analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

WeMod-Setup.exe

Full analysis: https://app.any.run/tasks/cec49a49-9421-4f8a-b8b7-031280292fa2
Verdict: Malicious activity
Analysis date: November 08, 2019, 15:24:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

E0BF99717F74E9E01BED819CEE22D905

SHA1:

AC805270F760A0041F3ECB2448C32C9886EF6739

SHA256:

7BCBC8329A84A0986D24EC8F93AF8FBEC48D928F4406DD03DFFDBB34F1D8BB30

SSDEEP:

1536:uP3C75n6UGB8M/kLu9qtz5IsH6aEu4afE91rkc3/oclgRV905bPy+9G:8Sx6UG+Fu9qwIXfE/kc3/ov2e+9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Update.exe (PID: 1316)
      • Update.exe (PID: 1944)
      • Update.exe (PID: 3452)
      • Squirrel.exe (PID: 3492)
      • Update.exe (PID: 2844)

    • Loads dropped or rewritten executable

      • WeMod.exe (PID: 2276)
      • WeMod.exe (PID: 3964)
      • WeMod.exe (PID: 2660)
      • WeMod.exe (PID: 520)
      • WeMod.exe (PID: 2248)

  • SUSPICIOUS

    • Creates files in the user directory

      • WeMod-Setup.exe (PID: 1896)
      • Update.exe (PID: 1316)
      • WeMod.exe (PID: 3964)

    • Creates a software uninstall entry

      • Update.exe (PID: 1944)

    • Reads Environment values

      • Update.exe (PID: 1944)
      • Update.exe (PID: 2844)

    • Application launched itself

      • WeMod.exe (PID: 3964)
      • WeMod.exe (PID: 2660)

    • Executable content was dropped or overwritten

      • Squirrel.exe (PID: 3492)
      • WeMod-6.2.7[1].exe (PID: 3856)
      • Update.exe (PID: 1944)

    • Modifies the open verb of a shell class

      • WeMod.exe (PID: 3964)

  • INFO

    • Reads the hosts file

      • WeMod.exe (PID: 2660)
      • WeMod.exe (PID: 3964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

ProductVersion: 5.0.0.0
ProductName: WeMod
LegalCopyright: Copyright (C) 2018
FileVersion: 5.0.0.0
FileDescription: WeMod Setup
CompanyName: Daring Development Inc.
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 5.0.0.0
FileVersionNumber: 5.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x20950
UninitializedDataSize: 77824
InitializedDataSize: 16384
CodeSize: 53248
LinkerVersion: 14.15
PEType: PE32
TimeStamp: 2018:09:27 04:43:27+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 27-Sep-2018 02:43:27
Detected languages:
  • English - United States
CompanyName: Daring Development Inc.
FileDescription: WeMod Setup
FileVersion: 5.0.0.0
LegalCopyright: Copyright (C) 2018
ProductName: WeMod
ProductVersion: 5.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 27-Sep-2018 02:43:27
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
UPX0
0x00001000
0x00013000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
UPX1
0x00014000
0x0000D000
0x0000CC00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.91245
.rsrc
0x00021000
0x00004000
0x00003800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.67704

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.14523
1556
UNKNOWN
English - United States
RT_MANIFEST
102
1.51664
20
UNKNOWN
English - United States
RT_GROUP_ICON

Imports

GDI32.dll
KERNEL32.DLL
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
gdiplus.dll
urlmon.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
13
Malicious processes
4
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start wemod-setup.exe wemod-6.2.7[1].exe update.exe squirrel.exe wemod.exe no specs update.exe no specs wemod.exe no specs update.exe no specs wemod.exe wemod.exe no specs wemod.exe no specs wemod.exe no specs update.exe

