URL: http://stackpathdownload.wildgames.com/WildTangentHelperUpdate/WildTangentHelper-1.0.0.437.exe

Full analysis: https://app.any.run/tasks/dedc4ddf-5709-4aff-8e0a-c9410bbbae04
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 30, 2021, 16:26:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MD5: 76E3B343BEBE479C7EA10483CCDF7DB8
SHA1: D059C8AF9ECA5672E39457542F23756EE53D38DA
SHA256: 4DB77FC13840323EC44F729600AF436CFCF5800569E2AF9E936A50CCDCCB009F
SSDEEP: 3:N1KNR3rB5yRnBxELX0vQRfCLX0EdVt:CH3knsTRO/dVt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • WildTangentHelper-1.0.0.437.exe (PID: 556)
      • WildTangentHelper-1.0.0.437.exe (PID: 2364)
      • nsB151.tmp (PID: 3864)
      • nsB2AA.tmp (PID: 1892)
      • nsB402.tmp (PID: 2556)
      • nsB740.tmp (PID: 3692)
      • WildTangentHelperService.exe (PID: 2732)
      • WildTangentHelperService.exe (PID: 3440)
      • nsB915.tmp (PID: 1392)
      • nsC49F.tmp (PID: 928)
    • Drops executable file immediately after starts
      • WildTangentHelper-1.0.0.437.exe (PID: 556)
    • Loads dropped or rewritten executable
      • WildTangentHelper-1.0.0.437.exe (PID: 556)
    • Starts NET.EXE for service management
      • nsB2AA.tmp (PID: 1892)
      • nsB915.tmp (PID: 1392)
    • Changes settings of System certificates
      • WildTangentHelperService.exe (PID: 3440)
  • SUSPICIOUS
    • Drops a file with too old compile date
      • iexplore.exe (PID: 2528)
      • iexplore.exe (PID: 2504)
      • WildTangentHelper-1.0.0.437.exe (PID: 556)
    • Executable content was dropped or overwritten
      • iexplore.exe (PID: 2528)
      • WildTangentHelper-1.0.0.437.exe (PID: 556)
    • Creates a directory in Program Files
      • WildTangentHelper-1.0.0.437.exe (PID: 556)
    • Starts application with an unusual extension
      • WildTangentHelper-1.0.0.437.exe (PID: 556)
    • Drops a file that was compiled in debug mode
      • WildTangentHelper-1.0.0.437.exe (PID: 556)
    • Creates files in the program directory
      • WildTangentHelper-1.0.0.437.exe (PID: 556)
      • WildTangentHelperService.exe (PID: 2732)
    • Creates a software uninstall entry
      • WildTangentHelper-1.0.0.437.exe (PID: 556)
    • Uses TASKKILL.EXE to kill process
      • nsB402.tmp (PID: 2556)
    • Drops a file with a compile date too recent
      • WildTangentHelper-1.0.0.437.exe (PID: 556)
    • Executed as Windows Service
      • WildTangentHelperService.exe (PID: 3440)
    • Creates files in the user directory
      • WildTangentHelperService.exe (PID: 2732)
    • Starts SC.EXE for service management
      • nsC49F.tmp (PID: 928)
    • Creates files in the Windows directory
      • WildTangentHelperService.exe (PID: 3440)
    • Creates or modifies windows services
      • WildTangentHelperService.exe (PID: 3440)
    • Removes files from Windows directory
      • WildTangentHelperService.exe (PID: 3440)
    • Adds / modifies Windows certificates
      • WildTangentHelperService.exe (PID: 3440)
  • INFO
    • Changes settings of System certificates
      • iexplore.exe (PID: 2528)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2528)
      • WildTangentHelperService.exe (PID: 3440)
    • Modifies the phishing filter of IE
      • iexplore.exe (PID: 2528)
    • Application launched itself
      • iexplore.exe (PID: 2528)
    • Changes internet zones settings
      • iexplore.exe (PID: 2528)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 2528)
No Malware configuration.
No data.
Total processes: 64
Monitored processes: 18
Malicious processes: 3
Suspicious processes: 2

