File name: WcInstaller.exe
Full analysis: https://app.any.run/tasks/2179dd8e-8ca7-4fe6-a267-6dacaf578b90
Verdict: Malicious activity
Analysis date: July 20, 2018, 12:10:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 201E1912AB74F06F2EC3C09AE4BFCB00
SHA1: DEEBD168B598C633FB7510FD2D3023D18A30D484
SHA256: 2A3110E7E158344192BA7FABF3809289A5B3511ADE60D5F4ACD0DC75C11970E0
SSDEEP: 6144:31OgDPdkBAFZWjadD4sKGoa2YyGCmMSLKXo7OcehCC/6kPYAHr2TF0G:31OgLdalz5oeIZkH4F0G

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • WebCompanionInstaller.exe (PID: 3268)
      • WebCompanion.exe (PID: 1228)
    • Application was dropped or rewritten from another process

      • WebCompanionInstaller.exe (PID: 3268)
      • WebCompanion.exe (PID: 1228)
    • Changes settings of System certificates

      • WebCompanionInstaller.exe (PID: 3268)
    • Changes internet zones settings

      • WebCompanionInstaller.exe (PID: 3268)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • WebCompanionInstaller.exe (PID: 3268)
    • Reads internet explorer settings

      • WebCompanionInstaller.exe (PID: 3268)
    • Starts SC.EXE for service management

      • WebCompanionInstaller.exe (PID: 3268)
    • Creates a software uninstall entry

      • WebCompanionInstaller.exe (PID: 3268)
    • Adds / modifies Windows certificates

      • WebCompanionInstaller.exe (PID: 3268)
    • Executable content was dropped or overwritten

      • WcInstaller.exe (PID: 3636)
      • WebCompanionInstaller.exe (PID: 3268)
    • Creates files in the user directory

      • WebCompanionInstaller.exe (PID: 3268)
    • Creates files in the program directory

      • WebCompanionInstaller.exe (PID: 3268)
      • WebCompanion.exe (PID: 1228)
    • Starts CMD.EXE for commands execution

      • WebCompanionInstaller.exe (PID: 3268)
    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 3364)
  • INFO

    • Reads settings of System Certificates

      • WebCompanionInstaller.exe (PID: 3268)
    • Dropped object may contain Bitcoin addresses

      • WebCompanionInstaller.exe (PID: 3268)
    • Dropped object may contain URL's

      • WebCompanion.exe (PID: 1228)
      • WcInstaller.exe (PID: 3636)
      • WebCompanionInstaller.exe (PID: 3268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:11:18 17:27:35+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 104960
InitializedDataSize: 58880
UninitializedDataSize: -
EntryPoint: 0x14b04
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.2.1846.3481
ProductVersionNumber: 4.2.1846.3481
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 4.2.1846.3481
ProductVersion: 4.2.1846.3481
CompanyName: Lavasoft
FileDescription: Web Companion Installer
InternalName: Installer.exe
LegalCopyright: c Lavasoft Limited. All Rights Reserved.
OriginalFileName: Installer.exe
ProductName: Web Companion Installer
All screenshots are available in the full report
Total processes: 48
Monitored processes: 9
Malicious processes: 3
Suspicious processes: 0

Behavior graph

[Behavior graph image; see the full report. Processes shown: wcinstaller.exe, webcompanioninstaller.exe, sc.exe (3 instances, no specs), cmd.exe (no specs), netsh.exe (no specs), webcompanion.exe, wcinstaller.exe (no specs). Edge labels: drop and start, start.]

