File name: | WcInstaller.exe |
Full analysis: | https://app.any.run/tasks/fba70e80-6e9f-443f-8855-698dca60c8df |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | August 13, 2019, 18:38:02 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 3A61797CFF12598B31443D5BCE21E470 |
SHA1: | 90CD8FE538C6EAE59AAB414182A6EEBB0B5ACE6E |
SHA256: | 2C8CB61F622F8C4C4BABC19EBF9FAD759D9913C4CA47AD393448C48BAD08D71A |
SSDEEP: | 6144:m1OgDPdkBAFZWjadD4sKxJHbyDOLgI7VDh1R1KiScfwVVM20HdTA:m1OgLdanVwOv7KiwiA |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
ProductName: | Web Companion Installer |
---|---|
OriginalFileName: | Installer.exe |
LegalCopyright: | c Lavasoft Limited. All Rights Reserved. |
InternalName: | Installer.exe |
FileDescription: | Web Companion Installer |
CompanyName: | Lavasoft |
ProductVersion: | 4.7.1987.3881 |
FileVersion: | 4.7.1987.3881 |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 4.7.1987.3881 |
FileVersionNumber: | 4.7.1987.3881 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x14b04 |
UninitializedDataSize: | - |
InitializedDataSize: | 58880 |
CodeSize: | 104960 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2010:11:18 17:27:35+01:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2196 | "C:\Users\admin\AppData\Local\Temp\WcInstaller.exe" | C:\Users\admin\AppData\Local\Temp\WcInstaller.exe | — | explorer.exe |
User: admin Company: Lavasoft Integrity Level: MEDIUM Description: Web Companion Installer Exit code: 3221226540 Version: 4.7.1987.3881 | ||||
2916 | "C:\Users\admin\AppData\Local\Temp\WcInstaller.exe" | C:\Users\admin\AppData\Local\Temp\WcInstaller.exe | explorer.exe | |
User: admin Company: Lavasoft Integrity Level: HIGH Description: Web Companion Installer Exit code: 0 Version: 4.7.1987.3881 | ||||
3604 | .\WebCompanionInstaller.exe --prod | C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\WebCompanionInstaller.exe | WcInstaller.exe | |
User: admin Company: Lavasoft Integrity Level: HIGH Description: Web Companion Exit code: 0 Version: 4.7.1987.3881 | ||||
3788 | "C:\Users\admin\AppData\Local\Temp\wctmp_1097033925\WcInstaller.exe" --nanouniqueid=1565721500210 --prod | C:\Users\admin\AppData\Local\Temp\wctmp_1097033925\WcInstaller.exe | WebCompanionInstaller.exe | |
User: admin Company: Lavasoft Integrity Level: HIGH Description: Web Companion Installer Version: 4.6.1974.3869 | ||||
1640 | .\WebCompanionInstaller.exe --prod --nanouniqueid=1565721500210 --prod | C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\WebCompanionInstaller.exe | WcInstaller.exe | |
User: admin Company: Lavasoft Integrity Level: HIGH Description: Web Companion Version: 4.6.1974.3869 | ||||
3076 | C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe | C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe | — | services.exe |
User: LOCAL SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: PresentationFontCache.exe Version: 3.0.6920.4902 built by: NetFXw7 |
(PID) Process: | (3604) WebCompanionInstaller.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3604) WebCompanionInstaller.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Web Companion |
Operation: | write | Name: | MachineId |
Value: 735550bb-0faf-aab3-c4f6-bbac563dacb9 | |||
(PID) Process: | (3604) WebCompanionInstaller.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3604) WebCompanionInstaller.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3604) WebCompanionInstaller.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3604) WebCompanionInstaller.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3604) WebCompanionInstaller.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (3604) WebCompanionInstaller.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (3604) WebCompanionInstaller.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3604) WebCompanionInstaller.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3604 | WebCompanionInstaller.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | — | |
MD5:— | SHA256:— | |||
3604 | WebCompanionInstaller.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | — | |
MD5:— | SHA256:— | |||
2916 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\de-DE\WebCompanionInstaller.resources.dll | executable | |
MD5:56074F8728FBBBF61D6FA5C7242364BD | SHA256:6102C31CD6A2225F2A8DC1A57695F8A5B44F77FA6B980504BCBBA5D2DD8B7346 | |||
2916 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\ICSharpCode.SharpZipLib.dll | executable | |