Behavior graph (interactive view in the full report; edges are labelled "drop and start" or "start"). Processes shown, keeping the report's "no specs" flag: iexplore.exe, iexplore.exe, wildtangenthelper-1.0.0.437.exe (no specs), wildtangenthelper-1.0.0.437.exe, nsb151.tmp (no specs), nsb2aa.tmp (no specs), net.exe (no specs), net1.exe (no specs), nsb402.tmp (no specs), taskkill.exe (no specs), nsb740.tmp (no specs), wildtangenthelperservice.exe, nsb915.tmp (no specs), net.exe (no specs), net1.exe (no specs), wildtangenthelperservice.exe, nsc49f.tmp (no specs), sc.exe (no specs).

Process information

PID: 2528
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://stackpathdownload.wildgames.com/WildTangentHelperUpdate/WildTangentHelper-1.0.0.437.exe
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2504
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2528 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2364
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\WildTangentHelper-1.0.0.437.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\WildTangentHelper-1.0.0.437.exe
Parent process: iexplore.exe
User: admin
Company: gamigo, Inc.
Integrity Level: MEDIUM
Description: WildTangentHelper
Exit code: 3221226540
Version: 1.0.0.437

PID: 556
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\WildTangentHelper-1.0.0.437.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\WildTangentHelper-1.0.0.437.exe
Parent process: iexplore.exe
User: admin
Company: gamigo, Inc.
Integrity Level: HIGH
Description: WildTangentHelper
Exit code: 0
Version: 1.0.0.437

PID: 3864
CMD: "C:\Users\admin\AppData\Local\Temp\nsfB140.tmp\nsB151.tmp" "C:\Program Files\WildTangent Games\Integration\WildTangentHelperService.exe" /LockService
Path: C:\Users\admin\AppData\Local\Temp\nsfB140.tmp\nsB151.tmp
Parent process: WildTangentHelper-1.0.0.437.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225501

PID: 1892
CMD: "C:\Users\admin\AppData\Local\Temp\nsfB140.tmp\nsB2AA.tmp" net stop wildtangenthelper
Path: C:\Users\admin\AppData\Local\Temp\nsfB140.tmp\nsB2AA.tmp
Parent process: WildTangentHelper-1.0.0.437.exe
User: admin
Integrity Level: HIGH
Exit code: 2

PID: 3304
CMD: net stop wildtangenthelper
Path: C:\Windows\system32\net.exe
Parent process: nsB2AA.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3796
CMD: C:\Windows\system32\net1 stop wildtangenthelper
Path: C:\Windows\system32\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2556
CMD: "C:\Users\admin\AppData\Local\Temp\nsfB140.tmp\nsB402.tmp" taskkill /fi "IMAGENAME eq WildTangentHelperService.exe" /t /f
Path: C:\Users\admin\AppData\Local\Temp\nsfB140.tmp\nsB402.tmp
Parent process: WildTangentHelper-1.0.0.437.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 1536
CMD: taskkill /fi "IMAGENAME eq WildTangentHelperService.exe" /t /f
Path: C:\Windows\system32\taskkill.exe
Parent process: nsB402.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 811
Read events: 648
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 27
Suspicious files: 30
Text files: 18
Unknown types: 9

Dropped files

PID: 2504
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\WildTangentHelper-1.0.0.437[1].exe
Type: (empty in report)
MD5: (empty in report)
SHA256: (empty in report)

PID: 2504
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\WildTangentHelper-1.0.0.437.exe.lnumaz7.partial
Type: (empty in report)
MD5: (empty in report)
SHA256: (empty in report)

PID: 2528
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF8DD285A64AF8EB0F.TMP
Type: (empty in report)
MD5: (empty in report)
SHA256: (empty in report)

PID: 2528
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\WildTangentHelper-1.0.0.437.exe.lnumaz7.partial:Zone.Identifier
Type: (empty in report)
MD5: (empty in report)
SHA256: (empty in report)