Process information

PID: 1228
CMD: "C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe" --install --geo=
Path: C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe
Parent process: WebCompanionInstaller.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion
Exit code: 0
Version: 4.2.1846.3481
Modules (images):
c:\program files\lavasoft\web companion\application\webcompanion.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

PID: 1460
CMD: "C:\Users\admin\AppData\Local\Temp\WcInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WcInstaller.exe
Parent process: explorer.exe
User: admin
Company: Lavasoft
Integrity Level: MEDIUM
Description: Web Companion Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 4.2.1846.3481

PID: 2072
CMD: "sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
Path: C:\Windows\system32\sc.exe
Parent process: WebCompanionInstaller.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll

PID: 2820
CMD: "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
Path: C:\Windows\system32\sc.exe
Parent process: WebCompanionInstaller.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll

PID: 3020
CMD: "sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
Path: C:\Windows\system32\sc.exe
Parent process: WebCompanionInstaller.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll

PID: 3268
CMD: .\WebCompanionInstaller.exe --partner=KL150601 --campaign=1400 --version=4.2.1846.3481 --prod
Path: C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\WebCompanionInstaller.exe
Parent process: WcInstaller.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion
Exit code: 0
Version: 4.2.1846.3481
Modules (images):
c:\users\admin\appdata\local\temp\7zsa46c.tmp\webcompanioninstaller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

PID: 3364
CMD: "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
Path: C:\Windows\System32\cmd.exe
Parent process: WebCompanionInstaller.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 3392
CMD: netsh http add urlacl url=http://+:9007/ user=Everyone
Path: C:\Windows\system32\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

PID: 3636
CMD: "C:\Users\admin\AppData\Local\Temp\WcInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WcInstaller.exe
Parent process: explorer.exe
User: admin
Company: Lavasoft
Integrity Level: HIGH
Description: Web Companion Installer
Exit code: 0
Version: 4.2.1846.3481
Modules (images):
c:\users\admin\appdata\local\temp\wcinstaller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events: 397
Read events: 262
Write events: 135
Delete events: 0

Modification events

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Web Companion
Operation: write
Name: MachineId
Value: 99bbbf31-70c3-7522-2518-5d596321c64f

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation: write
Name: FileTracingMask
Value: 4294901760

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value: 4294901760

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS
Operation: write
Name: FileTracingMask
Value: 4294901760
Executable files: 74
Suspicious files: 3
Text files: 29
Unknown types: 2

Dropped files

PID: 3268 | Process: WebCompanionInstaller.exe
Filename: C:\ProgramData\Lavasoft\Web Companion\Options\Statistics.txt
Type: text
MD5: -
SHA256: -

PID: 3268 | Process: WebCompanionInstaller.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018072020180721\index.dat
Type: dat
MD5: -
SHA256: -

PID: 3268 | Process: WebCompanionInstaller.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XB3OCR2W\consent_2[1].htm
Type: html
MD5: -
SHA256: -

PID: 3268 | Process: WebCompanionInstaller.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@webcompanion[1].txt
Type: text
MD5: -
SHA256: -

PID: 3636 | Process: WcInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\ru-RU\WebCompanionInstaller.resources.dll
Type: executable
MD5: 2176154FDB35C5990A9AFD2B31A7A2B4
SHA256: 8E9220790325E5041C1A78067E19B4C282115BE28E3930C30B165F16ED5655FE

PID: 3636 | Process: WcInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\pt-BR\WebCompanionInstaller.resources.dll
Type: executable
MD5: 90BA8EEDD0E2424101D9F7856C3E02C9
SHA256: 5C84D471D9E6B68B0E3A267AA3F94776E65495FBF70BD193523BD4DDA8E38330

PID: 3636 | Process: WcInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\ICSharpCode.SharpZipLib.dll
Type: executable
MD5: C64E6DB491A182B674C2E475D70CA82B
SHA256: A1161EA003F5BFB04323443BE4B94508B6E60D9EE42E1AD2865A55301C08546C

PID: 3636 | Process: WcInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\zh-CHS\WebCompanionInstaller.resources.dll
Type: executable
MD5: 76223C7CC8EA8E414602B19217AE3917
SHA256: 9C6268E01D50F76073652B87F39D18EC12831BED97F12A2C1561E27615951FF9

PID: 3268 | Process: WebCompanionInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\WebCompanion.zip
Type: compressed
MD5: 15D23035E1779E71D65C14C5252D8AAE
SHA256: 9D3B5C904CCA6546A456C6CE4FB5FAEC7B8E2A6F0A634EBC956BB50F4A3B3AD4

