Malware analysis Website-Watcher 11.3 Incl Key.rar Malicious activity

Add for printing

File name:	Website-Watcher 11.3 Incl Key.rar
Full analysis:	https://app.any.run/tasks/11804a75-2ad0-41cf-956f-442af775001a
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	June 02, 2019, 09:42:59
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	ransomware
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v4, os: Win32
MD5:	F49B6D5C40EF5D4396F2CF6C4388C805
SHA1:	02239BD15F4DCC06CCA6A0610A1E1C0162FE585E
SHA256:	6B88D565D987EB317865C5896FB72C1BA7BFE8C96B159A89B627052CC91D1648
SSDEEP:	196608:3Ro2F53lylDsynxGjGvU1a8vku1BPd55Xz5KCYt92HOO0fv:3RLFT0bxWGvua831BH5j5DY32HOOA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - wswsetup.exe (PID: 1760)
  - wswsetup.exe (PID: 3708)
  - wswatch.exe (PID: 832)
  - wswatch.exe (PID: 1784)
  - wswatch.exe (PID: 2944)
- Loads dropped or rewritten executable
  - wswatch.exe (PID: 1784)
  - wswatch.exe (PID: 832)
  - wswatch.exe (PID: 2944)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2132)
  - wswsetup.exe (PID: 3708)
  - wswsetup.exe (PID: 1760)
  - wswsetup.tmp (PID: 1684)
- Creates files like Ransomware instruction
  - WinRAR.exe (PID: 2132)
- Creates files in the user directory
  - wswsetup.tmp (PID: 1684)
  - wswatch.exe (PID: 1784)
INFO
- Reads Microsoft Office registry keys
  - WinRAR.exe (PID: 2132)
- Manual execution by user
  - wswsetup.exe (PID: 1760)
  - NOTEPAD.EXE (PID: 2036)
  - NOTEPAD.EXE (PID: 1680)
  - wswatch.exe (PID: 832)
  - wswatch.exe (PID: 2944)
- Loads dropped or rewritten executable
  - wswsetup.tmp (PID: 1684)
- Application was dropped or rewritten from another process
  - wswsetup.tmp (PID: 2656)
  - wswsetup.tmp (PID: 1684)
- Creates a software uninstall entry
  - wswsetup.tmp (PID: 1684)
- Creates files in the program directory
  - wswsetup.tmp (PID: 1684)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v-4.x) (58.3)
.rar	\|	RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName:	wswsetup.exe
PackingMethod:	Fastest
ModifyDate:	2011:06:21 07:04:02
OperatingSystem:	Win32
UncompressedSize:	8821760
CompressedSize:	8810786

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2132	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Website-Watcher 11.3 Incl Key.rar"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
1680	"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\jpav.txt	C:\Windows\system32\NOTEPAD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2036	"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\serial.txt	C:\Windows\system32\NOTEPAD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1760	"C:\Users\admin\Desktop\wswsetup.exe"	C:\Users\admin\Desktop\wswsetup.exe		explorer.exe
User: admin Company: www.aignes.com Integrity Level: MEDIUM Description: WebSite-Watcher Setup Exit code: 0 Version:
2656	"C:\Users\admin\AppData\Local\Temp\is-FV79A.tmp\wswsetup.tmp" /SL5="$500E8,8540635,54272,C:\Users\admin\Desktop\wswsetup.exe"	C:\Users\admin\AppData\Local\Temp\is-FV79A.tmp\wswsetup.tmp	—	wswsetup.exe
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0
3708	"C:\Users\admin\Desktop\wswsetup.exe" /SPAWNWND=$60122 /NOTIFYWND=$500E8	C:\Users\admin\Desktop\wswsetup.exe		wswsetup.tmp
User: admin Company: www.aignes.com Integrity Level: HIGH Description: WebSite-Watcher Setup Exit code: 0 Version:
1684	"C:\Users\admin\AppData\Local\Temp\is-D298O.tmp\wswsetup.tmp" /SL5="$7012A,8540635,54272,C:\Users\admin\Desktop\wswsetup.exe" /SPAWNWND=$60122 /NOTIFYWND=$500E8	C:\Users\admin\AppData\Local\Temp\is-D298O.tmp\wswsetup.tmp		wswsetup.exe
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0
1784	"C:\Program Files\WebSite-Watcher\wswatch.exe"	C:\Program Files\WebSite-Watcher\wswatch.exe	—	wswsetup.tmp
User: admin Company: Aignesberger Software GmbH Integrity Level: MEDIUM Description: WebSite-Watcher Exit code: 0 Version: 11.3.0.100
832	"C:\Program Files\WebSite-Watcher\wswatch.exe"	C:\Program Files\WebSite-Watcher\wswatch.exe	—	explorer.exe
User: admin Company: Aignesberger Software GmbH Integrity Level: MEDIUM Description: WebSite-Watcher Exit code: 0 Version: 11.3.0.100
2944	"C:\Program Files\WebSite-Watcher\wswatch.exe"	C:\Program Files\WebSite-Watcher\wswatch.exe	—	explorer.exe
User: admin Company: Aignesberger Software GmbH Integrity Level: MEDIUM Description: WebSite-Watcher Exit code: 0 Version: 11.3.0.100