MD5:56D0B6A1915B355D68C3E8D2AF082692 | SHA256:F32175CD424F7F89FD1405C4E7D40F91FF1F3A647981B1852816ED84847CCB10 | |||
2916 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\zh-CHS\WebCompanionInstaller.resources.dll | executable | |
MD5:7158CA8AE5B7AF947831F01E6EE23A9E | SHA256:CC0B2A00F9CDBCC1D2EE43326E79AFBF928E7A5A0B74DFD80C3913D28A2C03C1 | |||
2916 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\WebCompanionInstaller.exe.config | xml | |
MD5:1D0D9D32FB69C7F2F33B4E56D93E2C6D | SHA256:C022A2B126C1BAD1774E7F9D3A5F50F30CB6B3758A2F870FC676160275F69EAC | |||
2916 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\pt-BR\WebCompanionInstaller.resources.dll | executable | |
MD5:EF47558677617BF746324D2A9A6CA9D4 | SHA256:66287740E227E901D2FB923D29E72E92C9FA5976C7640974502E96EA18FF19F6 | |||
2916 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\WebCompanionInstaller.exe | executable | |
MD5:983126D093D759ABE0A803043A870BFB | SHA256:14BD9A54ECFB6888500B1B419354BC79406433A563FCEC564B630C7B5FB12C3A | |||
3788 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zSB857.tmp\WebCompanionInstaller.exe.config | xml | |
MD5:1D0D9D32FB69C7F2F33B4E56D93E2C6D | SHA256:C022A2B126C1BAD1774E7F9D3A5F50F30CB6B3758A2F870FC676160275F69EAC | |||
2916 | WcInstaller.exe | C:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\it-IT\WebCompanionInstaller.resources.dll | executable | |
MD5:95C77760E59AE55D66EF3A4EC27196EA | SHA256:90A5882F805856905B377F16FA92A47BC72B881AAFB0EBD0D808C4A7782DC842 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1640 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted |
3604 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.82:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted |
3604 | WebCompanionInstaller.exe | GET | 200 | 104.18.88.101:80 | http://wcdownloadercdn.lavasoft.com/4.6.1974.3869/WcInstaller.exe | US | executable | 346 Kb | whitelisted |
1640 | WebCompanionInstaller.exe | GET | 200 | 104.17.177.102:80 | http://www.webcompanion.com/installer/consent_2?culture=en&hp=1&se=1 | US | html | 1.33 Kb | malicious |
3604 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.82:80 | http://wc-update-service.lavasoft.com/update.asmx | CA | xml | 1.45 Kb | whitelisted |
1640 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.82:80 | http://wc-update-service.lavasoft.com/update.asmx | CA | xml | 1.45 Kb | whitelisted |
1640 | WebCompanionInstaller.exe | GET | 200 | 205.185.208.52:80 | http://code.jquery.com/jquery-1.11.2.min.js | US | text | 32.4 Kb | whitelisted |
1640 | WebCompanionInstaller.exe | GET | 200 | 104.17.178.102:80 | http://webcompanion.com/installer/css/styles.css?1565721530 | US | text | 928 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1640 | WebCompanionInstaller.exe | 104.17.177.102:80 | www.webcompanion.com | Cloudflare Inc | US | shared |
1640 | WebCompanionInstaller.exe | 104.17.178.102:80 | www.webcompanion.com | Cloudflare Inc | US | shared |
1640 | WebCompanionInstaller.exe | 64.18.87.82:80 | wc-tracking.lavasoft.com | COGECODATA | CA | unknown |
3604 | WebCompanionInstaller.exe | 64.18.87.82:80 | wc-tracking.lavasoft.com | COGECODATA | CA | unknown |
3604 | WebCompanionInstaller.exe | 104.18.88.101:80 | wcdownloadercdn.lavasoft.com | Cloudflare Inc | US | shared |
1640 | WebCompanionInstaller.exe | 205.185.208.52:80 | code.jquery.com | Highwinds Network Group, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
wc-tracking.lavasoft.com |
| whitelisted |
wc-update-service.lavasoft.com |
| whitelisted |
wcdownloadercdn.lavasoft.com |
| whitelisted |
www.webcompanion.com |
| malicious |
webcompanion.com |
| malicious |
code.jquery.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3604 | WebCompanionInstaller.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3604 | WebCompanionInstaller.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
1640 | WebCompanionInstaller.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
Process | Message |
---|---|
WebCompanionInstaller.exe | Detecting windows culture
|
WebCompanionInstaller.exe | 8/13/2019 7:38:23 PM :-> Starting installer 4.7.1987.3881 with: .\WebCompanionInstaller.exe --prod, Run as admin: True
|
WebCompanionInstaller.exe | Detecting windows culture
|
WebCompanionInstaller.exe | 8/13/2019 7:38:26 PM :-> Starting installer 4.6.1974.3869 with: .\WebCompanionInstaller.exe --prod --nanouniqueid=1565721500210 --prod, Run as admin: True
|