PID: 3268 | Process: WebCompanionInstaller.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHUAAB7W\styles[1].css
Type: text
MD5: 07698BA80B805D772A2AC8AC3375DF46
SHA256: 78DF154E056B8220FCA4CF44526556BD64305E7FC9D25D060119641290F23143
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 31
TCP/UDP connections: 10
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | GET | 200 | 205.185.208.52:80 | http://code.jquery.com/jquery-1.11.2.min.js | US | text | 37.9 Kb | whitelisted
3268 | WebCompanionInstaller.exe | GET | 200 | 104.17.60.19:80 | http://wcdownloadercdn.lavasoft.com/4.2.1846.3481/WebCompanion-4.2.1846.3481-prod.zip | US | compressed | 9.16 Mb | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-update-service.lavasoft.com/update.asmx | CA | xml | 1.45 Kb | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3268 | WebCompanionInstaller.exe | 104.17.114.51:80 | www.webcompanion.com | Cloudflare Inc | US | shared
3268 | WebCompanionInstaller.exe | 72.55.154.82:80 | wc-tracking.lavasoft.com | iWeb Technologies Inc. | CA | unknown
3268 | WebCompanionInstaller.exe | 205.185.208.52:80 | code.jquery.com | Highwinds Network Group, Inc. | US | unknown
3268 | WebCompanionInstaller.exe | 104.17.60.19:80 | wcdownloadercdn.lavasoft.com | Cloudflare Inc | US | shared
1228 | WebCompanion.exe | 72.55.154.81:80 | wc-tracking.lavasoft.com | iWeb Technologies Inc. | CA | unknown
1228 | WebCompanion.exe | 104.17.114.51:80 | www.webcompanion.com | Cloudflare Inc | US | shared

DNS requests

Domain | IP | Reputation
wc-tracking.lavasoft.com | 72.55.154.82, 72.55.154.81 | whitelisted
www.webcompanion.com | 104.17.114.51, 104.17.115.51, 104.17.113.51, 104.17.116.51, 104.17.112.51 | malicious
webcompanion.com | 104.17.114.51, 104.17.113.51, 104.17.115.51, 104.17.112.51, 104.17.116.51 | malicious
code.jquery.com | 205.185.208.52 | whitelisted
wc-update-service.lavasoft.com | 72.55.154.82, 72.55.154.81 | whitelisted
wcdownloadercdn.lavasoft.com | 104.17.60.19, 104.17.61.19 | whitelisted
rt.webcompanion.com | 104.17.114.51, 104.17.116.51, 104.17.112.51, 104.17.113.51, 104.17.115.51 | malicious
wc-partners.lavasoft.com | 72.55.154.81, 72.55.154.82 | whitelisted

Threats

No threats detected
Process | Message
WebCompanionInstaller.exe | Detecting windows culture
WebCompanionInstaller.exe | 7/20/2018 1:11:05 PM :-> Starting installer 4.2.1846.3481 with: .\WebCompanionInstaller.exe --partner=KL150601 --campaign=1400 --version=4.2.1846.3481 --prod, Run as admin: True
WebCompanionInstaller.exe | Preparing for installing Web Companion
WebCompanionInstaller.exe | 7/20/2018 1:11:18 PM :-> Generating Machine and Install Id ...
WebCompanionInstaller.exe | 7/20/2018 1:11:18 PM :-> Machine Id and Install Id has been generated
WebCompanionInstaller.exe | 7/20/2018 1:11:18 PM :-> Checking prerequisites ...
WebCompanionInstaller.exe | 7/20/2018 1:11:18 PM :-> Antivirus not detected
WebCompanionInstaller.exe | 7/20/2018 1:11:19 PM :-> vm_check False
WebCompanionInstaller.exe | 7/20/2018 1:11:19 PM :-> reg_check :False
WebCompanionInstaller.exe | 7/20/2018 1:11:19 PM :-> Installed .Net framework is V40