File name: WcInstaller.exe

Full analysis: https://app.any.run/tasks/2179dd8e-8ca7-4fe6-a267-6dacaf578b90
Verdict: Malicious activity
Analysis date: July 20, 2018, 12:10:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 201E1912AB74F06F2EC3C09AE4BFCB00
SHA1: DEEBD168B598C633FB7510FD2D3023D18A30D484
SHA256: 2A3110E7E158344192BA7FABF3809289A5B3511ADE60D5F4ACD0DC75C11970E0
SSDEEP: 6144:31OgDPdkBAFZWjadD4sKGoa2YyGCmMSLKXo7OcehCC/6kPYAHr2TF0G:31OgLdalz5oeIZkH4F0G

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • WebCompanionInstaller.exe (PID: 3268)
      • WebCompanion.exe (PID: 1228)
    • Loads dropped or rewritten executable

      • WebCompanionInstaller.exe (PID: 3268)
      • WebCompanion.exe (PID: 1228)
    • Changes settings of System certificates

      • WebCompanionInstaller.exe (PID: 3268)
    • Changes internet zones settings

      • WebCompanionInstaller.exe (PID: 3268)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WcInstaller.exe (PID: 3636)
      • WebCompanionInstaller.exe (PID: 3268)
    • Reads Internet Cache Settings

      • WebCompanionInstaller.exe (PID: 3268)
    • Reads internet explorer settings

      • WebCompanionInstaller.exe (PID: 3268)
    • Creates files in the program directory

      • WebCompanionInstaller.exe (PID: 3268)
      • WebCompanion.exe (PID: 1228)
    • Creates files in the user directory

      • WebCompanionInstaller.exe (PID: 3268)
    • Adds / modifies Windows certificates

      • WebCompanionInstaller.exe (PID: 3268)
    • Starts SC.EXE for service management

      • WebCompanionInstaller.exe (PID: 3268)
    • Starts CMD.EXE for commands execution

      • WebCompanionInstaller.exe (PID: 3268)
    • Creates a software uninstall entry

      • WebCompanionInstaller.exe (PID: 3268)
    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 3364)
  • INFO

    • Reads settings of System Certificates

      • WebCompanionInstaller.exe (PID: 3268)
    • Dropped object may contain Bitcoin addresses

      • WebCompanionInstaller.exe (PID: 3268)
    • Dropped object may contain URL's

      • WebCompanion.exe (PID: 1228)
      • WcInstaller.exe (PID: 3636)
      • WebCompanionInstaller.exe (PID: 3268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:11:18 17:27:35+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 104960
InitializedDataSize: 58880
UninitializedDataSize: -
EntryPoint: 0x14b04
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.2.1846.3481
ProductVersionNumber: 4.2.1846.3481
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 4.2.1846.3481
ProductVersion: 4.2.1846.3481
CompanyName: Lavasoft
FileDescription: Web Companion Installer
InternalName: Installer.exe
LegalCopyright: © Lavasoft Limited. All Rights Reserved.
OriginalFileName: Installer.exe
ProductName: Web Companion Installer
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 9
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes in the graph: wcinstaller.exe, webcompanioninstaller.exe, sc.exe (no specs, three instances), cmd.exe (no specs), netsh.exe (no specs), webcompanion.exe, wcinstaller.exe (no specs). Edge labels: drop and start, start, drop and start.