PID: 556
Process: WildTangentHelper-1.0.0.437.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfB140.tmp\nsB151.tmp
Type: executable
MD5: 279BAA18BA64F9C8A8FFB91CD4C53469
SHA256: 9DAE470D35319ED412EE4B4F636AFCA5C3F4F5012D9D9F88255E8A24CA803C46

PID: 556
Process: WildTangentHelper-1.0.0.437.exe
Filename: C:\Program Files\WildTangent Games\Integration\HelperUpdater.new
Type: executable
MD5: 0B7706BDE8651CAEE9968F9319793255
SHA256: FFA86DABA7317EC49FE2C186F54FB0D5392D84BEBE7AD5B836255A2B0C0892D4

PID: 556
Process: WildTangentHelper-1.0.0.437.exe
Filename: C:\Program Files\WildTangent Games\Integration\GameLauncherDllx64.new
Type: executable
MD5: 1516A7DD670C30F386826022B8E7527C
SHA256: DA2FBC0BC3DE0B7DFA5F40D05AF4F372580248D42B822DA0740CDA39943D45B5

PID: 556
Process: WildTangentHelper-1.0.0.437.exe
Filename: C:\Program Files\WildTangent Games\Integration\uninstaller.new
Type: executable
MD5: 08304FE47722E2E0979109D30D7274DF
SHA256: 8930A1CE709BA7B100BE6E649B64DDAC67E1800FFF9D37641200FD2796EECA64

PID: 2528
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\WildTangentHelper-1.0.0.437.exe
Type: executable
MD5: BDED9C3ACBC05C8DC6CF6E1AB46595DF
SHA256: 0D56B010BB9C12B7BA02A3941E84548F3F97BC026657386FFA2C4A9939A82162

PID: 556
Process: WildTangentHelper-1.0.0.437.exe
Filename: C:\Program Files\WildTangent Games\Integration\GameLauncherx64.new
Type: executable
MD5: DF27ECFBE5E034E5A323CDC12264FC66
SHA256: AE52D75E3E8CF9F444B4F08B5B447167AC8B05F4393F65D6A851B0187EDB917D
HTTP(S) requests: 8
TCP/UDP connections: 20
DNS requests: 12
Threats: 0

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation

PID 3440, WildTangentHelperService.exe: GET 200, 151.139.128.14:80, http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D, CN: US, type: der, size: 727 b, reputation: whitelisted

PID 2504, iexplore.exe: GET 200, 151.139.241.10:80, http://stackpathdownload.wildgames.com/WildTangentHelperUpdate/WildTangentHelper-1.0.0.437.exe, CN: US, type: executable, size: 3.13 Mb, reputation: suspicious

PID 3440, WildTangentHelperService.exe: GET 200, 13.32.23.96:80, http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D, CN: US, type: der, size: 1.70 Kb, reputation: whitelisted

PID 3440, WildTangentHelperService.exe: GET 200, 13.32.23.204:80, http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D, CN: US, type: der, size: 1.51 Kb, reputation: whitelisted

PID 2528, iexplore.exe: GET 200, 93.184.220.29:80, http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D, CN: US, type: der, size: 471 b, reputation: whitelisted

PID 2528, iexplore.exe: GET 200, 93.184.220.29:80, http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D, CN: US, type: der, size: 471 b, reputation: whitelisted

PID 3440, WildTangentHelperService.exe: GET 200, 13.32.23.89:80, http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D, CN: US, type: der, size: 1.39 Kb, reputation: shared

PID 2528, iexplore.exe: GET 200, 93.184.220.29:80, http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D, CN: US, type: der, size: 471 b, reputation: whitelisted

