File name: wcupdater.exe.zip
Full analysis: https://app.any.run/tasks/64b6d8a8-34b0-4f06-a1be-cc3715a2a944
Verdict: Malicious activity
Analysis date: October 14, 2019, 17:13:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware, pua, lavasoft
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: EB2324F88F052366A21CCC8D7025EF55
SHA1: 580917FF4F699FC3A7CA488EA5C7D2549E094783
SHA256: 517EA4284B27CA36F7130E8D0D9831CD7B2DCD220FD3AD7BA3B7257FA1A59B36
SSDEEP: 12288:bsdeY1xpCLQcETNUPCv98qguisAtUQ9XprlAEG3:Id5CLyThxMLAEK
ANY.RUN is an interactive service that gives the analyst full access to the guest system, so the information in this report may have been influenced by user actions in the VM; it is provided as is. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • wcupdater.exe (PID: 1212)
      • wcupdater.exe (PID: 1296)
      • GenericSetup.exe (PID: 4092)
      • installer.exe (PID: 2824)
      • wcupdater.exe (PID: 3360)
      • installer.exe (PID: 3008)
      • wcupdater.exe (PID: 2620)
      • installer.exe (PID: 4028)
      • GenericSetup.exe (PID: 3996)
      • installer.exe (PID: 932)
      • wcupdater.exe (PID: 1248)
      • installer.exe (PID: 2684)
      • GenericSetup.exe (PID: 3448)
    • Loads dropped or rewritten executable
      • GenericSetup.exe (PID: 4092)
      • GenericSetup.exe (PID: 3996)
      • GenericSetup.exe (PID: 3448)
    • LAVASOFT was detected
      • installer.exe (PID: 2824)
      • installer.exe (PID: 932)
      • installer.exe (PID: 2684)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • wcupdater.exe (PID: 1212)
      • WinRAR.exe (PID: 2576)
      • wcupdater.exe (PID: 1296)
      • wcupdater.exe (PID: 3360)
      • wcupdater.exe (PID: 1248)
    • Reads Environment values
      • GenericSetup.exe (PID: 4092)
      • GenericSetup.exe (PID: 3996)
      • GenericSetup.exe (PID: 3448)
    • Reads the Windows organization settings
      • GenericSetup.exe (PID: 4092)
      • GenericSetup.exe (PID: 3996)
      • GenericSetup.exe (PID: 3448)
    • Reads Windows owner or organization settings
      • GenericSetup.exe (PID: 4092)
      • GenericSetup.exe (PID: 3996)
      • GenericSetup.exe (PID: 3448)
    • Searches for installed software
      • GenericSetup.exe (PID: 4092)
      • GenericSetup.exe (PID: 3448)
      • GenericSetup.exe (PID: 3996)
  • INFO
    • Manual execution by user
      • wcupdater.exe (PID: 1212)
      • wcupdater.exe (PID: 1296)
      • wcupdater.exe (PID: 3360)
      • wcupdater.exe (PID: 2620)
      • wcupdater.exe (PID: 1248)
      • WINWORD.EXE (PID: 3336)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3336)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3336)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: 0x0009 (general-purpose flag bits 0 and 3 set: traditional PKWARE encryption, and CRC/sizes also written in a data descriptor after the member data)
ZipCompression: Deflated
ZipModifyDate: 2017:05:12 19:37:29
ZipCRC: 0xc54e3b2b
ZipCompressedSize: 642330
ZipUncompressedSize: 729368
ZipFileName: wcupdater.exe
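The EXIF fields above are a straight read of the ZIP local file header. The following is an added example, not part of the ANY.RUN report or of any adaware/Lavasoft code: it decodes those same fields (version, bit flag, compression, modify date, CRC, sizes, member name) from raw header bytes, cross-checks each local header against the central directory, and verifies the CRC of the inflated payload. The archive it inspects is constructed in the script as a stand-in for wcupdater.exe.zip; the member name and timestamp are copied from the report, the payload bytes are invented.

```python
"""Added example (not from the ANY.RUN report): read ZIP local file header
fields the way the EXIF block lists them, decode the bit flag, and check the
local header against the central directory and the payload CRC."""
import hashlib
import io
import struct
import zipfile
import zlib
from datetime import datetime

LOCAL_FMT = "<4sHHHHHIIIHH"  # sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen
COMPRESSION = {0: "Stored", 8: "Deflated", 12: "BZIP2", 14: "LZMA"}
# General-purpose bit flag (ZIP APPNOTE 4.4.4): bit 0 = traditional PKWARE encryption,
# bit 3 = CRC and sizes follow the payload in a data descriptor.
FLAG_BITS = {0: "encrypted", 3: "data descriptor", 6: "strong encryption", 11: "UTF-8 names"}


def decode_flags(flags: int) -> list:
    return [name for bit, name in FLAG_BITS.items() if flags & (1 << bit)]


def dos_to_datetime(dos_time: int, dos_date: int) -> datetime:
    """MS-DOS packed time/date as stored in ZIP headers (2-second resolution)."""
    return datetime(1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
                    dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def parse_local_header(data: bytes, offset: int) -> dict:
    """Decode one local file header at `offset`, keyed like the ExifTool ZIP tags."""
    sig, ver, flags, method, mtime, mdate, crc, csize, usize, nlen, xlen = \
        struct.unpack_from(LOCAL_FMT, data, offset)
    if sig != b"PK\x03\x04":
        raise ValueError(f"no local file header at offset {offset}")
    name_start = offset + struct.calcsize(LOCAL_FMT)
    return {
        "ZipRequiredVersion": ver,
        "ZipBitFlag": flags,
        "ZipFlagNames": decode_flags(flags),
        "ZipCompression": COMPRESSION.get(method, f"method {method}"),
        "ZipModifyDate": dos_to_datetime(mtime, mdate),
        "ZipCRC": crc,
        "ZipCompressedSize": csize,
        "ZipUncompressedSize": usize,
        "ZipFileName": data[name_start:name_start + nlen].decode("cp437"),
        "_data_offset": name_start + nlen + xlen,
    }


def audit_zip(data: bytes) -> list:
    """Per member: local header fields, local-vs-central mismatches, CRC result, SHA-256.

    Extractors and scanners do not all read the same header, so an archive whose
    local header disagrees with its central directory can show one tool a different
    file than another; the disagreement itself is reported as a finding.
    """
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            local = parse_local_header(data, info.header_offset)
            mismatches = []
            if local["ZipFileName"] != info.filename:
                mismatches.append(f"name local={local['ZipFileName']!r} central={info.filename!r}")
            if not local["ZipBitFlag"] & 0x8:  # with bit 3 set the local CRC/sizes are legitimately 0
                for key, central in (("ZipCRC", info.CRC), ("ZipCompressedSize", info.compress_size),
                                     ("ZipUncompressedSize", info.file_size)):
                    if local[key] != central:
                        mismatches.append(f"{key} local={local[key]} central={central}")
            local.update(mismatches=mismatches, crc_ok=None, sha256=None)
            if not local["ZipBitFlag"] & 0x1:  # an encrypted member cannot be inflated without the key
                start = local["_data_offset"]
                raw = data[start:start + info.compress_size]
                payload = zlib.decompress(raw, -15) if info.compress_type == zipfile.ZIP_DEFLATED else raw
                local["crc_ok"] = (zlib.crc32(payload) & 0xFFFFFFFF) == info.CRC
                local["sha256"] = sha256_hex(payload)
            report.append(local)
    return report


# Constructed stand-in for wcupdater.exe.zip: invented payload, report's member name and mtime.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 4096 + b"This program cannot be run in DOS mode."


def build_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zi = zipfile.ZipInfo("wcupdater.exe", date_time=(2017, 5, 12, 19, 37, 29))
        zi.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(zi, SAMPLE_PAYLOAD)
    return buf.getvalue()


def forge_local_size(data: bytes, header_offset: int, fake_size: int) -> bytes:
    """Tamper only the local header's uncompressed size (bytes 22..25) to exercise the cross-check."""
    pos = header_offset + 22
    return data[:pos] + struct.pack("<I", fake_size) + data[pos + 4:]


if __name__ == "__main__":
    archive = build_sample()
    for entry in audit_zip(archive) + audit_zip(forge_local_size(archive, 0, 1)):
        print({k: v for k, v in entry.items() if not k.startswith("_")})
```

Run against a real archive with `audit_zip(open(path, "rb").read())`. The ZipModifyDate comes back as 19:37:28 rather than :29 because DOS timestamps only carry even seconds; the sample on the page shows :29 because ExifTool reports whatever the creating tool stored, and the odd second there is worth noting when correlating with file system timestamps. ZipBitFlag 0x0009 decodes to encrypted plus data descriptor, so for the real sample the payload check would be skipped unless the password were supplied.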
All screenshots are available in the full report
Total processes: 54
Monitored processes: 15
Malicious processes: 10
Suspicious processes: 0

Behavior graph

(Interactive graph, available in the full report. Its nodes: winrar.exe; five "drop and start" runs of wcupdater.exe, each spawning installer.exe (three of them tagged #LAVASOFT) and, in three cases, genericsetup.exe; and a separate winword.exe node.)

Process information

PID: 2576
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\wcupdater.exe.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 1212
CMD: "C:\Users\admin\Desktop\wcupdater.exe"
Path: C:\Users\admin\Desktop\wcupdater.exe
Parent process: explorer.exe
User: admin
Company: adaware
Integrity Level: MEDIUM
Description: WebCompanion
Exit code: 0
Version: 1.7.0.0

PID: 2824
CMD: .\installer.exe
Path: C:\Users\admin\AppData\Local\Temp\7zSCB4DEDF9\installer.exe
Parent process: wcupdater.exe
User: admin
Company: adaware
Integrity Level: MEDIUM
Description: adaware installer
Exit code: 0
Version: 1.7.0.116

PID: 4092
CMD: "C:\Users\admin\AppData\Local\Temp\7zSCB4DEDF9\GenericSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\7zSCB4DEDF9\GenericSetup.exe
Parent process: installer.exe
User: admin
Company: adaware
Integrity Level: MEDIUM
Description: GenericSetup
Exit code: 0
Version: 1.7.0.116

PID: 1296
CMD: "C:\Users\admin\Desktop\wcupdater.exe"
Path: C:\Users\admin\Desktop\wcupdater.exe
Parent process: explorer.exe
User: admin
Company: adaware
Integrity Level: MEDIUM
Description: WebCompanion
Exit code: 0
Version: 1.7.0.0

PID: 3008
CMD: .\installer.exe
Path: C:\Users\admin\AppData\Local\Temp\7zS0157DCD9\installer.exe
Parent process: wcupdater.exe
User: admin
Company: adaware
Integrity Level: MEDIUM
Description: adaware installer
Exit code: 0
Version: 1.7.0.116

PID: 2620
CMD: "C:\Users\admin\Desktop\wcupdater.exe"
Path: C:\Users\admin\Desktop\wcupdater.exe
Parent process: explorer.exe
User: admin
Company: adaware
Integrity Level: MEDIUM
Description: WebCompanion
Exit code: 0
Version: 1.7.0.0

PID: 4028
CMD: .\installer.exe
Path: C:\Users\admin\AppData\Local\Temp\7zSC3AEEA3A\installer.exe
Parent process: wcupdater.exe
User: admin
Company: adaware
Integrity Level: MEDIUM
Description: adaware installer
Exit code: 0
Version: 1.7.0.116

PID: 3360
CMD: "C:\Users\admin\Desktop\wcupdater.exe"
Path: C:\Users\admin\Desktop\wcupdater.exe
Parent process: explorer.exe
User: admin
Company: adaware
Integrity Level: MEDIUM
Description: WebCompanion
Exit code: 0
Version: 1.7.0.0

PID: 932
CMD: .\installer.exe
Path: C:\Users\admin\AppData\Local\Temp\7zS02D6DDBA\installer.exe
Parent process: wcupdater.exe
User: admin
Company: adaware
Integrity Level: MEDIUM
Description: adaware installer
Exit code: 0
Version: 1.7.0.116
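The process table shows the same chain five times: explorer.exe starts wcupdater.exe from the Desktop, which unpacks into a fresh %TEMP% folder named 7zS plus eight hex digits (the extraction directory used by 7-Zip self-extracting installers) and runs installer.exe from there, which in turn starts GenericSetup.exe. The following is an added example, not from the ANY.RUN report or from adaware: it replays process-creation and file-write events, rebuilds the tree, and re-derives two of the findings above ("Application was dropped or rewritten from another process" and execution from a 7zS<hex> folder). The events are constructed from the PIDs and paths in the table for the first run (2576, 1212, 2824, 4092) plus WINWORD.EXE (3336) as a benign control; the PID and path of explorer.exe and the path of WINWORD.EXE are assumptions, since the report does not give them.

```python
"""Added example (not from the ANY.RUN report): rebuild a process tree from
ordered process/file events and flag dropped-then-executed images and images
running from a 7-Zip SFX extraction folder under %TEMP%."""
import re
from dataclasses import dataclass, field
from typing import Optional

# 7-Zip SFX stubs unpack into %TEMP%\7zS + 8 hex digits (7zSCB4DEDF9 and friends in the report).
SFX_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\7zS[0-9A-F]{8}\\", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    dropped_by: Optional[int] = None      # pid that wrote this image file before it was executed
    children: list = field(default_factory=list)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def build_tree(events: list) -> dict:
    """Replay ordered events: a 'file' event records who last wrote a path, a 'process'
    event links the child to its parent and to whoever dropped its image (if anyone)."""
    procs, last_writer = {}, {}
    for ev in events:
        if ev["type"] == "file":
            last_writer[ev["path"].lower()] = ev["pid"]
        else:
            p = Proc(ev["pid"], ev["ppid"], ev["image"], last_writer.get(ev["image"].lower()))
            procs[p.pid] = p
            if p.ppid in procs:
                procs[p.ppid].children.append(p.pid)
    return procs


def ancestry(procs: dict, pid: int) -> str:
    """Root-to-leaf chain such as 'explorer.exe > wcupdater.exe > installer.exe > GenericSetup.exe'."""
    names, seen = [], set()
    while pid in procs and pid not in seen:   # `seen` guards against PID reuse loops
        seen.add(pid)
        names.append(basename(procs[pid].image))
        pid = procs[pid].ppid
    return " > ".join(reversed(names))


def findings(procs: dict) -> list:
    """One entry per process that was dropped before running or runs from a 7zS<hex> folder."""
    out = []
    for p in procs.values():
        reasons = []
        if p.dropped_by is not None:
            writer = procs.get(p.dropped_by)
            who = basename(writer.image) if writer else "exited process"
            reasons.append(f"image written by pid {p.dropped_by} ({who}) before execution")
        if SFX_TEMP_DIR.search(p.image):
            reasons.append("runs from a 7zS<hex> self-extractor temp folder")
        if reasons:
            out.append({"pid": p.pid, "image": basename(p.image),
                        "chain": ancestry(procs, p.pid), "reasons": reasons})
    return out


TEMP = r"C:\Users\admin\AppData\Local\Temp"
# Constructed from the report's first wcupdater.exe run plus WINWORD.EXE as a control.
# explorer.exe's PID/path and the WINWORD.EXE path are assumptions. Not captured telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1000, "ppid": 0, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 2576, "ppid": 1000, "image": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"type": "file", "pid": 2576, "path": r"C:\Users\admin\Desktop\wcupdater.exe"},
    {"type": "process", "pid": 1212, "ppid": 1000, "image": r"C:\Users\admin\Desktop\wcupdater.exe"},
    {"type": "file", "pid": 1212, "path": TEMP + r"\7zSCB4DEDF9\installer.exe"},
    {"type": "file", "pid": 1212, "path": TEMP + r"\7zSCB4DEDF9\GenericSetup.exe"},
    {"type": "file", "pid": 1212, "path": TEMP + r"\7zSCB4DEDF9\DevLib.dll"},
    {"type": "process", "pid": 2824, "ppid": 1212, "image": TEMP + r"\7zSCB4DEDF9\installer.exe"},
    {"type": "process", "pid": 4092, "ppid": 2824, "image": TEMP + r"\7zSCB4DEDF9\GenericSetup.exe"},
    {"type": "process", "pid": 3336, "ppid": 1000, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
]

if __name__ == "__main__":
    for hit in findings(build_tree(SAMPLE_EVENTS)):
        print(hit["pid"], hit["chain"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Two points the output makes visible: GenericSetup.exe (4092) was written by wcupdater.exe (1212), not by its own parent installer.exe (2824), so a "dropped by parent" check alone would miss it, which is why the writer lookup is global rather than parent-only; and WinRAR.exe is what wrote wcupdater.exe to the Desktop, matching the report's "Executable content was dropped or overwritten" entry for PID 2576, while WinRAR and WINWORD themselves produce no finding.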
Total events: 10 421
Read events: 10 046
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 21
Suspicious files: 0
Text files: 39
Unknown types: 4

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2620 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zSC3AEEA3A\GenericSetup.exe | | |
2620 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zSC3AEEA3A\installer.exe | | |
2620 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zSC3AEEA3A\DevLib.dll | | |
2620 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zSC3AEEA3A\en\DevLib.resources.dll | | |
2620 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zSC3AEEA3A\fr\DevLib.resources.dll | | |
1212 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zSCB4DEDF9\DevLib.dll | executable | 25580DB794E9EC64041D5E6812FFF9FD | 47733A5820D1292FD1035B8389E19153AD52B0F1C0360B15977CA98FF4F45EB4
1296 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zS0157DCD9\BundleConfig.xml | text | 37FB1F4F67829A62A60D8C714B35600E | 67044B37218861A0C31C05A00EB762BEEEAA660C89B5E162566C6D5926D13FF6
1212 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zSCB4DEDF9\BundleConfig.xml | text | 37FB1F4F67829A62A60D8C714B35600E | 67044B37218861A0C31C05A00EB762BEEEAA660C89B5E162566C6D5926D13FF6
2824 | installer.exe | C:\Users\admin\AppData\Local\Temp\7zSCB4DEDF9\2019.10.14_18.14.28.831625_installer_pid=2824.txt | | |
1212 | wcupdater.exe | C:\Users\admin\AppData\Local\Temp\7zSCB4DEDF9\fr\DevLib.resources.dll | executable | 0EC41D99A55A3D6403EC9607B296DC3C | BF5F114D1BEC733335D511AF7324F57199931E4A8808C0AA902869781D59BCF9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 20
TCP/UDP connections: 10
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3448 | GenericSetup.exe | POST | | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleProposedOffers | US | | | whitelisted
4092 | GenericSetup.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallComplete | US | text | 29 b | whitelisted
932 | installer.exe | POST | 200 | 104.18.87.101:80 | http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart | US | text | 29 b | whitelisted
4092 | GenericSetup.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOffersApproved | US | text | 29 b | whitelisted
932 | installer.exe | POST | 200 | 104.18.87.101:80 | http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart | US | text | 29 b | whitelisted
2824 | installer.exe | POST | 200 | 104.18.87.101:80 | http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart | US | text | 29 b | whitelisted
3996 | GenericSetup.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleProposedOffers | US | text | 29 b | whitelisted
4092 | GenericSetup.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallStart | US | text | 29 b | whitelisted
3448 | GenericSetup.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallStart | US | text | 29 b | whitelisted
2684 | installer.exe | POST | 200 | 104.18.87.101:80 | http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart | US | text | 29 b | whitelisted
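Every request in the table is a telemetry POST to flow.lavasoft.com whose Type parameter names a stage of the bundle-offer flow (StubStart, StubBundleStart, BundleProposedOffers, BundleOffersApproved, BundleInstallStart, BundleInstallComplete). Note the two path spellings: installer.exe posts to /v1/event-stat?…, GenericSetup.exe to /v1/event-stat/?…, so a rule that matches the literal string "/v1/event-stat?" sees only the installer.exe half. The following is an added example, not from the ANY.RUN report or from Lavasoft: it parses the beacons, normalises the path, and reconstructs per process how far the funnel got. The log lines are constructed from the table's rows in the order listed there (which, as the table shows, is not chronological), so the funnel is derived from the stage names rather than from line order; the stage ordering itself is an assumption read off the event names.

```python
"""Added example (not from the ANY.RUN report): parse event-stat beacons,
normalise the trailing-slash path variant, and reconstruct the install
funnel per process."""
from urllib.parse import parse_qs, urlsplit

BEACON_HOST = "flow.lavasoft.com"
BEACON_PATH = "/v1/event-stat"
# Assumed funnel order, read off the event names: stub start -> bundle start ->
# offers shown -> offers approved -> install start -> install complete.
STAGES = ["StubStart", "StubBundleStart", "BundleProposedOffers",
          "BundleOffersApproved", "BundleInstallStart", "BundleInstallComplete"]

# Constructed from the report's HTTP table: "pid process method url", order as listed.
SAMPLE_LOG = """\
3448 GenericSetup.exe POST http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleProposedOffers
4092 GenericSetup.exe POST http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallComplete
932 installer.exe POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart
4092 GenericSetup.exe POST http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOffersApproved
932 installer.exe POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart
2824 installer.exe POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart
3996 GenericSetup.exe POST http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleProposedOffers
4092 GenericSetup.exe POST http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallStart
3448 GenericSetup.exe POST http://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallStart
2684 installer.exe POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart
"""


def parse_beacon(line: str):
    """'pid process method url' -> dict, or None when the line is not an event-stat beacon."""
    pid, process, method, url = line.split(maxsplit=3)
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"      # fold /v1/event-stat/ and /v1/event-stat together
    if parts.hostname != BEACON_HOST or path != BEACON_PATH:
        return None
    q = parse_qs(parts.query)
    return {"pid": int(pid), "process": process, "method": method, "path": path,
            "product": q.get("ProductID", [""])[0], "event": q.get("Type", [""])[0]}


def naive_hits(lines, needle: str = "/v1/event-stat?") -> int:
    """What a literal-substring rule would match: it misses the trailing-slash variant."""
    return sum(1 for line in lines if needle in line)


def funnel(lines) -> dict:
    """Per PID: process name, stages seen (in funnel order, unknown names last), furthest stage."""
    per_pid = {}
    for line in lines:
        beacon = parse_beacon(line)
        if beacon is None:
            continue
        entry = per_pid.setdefault(beacon["pid"], {"process": beacon["process"], "events": set()})
        entry["events"].add(beacon["event"])
    for entry in per_pid.values():
        known = [s for s in STAGES if s in entry["events"]]
        unknown = sorted(entry["events"] - set(STAGES))
        entry["events"] = known + unknown
        entry["furthest"] = known[-1] if known else None
    return per_pid


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("literal '/v1/event-stat?' matches:", naive_hits(lines), "of", len(lines))
    for pid, entry in sorted(funnel(lines).items()):
        print(pid, entry["process"], "->", entry["furthest"], entry["events"])
```

On the page's data the literal match catches 4 of the 10 beacons, while host-plus-normalised-path matching catches all 10; per process, only PID 4092 reaches BundleInstallComplete, 3448 stops at BundleInstallStart and 3996 at BundleProposedOffers, which is consistent with the three GenericSetup.exe runs having different outcomes. Real proxy or Zeek logs carry timestamps; with those, sort by time before calling `funnel` and the stage order can be checked rather than assumed.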

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2824 | installer.exe | 104.18.87.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared
4092 | GenericSetup.exe | 104.18.88.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared
4092 | GenericSetup.exe | 104.16.235.79:443 | sos.adaware.com | Cloudflare Inc | US | shared
3996 | GenericSetup.exe | 104.16.235.79:443 | sos.adaware.com | Cloudflare Inc | US | shared
932 | installer.exe | 104.18.87.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared
3996 | GenericSetup.exe | 104.18.88.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared
3448 | GenericSetup.exe | 104.16.235.79:443 | sos.adaware.com | Cloudflare Inc | US | shared
2684 | installer.exe | 104.18.87.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared
3448 | GenericSetup.exe | 104.18.88.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared

DNS requests

Domain | IP | Reputation
www.google.com | 216.58.208.36 | whitelisted
sos.adaware.com | 104.16.235.79, 104.16.236.79 | whitelisted
flow.lavasoft.com | 104.18.87.101, 104.18.88.101 | whitelisted

Threats

PID | Process | Class | Message
2824 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install
932 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install
2684 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install
No debug info