Process information

PID: 1228
CMD: "C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe" --install --geo=
Path: C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe
Parent process: WebCompanionInstaller.exe
User:
admin
Company:
Lavasoft
Integrity Level:
HIGH
Description:
Web Companion
Exit code:
0
Version:
4.2.1846.3481
Modules
Images
c:\program files\lavasoft\web companion\application\webcompanion.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 1460
CMD: "C:\Users\admin\AppData\Local\Temp\WcInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WcInstaller.exe
Parent process: explorer.exe
User:
admin
Company:
Lavasoft
Integrity Level:
MEDIUM
Description:
Web Companion Installer
Exit code:
3221226540
Version:
4.2.1846.3481
PID: 2072
CMD: "sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
Path: C:\Windows\system32\sc.exe
Parent process: WebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
PID: 2820
CMD: "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
Path: C:\Windows\system32\sc.exe
Parent process: WebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
PID: 3020
CMD: "sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
Path: C:\Windows\system32\sc.exe
Parent process: WebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
PID: 3268
CMD: .\WebCompanionInstaller.exe --partner=KL150601 --campaign=1400 --version=4.2.1846.3481 --prod
Path: C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\WebCompanionInstaller.exe
Parent process: WcInstaller.exe
User:
admin
Company:
Lavasoft
Integrity Level:
HIGH
Description:
Web Companion
Exit code:
0
Version:
4.2.1846.3481
Modules
Images
c:\users\admin\appdata\local\temp\7zsa46c.tmp\webcompanioninstaller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 3364
CMD: "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
Path: C:\Windows\System32\cmd.exe
Parent process: WebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3392
CMD: netsh http add urlacl url=http://+:9007/ user=Everyone
Path: C:\Windows\system32\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 3636
CMD: "C:\Users\admin\AppData\Local\Temp\WcInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WcInstaller.exe
Parent process: explorer.exe
User:
admin
Company:
Lavasoft
Integrity Level:
HIGH
Description:
Web Companion Installer
Exit code:
0
Version:
4.2.1846.3481
Modules
Images
c:\users\admin\appdata\local\temp\wcinstaller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events: 397
Read events: 262
Write events: 135
Delete events: 0

Modification events

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Web Companion
Operation: write
Name: MachineId
Value: 99bbbf31-70c3-7522-2518-5d596321c64f

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation: write
Name: FileTracingMask
Value: 4294901760

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value: 4294901760

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: (3268) WebCompanionInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS
Operation: write
Name: FileTracingMask
Value: 4294901760

Executable files: 74
Suspicious files: 3
Text files: 29
Unknown types: 2

Dropped files

PID | Process | Filename | Type

3636 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\ICSharpCode.SharpZipLib.dll | executable
MD5: C64E6DB491A182B674C2E475D70CA82B
SHA256: A1161EA003F5BFB04323443BE4B94508B6E60D9EE42E1AD2865A55301C08546C

3636 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\de-DE\WebCompanionInstaller.resources.dll | executable
MD5: 46C6DFF1778861F19406C56134F527CE
SHA256: 7A0F6685EBF318828FA1DBD069A5A3DDAB00BB6A776B7169F9B54766956B3AA5

3636 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\en-US\WebCompanionInstaller.resources.dll | executable
MD5: 9236A5FB6FBA7CF42EC9617ADCA70DFD
SHA256: 38A8E90F983097053C319BAEBD8BADDE958F2357B9A57A2B76045FA50B9C4B09

3636 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\tr-TR\WebCompanionInstaller.resources.dll | executable
MD5: 8D36B865C387D6F3B3CDE34A814ECB7B
SHA256: 52335040D537E59EFA8803820E59F818181DED4C8A423A31C963C4D800CF42BD

3636 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\fr-CA\WebCompanionInstaller.resources.dll | executable
MD5: 4A1E2D66CD994AFCC8DFADA93837606E
SHA256: 7D82338BD5696118C3DFE243A08ACC855F988A7FC072F8368B1073CB0BCDA77D

3636 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\es-ES\WebCompanionInstaller.resources.dll | executable
MD5: 1D811987C66E52A064F093C5ED8C5462
SHA256: 384826226F4339399798FD5953CF84D3E15C77D2190046029B267F302A32088C

3636 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\it-IT\WebCompanionInstaller.resources.dll | executable
MD5: 5877B38001C33B3F0602FFE769F38E5B
SHA256: EF7F971DFDE4D172443597E2CA39344606880BA2468C7CA52A3C749715A3AF5B

3268 | WebCompanionInstaller.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018072020180721\index.dat | dat
MD5:
SHA256:

3636 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\WebCompanionInstaller.exe | executable
MD5: 8153797B877D1536DAE1BDBB6CAB8712
SHA256: 162FD45CDF3274FF3CB6AA612ECCFAFCE283E075696155F603D3C19F4FCB9076

