File name: WcInstaller.exe
Full analysis: https://app.any.run/tasks/2179dd8e-8ca7-4fe6-a267-6dacaf578b90
Verdict: Malicious activity
Analysis date: July 20, 2018, 12:10:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 201E1912AB74F06F2EC3C09AE4BFCB00
SHA1: DEEBD168B598C633FB7510FD2D3023D18A30D484
SHA256: 2A3110E7E158344192BA7FABF3809289A5B3511ADE60D5F4ACD0DC75C11970E0
SSDEEP: 6144:31OgDPdkBAFZWjadD4sKGoa2YyGCmMSLKXo7OcehCC/6kPYAHr2TF0G:31OgLdalz5oeIZkH4F0G
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • WebCompanionInstaller.exe (PID: 3268)
      • WebCompanion.exe (PID: 1228)
    • Application was dropped or rewritten from another process

      • WebCompanionInstaller.exe (PID: 3268)
      • WebCompanion.exe (PID: 1228)
    • Changes settings of System certificates

      • WebCompanionInstaller.exe (PID: 3268)
    • Changes internet zones settings

      • WebCompanionInstaller.exe (PID: 3268)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • WebCompanionInstaller.exe (PID: 3268)
    • Executable content was dropped or overwritten

      • WcInstaller.exe (PID: 3636)
      • WebCompanionInstaller.exe (PID: 3268)
    • Reads internet explorer settings

      • WebCompanionInstaller.exe (PID: 3268)
    • Creates files in the user directory

      • WebCompanionInstaller.exe (PID: 3268)
    • Adds / modifies Windows certificates

      • WebCompanionInstaller.exe (PID: 3268)
    • Creates files in the program directory

      • WebCompanionInstaller.exe (PID: 3268)
      • WebCompanion.exe (PID: 1228)
    • Creates a software uninstall entry

      • WebCompanionInstaller.exe (PID: 3268)
    • Starts SC.EXE for service management

      • WebCompanionInstaller.exe (PID: 3268)
    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 3364)
    • Starts CMD.EXE for commands execution

      • WebCompanionInstaller.exe (PID: 3268)
  • INFO

    • Reads settings of System Certificates

      • WebCompanionInstaller.exe (PID: 3268)
    • Dropped object may contain Bitcoin addresses

      • WebCompanionInstaller.exe (PID: 3268)
    • Dropped object may contain URL's

      • WcInstaller.exe (PID: 3636)
      • WebCompanion.exe (PID: 1228)
      • WebCompanionInstaller.exe (PID: 3268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:11:18 17:27:35+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 104960
InitializedDataSize: 58880
UninitializedDataSize: -
EntryPoint: 0x14b04
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.2.1846.3481
ProductVersionNumber: 4.2.1846.3481
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 4.2.1846.3481
ProductVersion: 4.2.1846.3481
CompanyName: Lavasoft
FileDescription: Web Companion Installer
InternalName: Installer.exe
LegalCopyright: © Lavasoft Limited. All Rights Reserved.
OriginalFileName: Installer.exe
ProductName: Web Companion Installer
All screenshots are available in the full report
Total processes: 48
Monitored processes: 9
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process tree (parent relationships taken from the process table below; "drop and start" marks a child whose image was written by its parent):

explorer.exe
  WcInstaller.exe (PID 1460, medium integrity)
  WcInstaller.exe (PID 3636, high integrity)
    WebCompanionInstaller.exe (PID 3268)  [drop and start]
      sc.exe (PID 2820)  create WCAssistantService
      sc.exe (PID 2072)  failure actions for WCAssistantService
      sc.exe (PID 3020)  description for WCAssistantService
      cmd.exe (PID 3364)
        netsh.exe (PID 3392)  http add urlacl
      WebCompanion.exe (PID 1228)  [drop and start]

Process information

PID 1228
CMD: "C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe" --install --geo=
Path: C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe
Parent process: WebCompanionInstaller.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion
Exit code: 0
Version: 4.2.1846.3481
Modules (images):
c:\program files\lavasoft\web companion\application\webcompanion.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

PID 1460
CMD: "C:\Users\admin\AppData\Local\Temp\WcInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WcInstaller.exe
Parent process: explorer.exe
User: admin
Company: Lavasoft
Integrity Level: MEDIUM
Description: Web Companion Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity launch failed the elevation check and did no work; the installation runs from the high-integrity instance, PID 3636)
Version: 4.2.1846.3481

PID 2072
CMD: "sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
Path: C:\Windows\system32\sc.exe
Parent process: WebCompanionInstaller.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll

PID 2820
CMD: "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
Path: C:\Windows\system32\sc.exe
Parent process: WebCompanionInstaller.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll

PID 3020
CMD: "sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
Path: C:\Windows\system32\sc.exe
Parent process: WebCompanionInstaller.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll

PID 3268
CMD: .\WebCompanionInstaller.exe --partner=KL150601 --campaign=1400 --version=4.2.1846.3481 --prod
Path: C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\WebCompanionInstaller.exe
Parent process: WcInstaller.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion
Exit code: 0
Version: 4.2.1846.3481
Modules (images):
c:\users\admin\appdata\local\temp\7zsa46c.tmp\webcompanioninstaller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

PID 3364
CMD: "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
Path: C:\Windows\System32\cmd.exe
Parent process: WebCompanionInstaller.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID 3392
CMD: netsh http add urlacl url=http://+:9007/ user=Everyone
Path: C:\Windows\system32\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

PID 3636
CMD: "C:\Users\admin\AppData\Local\Temp\WcInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WcInstaller.exe
Parent process: explorer.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion Installer
Exit code: 0
Version: 4.2.1846.3481
Modules (images):
c:\users\admin\appdata\local\temp\wcinstaller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
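Three of the child processes above are the installer's persistence and local-listener setup: sc.exe creates WCAssistantService as an auto-start service running from Program Files, a second sc.exe call makes the service restart itself 60 seconds after any failure, and netsh reserves the HTTP.sys prefix http://+:9007/ for Everyone, which lets any local account (not just administrators) register a listener on port 9007 on every host name and interface. The reservation tells you what the service is allowed to bind, not what it serves, and this report shows nothing listening. The following triage script is an added example, not ANY.RUN or Lavasoft code: it runs those three rules over process-creation events, unwraps the cmd.exe /C wrapper so the netsh call is not counted twice, and tags the service creation with the ATT&CK technique for Windows services (T1543.003). EVENTS is constructed from the command lines in the process table; the rule wording is this example's own.

```python
"""Flag service persistence and HTTP.sys URL reservations in process-creation
events (the sc.exe / cmd.exe / netsh.exe steps shown in this report).

Added example, not ANY.RUN or Lavasoft code. EVENTS is constructed from the
command lines in the process table; rule names are this example's wording.
"""
import re
from dataclasses import dataclass, field

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
SYSTEM_DIRS = ("c:\\windows\\",)
EVERYONE = {"everyone", "*s-1-1-0"}       # account name or its well-known SID


@dataclass
class Finding:
    rule: str
    detail: str
    pids: list = field(default_factory=list)


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted runs intact."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_sc(tokens):
    """sc.exe <verb> <service> key= value ...  ->  (verb, service, {key: value}).
    sc.exe's syntax puts the '=' on the key token and the value in the next one."""
    if len(tokens) < 3:
        return None
    opts, i = {}, 3
    while i < len(tokens):
        if tokens[i].endswith("=") and i + 1 < len(tokens):
            opts[tokens[i][:-1].lower()] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return tokens[1].lower(), tokens[2], opts


def analyze_sc(tokens):
    parsed = parse_sc(tokens)
    if parsed is None:
        return []
    verb, service, opts = parsed
    hits = []
    if verb == "create":
        binpath = opts.get("binpath", "")
        auto = opts.get("start", "demand").lower() in ("auto", "delayed-auto")
        if auto and not binpath.lower().startswith(SYSTEM_DIRS):
            hits.append(("T1543.003 auto-start service installed outside %SystemRoot%",
                         f"{service} -> {binpath}"))
    elif verb == "failure" and opts.get("actions", "").lower().startswith("restart"):
        hits.append(("service set to restart itself after failure",
                     f"{service}: actions={opts['actions']} reset={opts.get('reset', '?')}"))
    return hits


def analyze_netsh(tokens):
    """netsh http add urlacl url=<prefix> user=<principal>: reserves an HTTP.sys
    prefix so that <principal> may listen on it without administrator rights."""
    if [t.lower() for t in tokens[1:4]] != ["http", "add", "urlacl"]:
        return []
    kv = {k.lower(): v for k, v in (t.split("=", 1) for t in tokens[4:] if "=" in t)}
    url, user = kv.get("url", ""), kv.get("user", "")
    m = re.match(r"https?://([^:/]+):(\d+)/", url)
    host = m.group(1) if m else ""
    hits = []
    if user.lower() in EVERYONE:
        hits.append(("URL ACL lets any local account bind the prefix", f"{url} user={user}"))
    if host in ("+", "*"):                  # strong/weak wildcard: all host names, all interfaces
        hits.append(("listener prefix is not restricted to localhost", url))
    return hits


def triage(events):
    """Run the rules over each event; identical findings from a cmd.exe wrapper
    and the child it spawned are merged into one Finding listing both PIDs."""
    findings = {}
    for ev in events:
        tokens = tokenize(ev["cmdline"])
        name = ev["image"].lower().removesuffix(".exe")
        lowered = [t.lower() for t in tokens]
        if name == "cmd" and "/c" in lowered:           # unwrap cmd.exe /C <command>
            tokens = tokens[lowered.index("/c") + 1:]
            name = tokens[0].rsplit("\\", 1)[-1].lower().removesuffix(".exe") if tokens else ""
        rules = {"sc": analyze_sc, "netsh": analyze_netsh}.get(name)
        for rule, detail in (rules(tokens) if rules else []):
            findings.setdefault((rule, detail), Finding(rule, detail)).pids.append(ev["pid"])
    return list(findings.values())


EVENTS = [  # constructed from the process table in this report
    {"pid": 3268, "image": "WebCompanionInstaller.exe",
     "cmdline": r".\WebCompanionInstaller.exe --partner=KL150601 --campaign=1400 --version=4.2.1846.3481 --prod"},
    {"pid": 2820, "image": "sc.exe",
     "cmdline": r'"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto'},
    {"pid": 2072, "image": "sc.exe",
     "cmdline": r'"sc.exe" failure WCAssistantService reset= 30 actions= restart/60000'},
    {"pid": 3020, "image": "sc.exe",
     "cmdline": r'"sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"'},
    {"pid": 3364, "image": "cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone'},
    {"pid": 3392, "image": "netsh.exe",
     "cmdline": r"netsh http add urlacl url=http://+:9007/ user=Everyone"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.rule}: {f.detail}  (PIDs {f.pids})")
```

Run against the six events it yields four findings: the auto-start service, the restart-on-failure policy, and two for the URL reservation (Everyone as principal, wildcard host), the last two carrying both PID 3364 and PID 3392. The sc.exe description call and the installer's own command line produce nothing. The same tokenizer and rules work on Sysmon event ID 1 or EDR process-creation records once the image and command line fields are mapped onto the event dictionary.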
Total events: 397
Read events: 262
Write events: 135
Delete events: 0

Modification events

Process | Operation | Key | Name = Value

PID 3268 WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Web Companion | MachineId = 99bbbf31-70c3-7522-2518-5d596321c64f
PID 3268 WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 | EnableFileTracing = 0
PID 3268 WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 | EnableConsoleTracing = 0
PID 3268 WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 | FileTracingMask = 4294901760
PID 3268 WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 | ConsoleTracingMask = 4294901760
PID 3268 WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 | MaxFileSize = 1048576
PID 3268 WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 | FileDirectory = %windir%\tracing
PID 3268 WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS | EnableFileTracing = 0
PID 3268 WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS | EnableConsoleTracing = 0
PID 3268 WebCompanionInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS | FileTracingMask = 4294901760

Executable files: 74
Suspicious files: 3
Text files: 29
Unknown types: 2

Dropped files

PID 3268 WebCompanionInstaller.exe
  C:\ProgramData\Lavasoft\Web Companion\Options\Statistics.txt (text)
  MD5: (not listed)  SHA256: (not listed)
PID 3268 WebCompanionInstaller.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@webcompanion[1].txt (text)
  MD5: (not listed)  SHA256: (not listed)
PID 3268 WebCompanionInstaller.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XB3OCR2W\consent_2[1].htm (html)
  MD5: (not listed)  SHA256: (not listed)
PID 3268 WebCompanionInstaller.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018072020180721\index.dat (dat)
  MD5: (not listed)  SHA256: (not listed)
PID 3636 WcInstaller.exe
  C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\WebCompanionInstaller.exe.config (xml)
  MD5: 1D0D9D32FB69C7F2F33B4E56D93E2C6D
  SHA256: C022A2B126C1BAD1774E7F9D3A5F50F30CB6B3758A2F870FC676160275F69EAC
PID 3636 WcInstaller.exe
  C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\fr-CA\WebCompanionInstaller.resources.dll (executable)
  MD5: 4A1E2D66CD994AFCC8DFADA93837606E
  SHA256: 7D82338BD5696118C3DFE243A08ACC855F988A7FC072F8368B1073CB0BCDA77D
PID 3636 WcInstaller.exe
  C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\de-DE\WebCompanionInstaller.resources.dll (executable)
  MD5: 46C6DFF1778861F19406C56134F527CE
  SHA256: 7A0F6685EBF318828FA1DBD069A5A3DDAB00BB6A776B7169F9B54766956B3AA5
PID 3636 WcInstaller.exe
  C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\es-ES\WebCompanionInstaller.resources.dll (executable)
  MD5: 1D811987C66E52A064F093C5ED8C5462
  SHA256: 384826226F4339399798FD5953CF84D3E15C77D2190046029B267F302A32088C
PID 3636 WcInstaller.exe
  C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\ja-JP\WebCompanionInstaller.resources.dll (executable)
  MD5: 51877DBD15F68DB9B86EF50392B1A271
  SHA256: EF6A364428CA3E2BAB96416C61CC447EA0371759F8722C283E6C78BD8855DD76
PID 3636 WcInstaller.exe
  C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\it-IT\WebCompanionInstaller.resources.dll (executable)
  MD5: 5877B38001C33B3F0602FFE769F38E5B
  SHA256: EF7F971DFDE4D172443597E2CA39344606880BA2468C7CA52A3C749715A3AF5B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 31
TCP/UDP connections: 10
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

3268 | WebCompanionInstaller.exe | GET | 200 | 104.17.114.51:80 | http://www.webcompanion.com/installer/consent_2?culture=en&hp=1&se=1 | US | html | 1.33 Kb | malicious
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | GET | 200 | 205.185.208.52:80 | http://code.jquery.com/jquery-1.11.2.min.js | US | text | 37.9 Kb | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | GET | 200 | 104.17.60.19:80 | http://wcdownloadercdn.lavasoft.com/4.2.1846.3481/WebCompanion-4.2.1846.3481-prod.zip | US | compressed | 9.16 Mb | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-update-service.lavasoft.com/update.asmx | CA | xml | 1.45 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

3268 | WebCompanionInstaller.exe | 72.55.154.82:80 | wc-tracking.lavasoft.com | iWeb Technologies Inc. | CA | unknown
3268 | WebCompanionInstaller.exe | 104.17.114.51:80 | www.webcompanion.com | Cloudflare Inc | US | shared
3268 | WebCompanionInstaller.exe | 104.17.60.19:80 | wcdownloadercdn.lavasoft.com | Cloudflare Inc | US | shared
1228 | WebCompanion.exe | 104.17.114.51:80 | www.webcompanion.com | Cloudflare Inc | US | shared
1228 | WebCompanion.exe | 72.55.154.81:80 | wc-tracking.lavasoft.com | iWeb Technologies Inc. | CA | unknown
3268 | WebCompanionInstaller.exe | 205.185.208.52:80 | code.jquery.com | Highwinds Network Group, Inc. | US | unknown

DNS requests

Domain
IP
Reputation
wc-tracking.lavasoft.com
  • 72.55.154.82
  • 72.55.154.81
whitelisted
www.webcompanion.com
  • 104.17.114.51
  • 104.17.115.51
  • 104.17.113.51
  • 104.17.116.51
  • 104.17.112.51
malicious
webcompanion.com
  • 104.17.114.51
  • 104.17.113.51
  • 104.17.115.51
  • 104.17.112.51
  • 104.17.116.51
malicious
code.jquery.com
  • 205.185.208.52
whitelisted
wc-update-service.lavasoft.com
  • 72.55.154.82
  • 72.55.154.81
whitelisted
wcdownloadercdn.lavasoft.com
  • 104.17.60.19
  • 104.17.61.19
whitelisted
rt.webcompanion.com
  • 104.17.114.51
  • 104.17.116.51
  • 104.17.112.51
  • 104.17.113.51
  • 104.17.115.51
malicious
wc-partners.lavasoft.com
  • 72.55.154.81
  • 72.55.154.82
whitelisted

Threats

No threats detected
Debug output strings (process: message)

WebCompanionInstaller.exe: Detecting windows culture
WebCompanionInstaller.exe: 7/20/2018 1:11:05 PM :-> Starting installer 4.2.1846.3481 with: .\WebCompanionInstaller.exe --partner=KL150601 --campaign=1400 --version=4.2.1846.3481 --prod, Run as admin: True
WebCompanionInstaller.exe: Preparing for installing Web Companion
WebCompanionInstaller.exe: 7/20/2018 1:11:18 PM :-> Generating Machine and Install Id ...
WebCompanionInstaller.exe: 7/20/2018 1:11:18 PM :-> Machine Id and Install Id has been generated
WebCompanionInstaller.exe: 7/20/2018 1:11:18 PM :-> Checking prerequisites ...
WebCompanionInstaller.exe: 7/20/2018 1:11:18 PM :-> Antivirus not detected
WebCompanionInstaller.exe: 7/20/2018 1:11:19 PM :-> vm_check False
WebCompanionInstaller.exe: 7/20/2018 1:11:19 PM :-> reg_check :False
WebCompanionInstaller.exe: 7/20/2018 1:11:19 PM :-> Installed .Net framework is V40