Add for printing

Total events

945

Read events

879

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

165

Unknown types

Dropped files

PID	Process	Filename		Type
2132	WinRAR.exe	C:\Users\admin\Desktop\rapidshare links TV Season Software MP3 Games Ebooks.url		text
		MD5:88B428BC61E50D002E6283F136792DA2	SHA256:99EFA1C8BC4FA1D1C34104C61B7F81E80E5ABCF842C92D129D4C77D81D7FF5CF
2132	WinRAR.exe	C:\Users\admin\Desktop\wswsetup.exe		executable
		MD5:BCACF81D522F0A40B573C73F2E8F0DAF	SHA256:554C9A62F4AEBF557398A1A23C8CA0E7C85695C0AB2AB1DADF3E9F9B4DAEBB86
2132	WinRAR.exe	C:\Users\admin\Desktop\Adult hardcore video list.txt		text
		MD5:AE40AFDC5BC5351606D6F15FCB7F744C	SHA256:8D84B3E3306BE36E1DEDE633E0C0BF129A80AC9084CF000B82EB178BB14DE41D
2132	WinRAR.exe	C:\Users\admin\Desktop\italianfriendfinder.url		text
		MD5:1F074305D9D091501C69381BE2A9111B	SHA256:3BA461526393663BC07550CE7E3B03BE8789B536E18BDF13A49CA0FE7D8754A3
2132	WinRAR.exe	C:\Users\admin\Desktop\rapidshare Links games.url		text
		MD5:206E677D508055AD58FA8ECA71EC2B63	SHA256:97A86EA4C196A666C7F91E51480AB3D31F87AFE3FAC6E3C4F5061146B8F0825D
2132	WinRAR.exe	C:\Users\admin\Desktop\asiafriendfinder.url		text
		MD5:BF2BD190FE666031B5841B903D3D2360	SHA256:D90F7B8D25319604DDA197F647C746D7E4102D898851875A4A9151E45AE11468
2132	WinRAR.exe	C:\Users\admin\Desktop\www.neobux.com.url		text
		MD5:CFFD6FCA132A5FFC124F48BBC787EE62	SHA256:B6D657AA6D70BEDC8C87692130D8DB8AF5DFB87B083DD35BDDCBE915B0E3DBD2
2132	WinRAR.exe	C:\Users\admin\Desktop\readme.url		text
		MD5:2FEF85F509F3280EC07DF17E73238FA6	SHA256:B780C009B2FF0120983AEE223E1C9E409AA738A6BAA1509B6C06255FF01AF2C4
2132	WinRAR.exe	C:\Users\admin\Desktop\germanfriendfinder.url		text
		MD5:6ED76233A68AA416C54A68835D7F5FCB	SHA256:6110AA2FB111A2B52C78E1C5A2271972262EB46C3927EC5ED0066FFF36688090
1760	wswsetup.exe	C:\Users\admin\AppData\Local\Temp\is-FV79A.tmp\wswsetup.tmp		executable
		MD5:6E8D9DD74363F29EDE089ECF3B989C59	SHA256:23B00B7D72A83ADAAAC640AEB82998294588EE2900B4D681C92DDBCA6D255FED

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

Website-Watcher 11.3 Incl Key.rar

F49B6D5C40EF5D4396F2CF6C4388C805

02239BD15F4DCC06CCA6A0610A1E1C0162FE585E

6B88D565D987EB317865C5896FB72C1BA7BFE8C96B159A89B627052CC91D1648

196608:3Ro2F53lylDsynxGjGvU1a8vku1BPd55Xz5KCYt92HOO0fv:3RLFT0bxWGvua831BH5j5DY32HOOA

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

SUSPICIOUS

Executable content was dropped or overwritten

Creates files like Ransomware instruction

Creates files in the user directory

INFO

Reads Microsoft Office registry keys

Manual execution by user

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

Creates a software uninstall entry

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings