b68bb1dd96485e1c6fe59ddd45eda4d2617e4387815979bff7f9c24b27b17908

General

Target

WebCompanionInstaller.exe
Size

532KB
MD5

5dcb4306382ed9fe9fb9840808ce5710
SHA1

e177f95bbed8a53fb8744aff09f5888f358f6425
SHA256

b68bb1dd96485e1c6fe59ddd45eda4d2617e4387815979bff7f9c24b27b17908
SHA512

f2e42ec5438d1b86ccebc8080248cfe5e5a56c0ccab66bd8a0232b7bee5f7937530b6617fd577ac7eeb70fe7c6b54e0aaaaf77a0353cb05cddf7a9e73c381c06
SSDEEP

12288:FG5knZfFKegHf+tCfQNerJnYJNxnj7Ui5lZ/5vPx:FG50ZfFKhGtaQNer9yVHUiHR5x

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
1868	WebCompanion-Installer.exe

Loads dropped DLL 4 IoCs

pid	Process
1868	WebCompanion-Installer.exe
1868	WebCompanion-Installer.exe
1868	WebCompanion-Installer.exe
1868	WebCompanion-Installer.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1868	WebCompanion-Installer.exe
1868	WebCompanion-Installer.exe
1868	WebCompanion-Installer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	WebCompanion-Installer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 1868	4248	WebCompanionInstaller.exe	84
PID 4248 wrote to memory of 1868	4248	WebCompanionInstaller.exe	84
PID 4248 wrote to memory of 1868	4248	WebCompanionInstaller.exe	84

C:\Users\Admin\AppData\Local\Temp\WebCompanionInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WebCompanionInstaller.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Local\Temp\7zS8902BEE7\WebCompanion-Installer.exe
  .\WebCompanion-Installer.exe --partner=newwebsite --version=12.1.2.991
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8902BEE7\Newtonsoft.Json.dll

Filesize
428KB

MD5
2c2a2a2a4fab7ffda89ed084a222de8d

SHA1
b68c2669dbf563c21208b00264d532dbe3ff61ae

SHA256
9668007f68f82521b89ba74df73e943495f46be993b091d2e83b4c8fd845e193

SHA512
18eaf76b4c26c9f670510f06f7a7e35c871ad8044ac8497e4071d32dafa81eb88b204ad79f3e93fc26bb3e8218e3a6045028518826aa3277aa4f4fd09b9c72ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8902BEE7\WebCompanion-Installer.exe

Filesize
427KB

MD5
af06ed7f6113aa260aa4a0f8f1d74b30

SHA1
ab797fb3d58da5788bf63de6a0becbd8377961ab

SHA256
3475db98ab5264d038de9dcebcb3a45eff80b883ec26583f7fc229995768c8db

SHA512
766105bfec364b1893e5a2fa74c6c5311b1f708a927c9857bff99c908eb29ded1db2b854e635e63a046223cc9efdeb290e38a87ba6f7012b1c72d173d552cd11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8902BEE7\WebCompanion-Installer.exe.config

Filesize
2KB

MD5
8c7654010c9d99d059990b145250d091

SHA1
df3243adf97d24bd9962f780278f07fa2dc3878f

SHA256
a0c723e353a33e8f08b49575f50a73a30ea4b711ac2f050dc36cb812c7bf2d1b

SHA512
a7a479b8bd2ec75ef4f1f36a2a552cd90f32b50441132fdcc4c31308c166dc42ace37ec3a0f79cbb3c022ee4d239e0e9f3cc588c189ba75d87b60b5eccf7d5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8902BEE7\en-US\WebCompanion-Installer.resources.dll

Filesize
6KB

MD5
bf52d806f18ce25d50129931f2939bc9

SHA1
73ba4435d26114f6d50e9fc8c4fc683b4d606ec9

SHA256
60bd831259853b94998e9228b18b21f2bed462c3acae1c5480e508bd8602b62b

SHA512
fb2ba083e540d760a35a23983deb88b14174c4aa6e3e7bc8fb3fdc4f1d02297315adf19925dbd002776f0bf1ea25b5acd61522d15e547f135c2e86d21e24293b

Download Submit
memory/1868-45-0x0000000006170000-0x00000000061DE000-memory.dmp

Filesize
440KB

Download
memory/1868-48-0x0000000006D30000-0x0000000006D96000-memory.dmp

Filesize
408KB

Download
memory/1868-36-0x0000000004FB0000-0x0000000005000000-memory.dmp

Filesize
320KB

Download
memory/1868-37-0x0000000005000000-0x0000000005012000-memory.dmp

Filesize
72KB

Download
memory/1868-38-0x0000000005020000-0x000000000505C000-memory.dmp

Filesize
240KB

Download
memory/1868-39-0x0000000005060000-0x00000000050AC000-memory.dmp

Filesize
304KB

Download
memory/1868-40-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/1868-34-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/1868-33-0x00000000005B0000-0x000000000061E000-memory.dmp

Filesize
440KB

Download
memory/1868-46-0x00000000067E0000-0x0000000006800000-memory.dmp

Filesize
128KB

Download
memory/1868-47-0x0000000006800000-0x0000000006B54000-memory.dmp

Filesize
3.3MB

Download
memory/1868-35-0x00000000056E0000-0x0000000005CF8000-memory.dmp

Filesize
6.1MB

Download
memory/1868-31-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/1868-52-0x0000000007170000-0x0000000007178000-memory.dmp

Filesize
32KB

Download
memory/1868-53-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/1868-54-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/1868-55-0x00000000073A0000-0x0000000007432000-memory.dmp

Filesize
584KB

Download
memory/1868-56-0x00000000055C0000-0x00000000055C8000-memory.dmp

Filesize
32KB

Download
memory/1868-57-0x00000000055D0000-0x00000000055D8000-memory.dmp

Filesize
32KB

Download
memory/1868-58-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/1868-59-0x0000000005560000-0x0000000005598000-memory.dmp

Filesize
224KB

Download
memory/1868-60-0x0000000005530000-0x000000000553E000-memory.dmp

Filesize
56KB

Download
memory/1868-61-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing