File name:

WebCompanion.zip

Full analysis: https://app.any.run/tasks/0eda9756-8f98-469a-9c12-83f80d67ab2b
Verdict: Malicious activity
Analysis date: May 03, 2024, 20:02:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

01F1EEB6020DAA365B2F1FE3BB3F4A64

SHA1:

3CB6A713F1AD37800134661C84917BA09341858C

SHA256:

28369BCAB47935F93760DFF94117D5E38A2C846E6463DA2FB0E322BCB34A1C6D

SSDEEP:

98304:ew3aFCNzBGwq4vlfK1H+ZTNYq+4qmw6yn5AQ8Ju9nVr9/NmIiZxB8mh8t1Hx0w3c:jbV5fXv6cuMti5W+iYO7CDZ7e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • WebCompanion.exe (PID: 1812)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3988)

    • Actions looks like stealing of personal data

      • WebCompanion.exe (PID: 1812)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • WinRAR.exe (PID: 3988)

    • Drops 7-zip archiver for unpacking

      • WinRAR.exe (PID: 3988)

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3988)

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 3988)

    • Reads security settings of Internet Explorer

      • WebCompanion.exe (PID: 1812)

    • Checks Windows Trust Settings

      • WebCompanion.exe (PID: 1812)

    • Reads the Internet Settings

      • WebCompanion.exe (PID: 1812)

    • Searches for installed software

      • WebCompanion.exe (PID: 1812)

    • Reads settings of System Certificates

      • WebCompanion.exe (PID: 1812)

  • INFO

    • Checks supported languages

      • WebCompanion.exe (PID: 1812)
      • wmpnscfg.exe (PID: 1820)

    • Reads the computer name

      • WebCompanion.exe (PID: 1812)
      • wmpnscfg.exe (PID: 1820)

    • Manual execution by a user

      • WebCompanion.exe (PID: 1812)
      • explorer.exe (PID: 4040)
      • wmpnscfg.exe (PID: 1820)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3988)

    • Reads Environment values

      • WebCompanion.exe (PID: 1812)

    • Creates files in the program directory

      • WebCompanion.exe (PID: 1812)

    • Reads the machine GUID from the registry

      • WebCompanion.exe (PID: 1812)

    • Reads product name

      • WebCompanion.exe (PID: 1812)

    • Creates files or folders in the user directory

      • WebCompanion.exe (PID: 1812)

    • Reads the software policy settings

      • WebCompanion.exe (PID: 1812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:01:23 08:51:44
ZipCRC: 0xfcafb624
ZipCompressedSize: 214628
ZipUncompressedSize: 468184
ZipFileName: Application/7za.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe explorer.exe no specs webcompanion.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1812"C:\Users\admin\Desktop\Application\WebCompanion.exe" C:\Users\admin\Desktop\Application\WebCompanion.exe
explorer.exe
User:
admin
Company:
Lavasoft
Integrity Level:
MEDIUM
Description:
Web Companion
Exit code:
0
Version:
12.901.4.1003
Modules
Images
c:\users\admin\desktop\application\webcompanion.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1820"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3988"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\WebCompanion.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
4040"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
9 500
Read events
9 436
Write events
64
Delete events
0

Modification events

(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3988) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\WebCompanion.zip
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
122
Suspicious files
5
Text files
26
Unknown types
0

