy settings

      • WebCompanion.exe (PID: 1812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:01:23 08:51:44
ZipCRC: 0xfcafb624
ZipCompressedSize: 214628
ZipUncompressedSize: 468184
ZipFileName: Application/7za.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe explorer.exe no specs webcompanion.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1812"C:\Users\admin\Desktop\Application\WebCompanion.exe" C:\Users\admin\Desktop\Application\WebCompanion.exe
explorer.exe
User:
admin
Company:
Lavasoft
Integrity Level:
MEDIUM
Description:
Web Companion
Exit code:
0
Version:
12.901.4.1003
Modules
Images
c:\users\admin\desktop\application\webcompanion.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1820"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3988"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\WebCompanion.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
4040"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
9 500
Read events
9 436
Write events
64
Delete events
0

Modification events

(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3988) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\WebCompanion.zip
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
122
Suspicious files
5
Text files
26
Unknown types
0

Dropped files

PID
Process
Filename
Type
3988WinRAR.exeC:\Users\admin\Documents\Application\7za.exeexecutable
MD5:E983C907A0C8AA4EA37CA2A7B3FB2AE5
SHA256:7E58A8A27177D6043ACE14A124EF352119958188B60B952DC86C443F3B95967C
3988WinRAR.exeC:\Users\admin\Documents\Application\FeatureComponent.dllexecutable
MD5:296EC9745C31BA135E6B6B25EB0F103A
SHA256:61A70774ACBB150536270936B7109FEF7556D73A5BA581798F5296B2BC5CC4F3
3988WinRAR.exeC:\Users\admin\Documents\Application\FeatureInstaller.exeexecutable
MD5:A699A383A1D49B212E768854C01CDEC0
SHA256:3CC25B184DCC2B0FF02058E475C9C034267F4B2D7722BDA2EBCC6AF52C18E0BD
3988WinRAR.exeC:\Users\admin\Documents\Application\BCUEngineS.dllexecutable
MD5:1D9954E5D7F2D70099670C1CD25E491B
SHA256:9BA1EA7828F227ED28FD3F7B60AF3D891E7BD155AD3F33909A5B1ADAC9E38CCC
3988WinRAR.exeC:\Users\admin\Documents\Application\acs17.dllexecutable
MD5:73DB319018F5685DD106461BF2817E67
SHA256:03E7B296EDBB84E83592CD3D357EDAE1EBC1528E2451DEAA47B527568AB79B90
3988WinRAR.exeC:\Users\admin\Documents\Application\DotNetZip.dllexecutable
MD5:5C3F1F6DB7BDBCB51BB0E47BB1AC465A
SHA256:0BB9B526FCD63697ABE43CBABC8E04455781A8782A6BEAF048105BD922638A42
3988WinRAR.exeC:\Users\admin\Documents\Application\Interop.SHDocVw.dllexecutable
MD5:58B254948402E1D45E875298D0E89CE7
SHA256:F38ADF34286A3682B0C854304F4FE4A0A2A7328002A2132B0669E8E8B475E3AD
3988WinRAR.exeC:\Users\admin\Documents\Application\Ionic.Zip.dllexecutable
MD5:F0FB6728C9D8C0A1A16ACC28552000F2
SHA256:690AF8F5E2B90DC00964EE389D7DB004C4531C0EDDE101E04CF9009EE2156006
3988WinRAR.exeC:\Users\admin\Documents\Application\Esent.Interop.dllexecutable
MD5:E2B41BE435AF7B34C3DB388A353DEB86
SHA256:6DDE8018B24BB528075A0D7CDDB8DEA6BF6DCF9F30805AE80220B85DB1C73F3A
3988WinRAR.exeC:\Users\admin\Documents\Application\FeatureMainComponent.exe.configxml
MD5:568B93BE462E5660BDB8E9CFAE715B4D
SHA256:CF8F505544E172B3A91138D2FA71A8B3CAA2B5296B500275AC50406D2B116593
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
7
DNS requests
3
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1812
WebCompanion.exe
GET
200
104.16.149.130:80
http://geo.lavasoft.com/
unknown
unknown
1812
WebCompanion.exe
GET
200
104.19.208.152:80
http://rt.webcompanion.com/notifications/download/rt/ActiveFeatures.zip
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
unknown
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
1812
WebCompanion.exe
104.16.149.130:80
geo.lavasoft.com
CLOUDFLARENET
unknown
1812
WebCompanion.exe
104.18.27.149:443
flwadw.com
CLOUDFLARENET
shared
1812
WebCompanion.exe
104.19.208.152:80
rt.webcompanion.com
CLOUDFLARENET
unknown

DNS requests

Domain
IP
Reputation
geo.lavasoft.com
  • 104.16.149.130
  • 104.16.148.130
unknown
flwadw.com
  • 104.18.27.149
  • 104.18.26.149
unknown
rt.webcompanion.com
  • 104.19.208.152
  • 104.19.159.224
unknown

Threats

PID
Process
Class
Message
1812
WebCompanion.exe
Potentially Bad Traffic
ET HUNTING Terse Request for Zip File (GET)
Process
Message
WebCompanion.exe
Native library pre-loader is trying to load native SQLite library "C:\Users\admin\Desktop\Application\x86\SQLite.Interop.dll"...
WebCompanion.exe
SQLite error (14): os_win.c:35993: (3) winOpen(C:\ProgramData\Lavasoft\Web Companion\Options\statistic.db) - The system cannot find the path specified.
WebCompanion.exe
SQLite error (14): os_win.c:35993: (3) winOpen(C:\ProgramData\Lavasoft\Web Companion\Options\statistic.db) - The system cannot find the path specified.
WebCompanion.exe
SQLite error (14): cannot open file at line 36002 of [018d317b12]
WebCompanion.exe
SQLite error (14): cannot open file at line 36002 of [018d317b12]
WebCompanion.exe
SQLite error (14): os_win.c:35993: (3) winOpen(C:\ProgramData\Lavasoft\Web Companion\Options\statistic.db) - The system cannot find the path specified.
WebCompanion.exe
SQLite error (14): os_win.c:35993: (3) winOpen(C:\ProgramData\Lavasoft\Web Companion\Options\statistic.db) - The system cannot find the path specified.
WebCompanion.exe
SQLite error (14): os_win.c:35993: (3) winOpen(C:\ProgramData\Lavasoft\Web Companion\Options\statistic.db) - The system cannot find the path specified.
WebCompanion.exe
SQLite error (14): os_win.c:35993: (3) winOpen(C:\ProgramData\Lavasoft\Web Companion\Options\statistic.db) - The system cannot find the path specified.
WebCompanion.exe
SQLite error (14): cannot open file at line 36002 of [018d317b12]
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WebCompanion.zip