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation

PID 3440, WildTangentHelperService.exe: 205.185.216.10:80, www.download.windowsupdate.com, ASN: Highwinds Network Group, Inc., CN: US, reputation: whitelisted
PID 2528, iexplore.exe: 152.199.19.161:443, iecvlist.microsoft.com, ASN: MCI Communications Services, Inc. d/b/a Verizon Business, CN: US, reputation: whitelisted
PID 3440, WildTangentHelperService.exe: 143.204.202.10:443, clientservices.wildtangent.com, ASN: (empty in report), CN: US, reputation: suspicious
PID 3440, WildTangentHelperService.exe: 151.139.128.14:80, ocsp.usertrust.com, ASN: Highwinds Network Group, Inc., CN: US, reputation: suspicious
PID 2528, iexplore.exe: 93.184.220.29:80, ocsp.digicert.com, ASN: MCI Communications Services, Inc. d/b/a Verizon Business, CN: US, reputation: whitelisted
PID 3440, WildTangentHelperService.exe: 151.139.241.4:443, onlinecheck.wildtangent.com, ASN: netDNA, CN: US, reputation: unknown
PID 2504, iexplore.exe: 151.139.241.10:80, stackpathdownload.wildgames.com, ASN: netDNA, CN: US, reputation: suspicious
PID 3440, WildTangentHelperService.exe: 13.32.23.204:80, ocsp.rootg2.amazontrust.com, ASN: Amazon.com, Inc., CN: US, reputation: whitelisted
PID 3440, WildTangentHelperService.exe: 13.32.23.89:80, ocsp.rootg2.amazontrust.com, ASN: Amazon.com, Inc., CN: US, reputation: whitelisted
PID 3440, WildTangentHelperService.exe: 13.32.23.96:80, o.ss2.us, ASN: Amazon.com, Inc., CN: US, reputation: unknown

DNS requests

Columns: Domain, IP(s), Reputation

stackpathdownload.wildgames.com: 151.139.241.10 (suspicious)
onlinecheck.wildtangent.com: 151.139.241.4 (suspicious)
www.download.windowsupdate.com: 205.185.216.10, 205.185.216.42 (whitelisted)
ocsp.usertrust.com: 151.139.128.14 (whitelisted)
iecvlist.microsoft.com: 152.199.19.161 (whitelisted)
r20swj13mr.microsoft.com: 152.199.19.161 (whitelisted)
ocsp.sectigo.com: 151.139.128.14 (whitelisted)
ocsp.digicert.com: 93.184.220.29 (whitelisted)
clientservices.wildtangent.com: 143.204.202.10, 143.204.202.28, 143.204.202.42, 143.204.202.105 (whitelisted)
o.ss2.us: 13.32.23.96, 13.32.23.16, 13.32.23.104, 13.32.23.215 (whitelisted)

Threats

Columns: PID, Process, Class, Message

PID 2504, iexplore.exe, Potential Corporate Privacy Violation: ET POLICY PE EXE or DLL Windows file download HTTP
PID 2504, iexplore.exe, Misc activity: ET INFO EXE - Served Attached HTTP
Process / Message

WildTangentHelper-1.0.0.437.exe: WTHelperInstallUninstall :: ---------------------------Start Install---------------------------
WildTangentHelper-1.0.0.437.exe: WTHelperInstallUninstall :: Delete obsolete files
WildTangentHelper-1.0.0.437.exe: WTHelperInstallUninstall :: Delete any .bak files
WildTangentHelper-1.0.0.437.exe: WTHelperInstallUninstall :: Delete any .new files
WildTangentHelper-1.0.0.437.exe: WTHelperInstallUninstall :: Place all .new files
WildTangentHelper-1.0.0.437.exe: WTHelperInstallUninstall :: Stopping WTHelper
WildTangentHelper-1.0.0.437.exe: WTHelperInstallUninstall :: StopWTHelperWait : Begin
WildTangentHelper-1.0.0.437.exe: WTHelperInstallUninstall :: StopWTHelperWait : End
WildTangentHelper-1.0.0.437.exe: WTHelperInstallUninstall :: RetryRenameFiles() : Returning true - complete w/o errors
WildTangentHelper-1.0.0.437.exe: WTHelperInstallUninstall :: File operations completed successfully