Process information

PID
CMD
Path
Indicators
Parent process
1896"C:\Users\admin\AppData\Local\Temp\WeMod-Setup.exe" C:\Users\admin\AppData\Local\Temp\WeMod-Setup.exe
explorer.exe
User:
admin
Company:
Daring Development Inc.
Integrity Level:
MEDIUM
Description:
WeMod Setup
Exit code:
0
Version:
5.0.0.0
3856"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\WeMod-6.2.7[1].exe" --silentC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\WeMod-6.2.7[1].exe
WeMod-Setup.exe
User:
admin
Company:
WeMod
Integrity Level:
MEDIUM
Description:
WeMod - Cheats and Mods
Exit code:
0
Version:
6.2.7
1944"C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe" --install . --silentC:\Users\admin\AppData\Local\SquirrelTemp\Update.exe
WeMod-6.2.7[1].exe
User:
admin
Company:
GitHub
Integrity Level:
MEDIUM
Description:
Update
Exit code:
0
Version:
1.9.1.0
3492"C:\Users\admin\AppData\Local\WeMod\app-6.2.7\Squirrel.exe" --updateSelf=C:\Users\admin\AppData\Local\SquirrelTemp\Update.exeC:\Users\admin\AppData\Local\WeMod\app-6.2.7\Squirrel.exe
Update.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2660"C:\Users\admin\AppData\Local\WeMod\app-6.2.7\WeMod.exe" --squirrel-install 6.2.7C:\Users\admin\AppData\Local\WeMod\app-6.2.7\WeMod.exeUpdate.exe
User:
admin
Company:
WeMod
Integrity Level:
MEDIUM
Description:
WeMod - Cheats and Mods
Exit code:
0
Version:
6.2.7
1316C:\Users\admin\AppData\Local\WeMod\Update.exe --createShortcut WeMod.exeC:\Users\admin\AppData\Local\WeMod\Update.exeWeMod.exe
User:
admin
Company:
GitHub
Integrity Level:
MEDIUM
Description:
Update
Exit code:
0
Version:
1.9.1.0
2276"C:\Users\admin\AppData\Local\WeMod\app-6.2.7\WeMod.exe" --type=gpu-process --field-trial-handle=1152,2571582987136341375,14975323822799265097,131072 --disable-features=LayoutNG,SpareRendererForSitePerProcess --gpu-preferences=IAAAAAAAAADgAAAgAAAAAAAAYAAAAAAACAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAABQAAABAAAAAAAAAAAAAAAAYAAAAQAAAAAAAAAAEAAAAFAAAAEAAAAAAAAAABAAAABgAAAA== --service-request-channel-token=15640722177483167165 --mojo-platform-channel-handle=1156 --ignored=" --type=renderer " /prefetch:2C:\Users\admin\AppData\Local\WeMod\app-6.2.7\WeMod.exeWeMod.exe
User:
admin
Company:
WeMod
Integrity Level:
LOW
Description:
WeMod - Cheats and Mods
Exit code:
0
Version:
6.2.7
3452"C:\Users\admin\AppData\Local\WeMod\Update.exe" --processStart "WeMod.exe" --process-start-args "wemod://?_inst=6wZQ2ctVROl69pEU"C:\Users\admin\AppData\Local\WeMod\Update.exeWeMod-Setup.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3964"C:\Users\admin\AppData\Local\WeMod\app-6.2.7\WeMod.exe" wemod://?_inst=6wZQ2ctVROl69pEUC:\Users\admin\AppData\Local\WeMod\app-6.2.7\WeMod.exe
Update.exe
User:
admin
Company:
WeMod
Integrity Level:
MEDIUM
Description:
WeMod - Cheats and Mods
Version:
6.2.7
520"C:\Users\admin\AppData\Local\WeMod\app-6.2.7\WeMod.exe" --type=gpu-process --field-trial-handle=1080,15786151774496379567,7409869370519320832,131072 --disable-features=LayoutNG,SpareRendererForSitePerProcess --gpu-preferences=IAAAAAAAAADgAAAgAAAAAAAAYAAAAAAACAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAABQAAABAAAAAAAAAAAAAAAAYAAAAQAAAAAAAAAAEAAAAFAAAAEAAAAAAAAAABAAAABgAAAA== --service-request-channel-token=5408731606948648093 --mojo-platform-channel-handle=1096 --ignored=" --type=renderer " /prefetch:2C:\Users\admin\AppData\Local\WeMod\app-6.2.7\WeMod.exeWeMod.exe
User:
admin
Company:
WeMod
Integrity Level:
LOW
Description:
WeMod - Cheats and Mods
Exit code:
4
Version:
6.2.7
Total events
1 731
Read events
1 622
Write events
0
Delete events
0

