analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

WcInstaller.exe

Full analysis: https://app.any.run/tasks/fba70e80-6e9f-443f-8855-698dca60c8df
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 13, 2019, 18:38:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

3A61797CFF12598B31443D5BCE21E470

SHA1:

90CD8FE538C6EAE59AAB414182A6EEBB0B5ACE6E

SHA256:

2C8CB61F622F8C4C4BABC19EBF9FAD759D9913C4CA47AD393448C48BAD08D71A

SSDEEP:

6144:m1OgDPdkBAFZWjadD4sKxJHbyDOLgI7VDh1R1KiScfwVVM20HdTA:m1OgLdanVwOv7KiwiA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • WebCompanionInstaller.exe (PID: 3604)
      • WebCompanionInstaller.exe (PID: 1640)
      • WcInstaller.exe (PID: 3788)

    • Downloads executable files from the Internet

      • WebCompanionInstaller.exe (PID: 3604)

    • Loads dropped or rewritten executable

      • WebCompanionInstaller.exe (PID: 1640)

  • SUSPICIOUS

    • Creates files in the program directory

      • WebCompanionInstaller.exe (PID: 3604)

    • Creates files in the Windows directory

      • WebCompanionInstaller.exe (PID: 3604)

    • Executable content was dropped or overwritten

      • WebCompanionInstaller.exe (PID: 3604)
      • WcInstaller.exe (PID: 2916)
      • WcInstaller.exe (PID: 3788)

    • Executed as Windows Service

      • PresentationFontCache.exe (PID: 3076)

    • Creates files in the user directory

      • WebCompanionInstaller.exe (PID: 1640)

    • Reads internet explorer settings

      • WebCompanionInstaller.exe (PID: 1640)

    • Reads Internet Cache Settings

      • WebCompanionInstaller.exe (PID: 1640)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductName: Web Companion Installer
OriginalFileName: Installer.exe
LegalCopyright: c Lavasoft Limited. All Rights Reserved.
InternalName: Installer.exe
FileDescription: Web Companion Installer
CompanyName: Lavasoft
ProductVersion: 4.7.1987.3881
FileVersion: 4.7.1987.3881
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 4.7.1987.3881
FileVersionNumber: 4.7.1987.3881
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x14b04
UninitializedDataSize: -
InitializedDataSize: 58880
CodeSize: 104960
LinkerVersion: 6
PEType: PE32
TimeStamp: 2010:11:18 17:27:35+01:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start wcinstaller.exe no specs wcinstaller.exe webcompanioninstaller.exe wcinstaller.exe webcompanioninstaller.exe presentationfontcache.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2196"C:\Users\admin\AppData\Local\Temp\WcInstaller.exe" C:\Users\admin\AppData\Local\Temp\WcInstaller.exeexplorer.exe
User:
admin
Company:
Lavasoft
Integrity Level:
MEDIUM
Description:
Web Companion Installer
Exit code:
3221226540
Version:
4.7.1987.3881
2916"C:\Users\admin\AppData\Local\Temp\WcInstaller.exe" C:\Users\admin\AppData\Local\Temp\WcInstaller.exe
explorer.exe
User:
admin
Company:
Lavasoft
Integrity Level:
HIGH
Description:
Web Companion Installer
Exit code:
0
Version:
4.7.1987.3881
3604.\WebCompanionInstaller.exe --prodC:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\WebCompanionInstaller.exe
WcInstaller.exe
User:
admin
Company:
Lavasoft
Integrity Level:
HIGH
Description:
Web Companion
Exit code:
0
Version:
4.7.1987.3881
3788"C:\Users\admin\AppData\Local\Temp\wctmp_1097033925\WcInstaller.exe" --nanouniqueid=1565721500210 --prodC:\Users\admin\AppData\Local\Temp\wctmp_1097033925\WcInstaller.exe
WebCompanionInstaller.exe
User:
admin
Company:
Lavasoft
Integrity Level:
HIGH
Description:
Web Companion Installer
Version:
4.6.1974.3869
1640.\WebCompanionInstaller.exe --prod --nanouniqueid=1565721500210 --prodC:\Users\admin\AppData\Local\Temp\7zSB857.tmp\WebCompanionInstaller.exe
WcInstaller.exe
User:
admin
Company:
Lavasoft
Integrity Level:
HIGH
Description:
Web Companion
Version:
4.6.1974.3869
3076C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exeC:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exeservices.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
PresentationFontCache.exe
Version:
3.0.6920.4902 built by: NetFXw7
Total events
623
Read events
570
Write events
52
Delete events
1

Modification events

(PID) Process:(3604) WebCompanionInstaller.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3604) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Web Companion
Operation:writeName:MachineId
Value:
735550bb-0faf-aab3-c4f6-bbac563dacb9
(PID) Process:(3604) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3604) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3604) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3604) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3604) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3604) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3604) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3604) WebCompanionInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCompanionInstaller_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
25
Suspicious files
2
Text files
8
Unknown types
1