3636 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zSA46C.tmp\WebCompanionInstaller.exe.config | xml
MD5: 1D0D9D32FB69C7F2F33B4E56D93E2C6D
SHA256: C022A2B126C1BAD1774E7F9D3A5F50F30CB6B3758A2F870FC676160275F69EAC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 31
TCP/UDP connections: 10
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3268 | WebCompanionInstaller.exe | GET | 200 | 104.17.114.51:80 | http://www.webcompanion.com/installer/consent_2?culture=en&hp=1&se=1 | US | html | 1.33 Kb | malicious
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted
3268 | WebCompanionInstaller.exe | GET | 200 | 104.17.114.51:80 | http://webcompanion.com/installer/css/styles.css?1532088670 | US | text | 928 b | malicious
3268 | WebCompanionInstaller.exe | POST | 200 | 72.55.154.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3268 | WebCompanionInstaller.exe | 104.17.60.19:80 | wcdownloadercdn.lavasoft.com | Cloudflare Inc | US | shared
1228 | WebCompanion.exe | 72.55.154.81:80 | wc-tracking.lavasoft.com | iWeb Technologies Inc. | CA | unknown
1228 | WebCompanion.exe | 104.17.114.51:80 | www.webcompanion.com | Cloudflare Inc | US | shared
3268 | WebCompanionInstaller.exe | 72.55.154.82:80 | wc-tracking.lavasoft.com | iWeb Technologies Inc. | CA | unknown
3268 | WebCompanionInstaller.exe | 104.17.114.51:80 | www.webcompanion.com | Cloudflare Inc | US | shared
3268 | WebCompanionInstaller.exe | 205.185.208.52:80 | code.jquery.com | Highwinds Network Group, Inc. | US | unknown

DNS requests

Domain
IP
Reputation
wc-tracking.lavasoft.com
  • 72.55.154.82
  • 72.55.154.81
whitelisted
www.webcompanion.com
  • 104.17.114.51
  • 104.17.115.51
  • 104.17.113.51
  • 104.17.116.51
  • 104.17.112.51
malicious
webcompanion.com
  • 104.17.114.51
  • 104.17.113.51
  • 104.17.115.51
  • 104.17.112.51
  • 104.17.116.51
malicious
code.jquery.com
  • 205.185.208.52
whitelisted
wc-update-service.lavasoft.com
  • 72.55.154.82
  • 72.55.154.81
whitelisted
wcdownloadercdn.lavasoft.com
  • 104.17.60.19
  • 104.17.61.19
whitelisted
rt.webcompanion.com
  • 104.17.114.51
  • 104.17.116.51
  • 104.17.112.51
  • 104.17.113.51
  • 104.17.115.51
malicious
wc-partners.lavasoft.com
  • 72.55.154.81
  • 72.55.154.82
whitelisted

Threats

No threats detected
Process
Message
WebCompanionInstaller.exe
Detecting windows culture
WebCompanionInstaller.exe
7/20/2018 1:11:05 PM :-> Starting installer 4.2.1846.3481 with: .\WebCompanionInstaller.exe --partner=KL150601 --campaign=1400 --version=4.2.1846.3481 --prod, Run as admin: True
WebCompanionInstaller.exe
Preparing for installing Web Companion
WebCompanionInstaller.exe
7/20/2018 1:11:18 PM :-> Generating Machine and Install Id ...
WebCompanionInstaller.exe
7/20/2018 1:11:18 PM :-> Machine Id and Install Id has been generated
WebCompanionInstaller.exe
7/20/2018 1:11:18 PM :-> Checking prerequisites ...
WebCompanionInstaller.exe
7/20/2018 1:11:18 PM :-> Antivirus not detected
WebCompanionInstaller.exe
7/20/2018 1:11:19 PM :-> vm_check False
WebCompanionInstaller.exe
7/20/2018 1:11:19 PM :-> reg_check :False
WebCompanionInstaller.exe
7/20/2018 1:11:19 PM :-> Installed .Net framework is V40