Dropped files

PID
Process
Filename
Type
3988WinRAR.exeC:\Users\admin\Documents\Application\BCUSDK.dllexecutable
MD5:FA15F099EB5FB7D8583E1EB661F49F0C
SHA256:4A907EB09E158E463CADC730D90A4B935CCC2EF9882E214AF70EAA16E70B7462
3988WinRAR.exeC:\Users\admin\Documents\Application\7za.exeexecutable
MD5:E983C907A0C8AA4EA37CA2A7B3FB2AE5
SHA256:7E58A8A27177D6043ACE14A124EF352119958188B60B952DC86C443F3B95967C
3988WinRAR.exeC:\Users\admin\Documents\Application\acs17.dllexecutable
MD5:73DB319018F5685DD106461BF2817E67
SHA256:03E7B296EDBB84E83592CD3D357EDAE1EBC1528E2451DEAA47B527568AB79B90
3988WinRAR.exeC:\Users\admin\Documents\Application\ICSharpCode.SharpZipLib.dllexecutable
MD5:31B456EE6302EAC0F8449FFBE8BD3C1B
SHA256:7CBAD3A0B469191B24F1D4A38A53D9219AB40C26B4E427123C813553AE8E2CE2
3988WinRAR.exeC:\Users\admin\Documents\Application\Interop.Shell32.dllexecutable
MD5:54135E873E96BA8D5D343FC35F982149
SHA256:487243140EE8D198E7AF4014A583A755FFCE2F79348FF25DE1BA1835C1F15722
3988WinRAR.exeC:\Users\admin\Documents\Application\FeatureInstaller.exe.configxml
MD5:64B56E0401F35D30E7E33D3FE11DB9EA
SHA256:77348A27DB6505DCC962A97A60C8AFC4F3BBAA4D1C485616407700F6BA901379
3988WinRAR.exeC:\Users\admin\Documents\Application\FeatureMainComponent.exeexecutable
MD5:8E044D6A7084787FF406BB24AFA4B4CE
SHA256:B763FBC810928EF7BFCE70B08C3A12F1DE8703AF57C03F0F61E595F994C232C0
3988WinRAR.exeC:\Users\admin\Documents\Application\FeatureMainComponent.exe.configxml
MD5:568B93BE462E5660BDB8E9CFAE715B4D
SHA256:CF8F505544E172B3A91138D2FA71A8B3CAA2B5296B500275AC50406D2B116593
3988WinRAR.exeC:\Users\admin\Documents\Application\Lavasoft.CSharp.Utilities.dllexecutable
MD5:D57FDADDE634BD748C8175CA12E2FC58
SHA256:3E6F08C620E478B82D6252BB01D4E1DCAF2B895E415EC366350E2DDE3E121BE7
3988WinRAR.exeC:\Users\admin\Documents\Application\Interop.WUApiLib.dllexecutable
MD5:2539FD34B5A499536036C69FD87254F7
SHA256:3C55D786BCBDFB8AC3DB8DF464E719D3F0603BF454F46B6E3C8722AC12020C99
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
7
DNS requests
3
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1812
WebCompanion.exe
GET
200
104.16.149.130:80
http://geo.lavasoft.com/
unknown
unknown
1812
WebCompanion.exe
GET
200
104.19.208.152:80
http://rt.webcompanion.com/notifications/download/rt/ActiveFeatures.zip
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
unknown
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
1812
WebCompanion.exe
104.16.149.130:80
geo.lavasoft.com
CLOUDFLARENET
unknown
1812
WebCompanion.exe
104.18.27.149:443
flwadw.com
CLOUDFLARENET
shared
1812
WebCompanion.exe
104.19.208.152:80
rt.webcompanion.com
CLOUDFLARENET
unknown

DNS requests

Domain
IP
Reputation
geo.lavasoft.com
  • 104.16.149.130
  • 104.16.148.130
unknown
flwadw.com
  • 104.18.27.149
  • 104.18.26.149
unknown
rt.webcompanion.com
  • 104.19.208.152
  • 104.19.159.224
unknown

Threats

PID
Process
Class
Message
1812
WebCompanion.exe
Potentially Bad Traffic
ET HUNTING Terse Request for Zip File (GET)
Process
Message
WebCompanion.exe
Native library pre-loader is trying to load native SQLite library "C:\Users\admin\Desktop\Application\x86\SQLite.Interop.dll"...
WebCompanion.exe
SQLite error (14): os_win.c:35993: (3) winOpen(C:\ProgramData\Lavasoft\Web Companion\Options\statistic.db) - The system cannot find the path specified.
WebCompanion.exe
SQLite error (14): os_win.c:35993: (3) winOpen(C:\ProgramData\Lavasoft\Web Companion\Options\statistic.db) - The system cannot find the path specified.
WebCompanion.exe
SQLite error (14): cannot open file at line 36002 of [018d317b12]
WebCompanion.exe
SQLite error (14): cannot open file at line 36002 of [018d317b12]
WebCompanion.exe
SQLite error (14): os_win.c:35993: (3) winOpen(C:\ProgramData\Lavasoft\Web Companion\Options\statistic.db) - The system cannot find the path specified.
WebCompanion.exe
SQLite error (14): os_win.c:35993: (3) winOpen(C:\ProgramData\Lavasoft\Web Companion\Options\statistic.db) - The system cannot find the path specified.
WebCompanion.exe
SQLite error (14): os_win.c:35993: (3) winOpen(C:\ProgramData\Lavasoft\Web Companion\Options\statistic.db) - The system cannot find the path specified.
WebCompanion.exe
SQLite error (14): os_win.c:35993: (3) winOpen(C:\ProgramData\Lavasoft\Web Companion\Options\statistic.db) - The system cannot find the path specified.
WebCompanion.exe
SQLite error (14): cannot open file at line 36002 of [018d317b12]
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WebCompanion.zip