Dropped files

PID
Process
Filename
Type
3604WebCompanionInstaller.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new
MD5:
SHA256:
3604WebCompanionInstaller.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new
MD5:
SHA256:
2916WcInstaller.exeC:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\de-DE\WebCompanionInstaller.resources.dllexecutable
MD5:56074F8728FBBBF61D6FA5C7242364BD
SHA256:6102C31CD6A2225F2A8DC1A57695F8A5B44F77FA6B980504BCBBA5D2DD8B7346
2916WcInstaller.exeC:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\ICSharpCode.SharpZipLib.dllexecutable
MD5:56D0B6A1915B355D68C3E8D2AF082692
SHA256:F32175CD424F7F89FD1405C4E7D40F91FF1F3A647981B1852816ED84847CCB10
2916WcInstaller.exeC:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\zh-CHS\WebCompanionInstaller.resources.dllexecutable
MD5:7158CA8AE5B7AF947831F01E6EE23A9E
SHA256:CC0B2A00F9CDBCC1D2EE43326E79AFBF928E7A5A0B74DFD80C3913D28A2C03C1
2916WcInstaller.exeC:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\WebCompanionInstaller.exe.configxml
MD5:1D0D9D32FB69C7F2F33B4E56D93E2C6D
SHA256:C022A2B126C1BAD1774E7F9D3A5F50F30CB6B3758A2F870FC676160275F69EAC
2916WcInstaller.exeC:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\pt-BR\WebCompanionInstaller.resources.dllexecutable
MD5:EF47558677617BF746324D2A9A6CA9D4
SHA256:66287740E227E901D2FB923D29E72E92C9FA5976C7640974502E96EA18FF19F6
2916WcInstaller.exeC:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\WebCompanionInstaller.exeexecutable
MD5:983126D093D759ABE0A803043A870BFB
SHA256:14BD9A54ECFB6888500B1B419354BC79406433A563FCEC564B630C7B5FB12C3A
3788WcInstaller.exeC:\Users\admin\AppData\Local\Temp\7zSB857.tmp\WebCompanionInstaller.exe.configxml
MD5:1D0D9D32FB69C7F2F33B4E56D93E2C6D
SHA256:C022A2B126C1BAD1774E7F9D3A5F50F30CB6B3758A2F870FC676160275F69EAC
2916WcInstaller.exeC:\Users\admin\AppData\Local\Temp\7zS9F22.tmp\it-IT\WebCompanionInstaller.resources.dllexecutable
MD5:95C77760E59AE55D66EF3A4EC27196EA
SHA256:90A5882F805856905B377F16FA92A47BC72B881AAFB0EBD0D808C4A7782DC842
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
9
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1640
WebCompanionInstaller.exe
POST
200
64.18.87.82:80
http://wc-tracking.lavasoft.com/Install.asmx
CA
xml
294 b
whitelisted
3604
WebCompanionInstaller.exe
POST
200
64.18.87.82:80
http://wc-tracking.lavasoft.com/Install.asmx
CA
xml
294 b
whitelisted
3604
WebCompanionInstaller.exe
GET
200
104.18.88.101:80
http://wcdownloadercdn.lavasoft.com/4.6.1974.3869/WcInstaller.exe
US
executable
346 Kb
whitelisted
1640
WebCompanionInstaller.exe
GET
200
104.17.177.102:80
http://www.webcompanion.com/installer/consent_2?culture=en&hp=1&se=1
US
html
1.33 Kb
malicious
3604
WebCompanionInstaller.exe
POST
200
64.18.87.82:80
http://wc-update-service.lavasoft.com/update.asmx
CA
xml
1.45 Kb
whitelisted
1640
WebCompanionInstaller.exe
POST
200
64.18.87.82:80
http://wc-update-service.lavasoft.com/update.asmx
CA
xml
1.45 Kb
whitelisted
1640
WebCompanionInstaller.exe
GET
200
205.185.208.52:80
http://code.jquery.com/jquery-1.11.2.min.js
US
text
32.4 Kb
whitelisted
1640
WebCompanionInstaller.exe
GET
200
104.17.178.102:80
http://webcompanion.com/installer/css/styles.css?1565721530
US
text
928 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1640
WebCompanionInstaller.exe
104.17.177.102:80
www.webcompanion.com
Cloudflare Inc
US
shared
1640
WebCompanionInstaller.exe
104.17.178.102:80
www.webcompanion.com
Cloudflare Inc
US
shared
1640
WebCompanionInstaller.exe
64.18.87.82:80
wc-tracking.lavasoft.com
COGECODATA
CA
unknown
3604
WebCompanionInstaller.exe
64.18.87.82:80
wc-tracking.lavasoft.com
COGECODATA
CA
unknown
3604
WebCompanionInstaller.exe
104.18.88.101:80
wcdownloadercdn.lavasoft.com
Cloudflare Inc
US
shared
1640
WebCompanionInstaller.exe
205.185.208.52:80
code.jquery.com
Highwinds Network Group, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
wc-tracking.lavasoft.com
  • 64.18.87.82
  • 64.18.87.81
whitelisted
wc-update-service.lavasoft.com
  • 64.18.87.82
  • 64.18.87.81
whitelisted
wcdownloadercdn.lavasoft.com
  • 104.18.88.101
  • 104.18.87.101
whitelisted
www.webcompanion.com
  • 104.17.177.102
  • 104.17.178.102
malicious
webcompanion.com
  • 104.17.178.102
  • 104.17.177.102
malicious
code.jquery.com
  • 205.185.208.52
whitelisted

Threats

PID
Process
Class
Message
3604
WebCompanionInstaller.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3604
WebCompanionInstaller.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1640
WebCompanionInstaller.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
Process
Message
WebCompanionInstaller.exe
Detecting windows culture
WebCompanionInstaller.exe
8/13/2019 7:38:23 PM :-> Starting installer 4.7.1987.3881 with: .\WebCompanionInstaller.exe --prod, Run as admin: True
WebCompanionInstaller.exe
Detecting windows culture
WebCompanionInstaller.exe
8/13/2019 7:38:26 PM :-> Starting installer 4.6.1974.3869 with: .\WebCompanionInstaller.exe --prod --nanouniqueid=1565721500210 --prod, Run as admin: True
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
WcInstaller.exe