Modification events

No data
Executable files
15
Suspicious files
6
Text files
20
Unknown types
59

Dropped files

PID
Process
Filename
Type
1896WeMod-Setup.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\WeMod-6.2.7[1].exe
MD5:
SHA256:
3856WeMod-6.2.7[1].exeC:\Users\admin\AppData\Local\SquirrelTemp\WeMod-6.2.7-full.nupkg
MD5:
SHA256:
1944Update.exeC:\Users\admin\AppData\Local\WeMod\packages\WeMod-6.2.7-full.nupkg
MD5:
SHA256:
1944Update.exeC:\Users\admin\AppData\Local\WeMod\app-6.2.7\icudtl.dat
MD5:
SHA256:
3856WeMod-6.2.7[1].exeC:\Users\admin\AppData\Local\SquirrelTemp\background.gifimage
MD5:0BC30810D91EF71A9C774A08A9536652
SHA256:2FCBD6033C3258D4363C727680C786A320E7BF9D463E0F44B1B0E123ACA8EF12
1944Update.exeC:\Users\admin\AppData\Local\WeMod\app-6.2.7\Infinity.exeexecutable
MD5:9DAEC87F4C3D988BC974E3017D373268
SHA256:759C15A63BB8B813229315D47A7C7C23E718E188719E98C6A1F79AE8A43A09E7
1896WeMod-Setup.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@wemod[1].txttext
MD5:641ECDE801353FECA110C6CBDB481200
SHA256:EF396865B82CBF38472FBA917C558DC4D72BDD983F8F6FBD20A4E270BE422FEA
1944Update.exeC:\Users\admin\AppData\Local\WeMod\Update.exeexecutable
MD5:6C8FDB5C1429E2594C3CF9C11BA9EE1C
SHA256:78C393D4E54E59A5B744807CB79BD664BC4CDAEFDC85DCF3772F5E302F5D86CF
3856WeMod-6.2.7[1].exeC:\Users\admin\AppData\Local\SquirrelTemp\RELEASEStext
MD5:FC7B6C2AFE6FBACD4F65BB44B0BD5C4F
SHA256:5A4235CCF54C9B0530A19CF394413552244BFCADFD616DD47BB705B6AB046C76
1944Update.exeC:\Users\admin\AppData\Local\WeMod\app-6.2.7\libEGL.dllexecutable
MD5:A04AD4C7BDF609A15DD6E4526626DF95
SHA256:516093CC14ACD1C294B029B5BF934B6AF52C844FEF55DAEAA0E69C4F256182D6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
10
DNS requests
9
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1896
WeMod-Setup.exe
104.24.26.12:443
api.wemod.com
Cloudflare Inc
US
shared
185.172.148.132:443
api-cdn.wemod.com
proinity GmbH
DE
malicious
1896
WeMod-Setup.exe
104.24.27.12:443
api.wemod.com
Cloudflare Inc
US
shared
216.58.207.78:443
www.google-analytics.com
Google Inc.
US
whitelisted
2844
Update.exe
104.24.27.12:443
api.wemod.com
Cloudflare Inc
US
shared
1944
Update.exe
104.24.26.12:443
api.wemod.com
Cloudflare Inc
US
shared
3964
WeMod.exe
104.24.26.12:443
api.wemod.com
Cloudflare Inc
US
shared
3.232.151.45:443
ws.pusherapp.com
US
unknown
3964
WeMod.exe
216.58.207.40:443
www.googletagmanager.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
api.wemod.com
  • 104.24.27.12
  • 104.24.26.12
unknown
storage-cdn.wemod.com
  • 104.24.26.12
  • 104.24.27.12
suspicious
www.googletagmanager.com
  • 216.58.207.40
whitelisted
ws.pusherapp.com
  • 3.232.151.45
  • 18.205.132.29
  • 174.129.78.50
  • 3.220.236.99
  • 54.85.229.255
  • 3.234.84.213
  • 54.88.34.75
  • 18.214.199.84
whitelisted
www.google-analytics.com
  • 216.58.207.78
whitelisted
api-cdn.wemod.com
  • 185.172.148.132
malicious
community.wemod.com
  • 104.24.27.12
  • 104.24.26.12
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
WeMod-Setup.exe