b68bb1dd96485e1c6fe59ddd45eda4d2617e4387815979bff7f9c24b27b17908

General

Target

WebCompanionInstaller.exe
Size

532KB
MD5

5dcb4306382ed9fe9fb9840808ce5710
SHA1

e177f95bbed8a53fb8744aff09f5888f358f6425
SHA256

b68bb1dd96485e1c6fe59ddd45eda4d2617e4387815979bff7f9c24b27b17908
SHA512

f2e42ec5438d1b86ccebc8080248cfe5e5a56c0ccab66bd8a0232b7bee5f7937530b6617fd577ac7eeb70fe7c6b54e0aaaaf77a0353cb05cddf7a9e73c381c06
SSDEEP

12288:FG5knZfFKegHf+tCfQNerJnYJNxnj7Ui5lZ/5vPx:FG50ZfFKhGtaQNer9yVHUiHR5x

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
2896	WebCompanion-Installer.exe

Loads dropped DLL 7 IoCs

pid	Process
2668	WebCompanionInstaller.exe
2896	WebCompanion-Installer.exe
2896	WebCompanion-Installer.exe
2896	WebCompanion-Installer.exe
2896	WebCompanion-Installer.exe
2896	WebCompanion-Installer.exe
2896	WebCompanion-Installer.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	WebCompanion-Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WebCompanion-Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WebCompanion-Installer.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2896	WebCompanion-Installer.exe
2896	WebCompanion-Installer.exe
2896	WebCompanion-Installer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	WebCompanion-Installer.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2896	2668	WebCompanionInstaller.exe	28
PID 2668 wrote to memory of 2896	2668	WebCompanionInstaller.exe	28
PID 2668 wrote to memory of 2896	2668	WebCompanionInstaller.exe	28
PID 2668 wrote to memory of 2896	2668	WebCompanionInstaller.exe	28
PID 2668 wrote to memory of 2896	2668	WebCompanionInstaller.exe	28
PID 2668 wrote to memory of 2896	2668	WebCompanionInstaller.exe	28
PID 2668 wrote to memory of 2896	2668	WebCompanionInstaller.exe	28

C:\Users\Admin\AppData\Local\Temp\WebCompanionInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WebCompanionInstaller.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\7zSC6A16026\WebCompanion-Installer.exe
  .\WebCompanion-Installer.exe --partner=newwebsite --version=12.1.2.991
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC6A16026\Newtonsoft.Json.dll

Filesize
428KB

MD5
2c2a2a2a4fab7ffda89ed084a222de8d

SHA1
b68c2669dbf563c21208b00264d532dbe3ff61ae

SHA256
9668007f68f82521b89ba74df73e943495f46be993b091d2e83b4c8fd845e193

SHA512
18eaf76b4c26c9f670510f06f7a7e35c871ad8044ac8497e4071d32dafa81eb88b204ad79f3e93fc26bb3e8218e3a6045028518826aa3277aa4f4fd09b9c72ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6A16026\WebCompanion-Installer.exe.config

Filesize
2KB

MD5
8c7654010c9d99d059990b145250d091

SHA1
df3243adf97d24bd9962f780278f07fa2dc3878f

SHA256
a0c723e353a33e8f08b49575f50a73a30ea4b711ac2f050dc36cb812c7bf2d1b

SHA512
a7a479b8bd2ec75ef4f1f36a2a552cd90f32b50441132fdcc4c31308c166dc42ace37ec3a0f79cbb3c022ee4d239e0e9f3cc588c189ba75d87b60b5eccf7d5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7A12.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7A82.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC6A16026\WebCompanion-Installer.exe

Filesize
427KB

MD5
af06ed7f6113aa260aa4a0f8f1d74b30

SHA1
ab797fb3d58da5788bf63de6a0becbd8377961ab

SHA256
3475db98ab5264d038de9dcebcb3a45eff80b883ec26583f7fc229995768c8db

SHA512
766105bfec364b1893e5a2fa74c6c5311b1f708a927c9857bff99c908eb29ded1db2b854e635e63a046223cc9efdeb290e38a87ba6f7012b1c72d173d552cd11

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC6A16026\en-US\WebCompanion-Installer.resources.dll

Filesize
6KB

MD5
bf52d806f18ce25d50129931f2939bc9

SHA1
73ba4435d26114f6d50e9fc8c4fc683b4d606ec9

SHA256
60bd831259853b94998e9228b18b21f2bed462c3acae1c5480e508bd8602b62b

SHA512
fb2ba083e540d760a35a23983deb88b14174c4aa6e3e7bc8fb3fdc4f1d02297315adf19925dbd002776f0bf1ea25b5acd61522d15e547f135c2e86d21e24293b

Download Submit
memory/2896-36-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/2896-41-0x0000000005430000-0x000000000549E000-memory.dmp

Filesize
440KB

Download
memory/2896-35-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2896-81-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/2896-34-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/2896-82-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/2896-83-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2896-84-0x0000000000C00000-0x0000000000C0A000-memory.dmp

Filesize
40KB

Download
memory/2896-85-0x0000000000C00000-0x0000000000C0A000-memory.dmp

Filesize
40KB

Download
memory/2896-86-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/2896-87-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/2896-88-0x0000000000C00000-0x0000000000C0A000-memory.dmp

Filesize
40KB

Download
memory/2896-89-0x0000000000C00000-0x0000000000C0A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing