Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

MicrosoftEdgeUpdateSetup.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.9296610143602315
Filename:	MicrosoftEdgeUpdateSetup.exe
Filesize:	1634896
MD5:	e0596bfb4ce5773932f2c2047e2de77b
SHA1:	41120d88d333fad440718a288f29920f040cd832
SHA256:	74a4f68219998688ddd9e14d4a10c6c451cbd77f91f7ea0e27f8dd17f70eeaa9
SHA512:	17246a57b137ae445437fd168adaf436b9e907c3c47294ff43b4da149056274fb40935c0f3d351598dcd74e46f6d53e55e94a461bef547922dd49616f9b4682b
SSDEEP:	49152:+iEv35k+M4aZulnVkK4cvsZgtIQ94blEQn:+iykp4aZoVkmYgdilEQn
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6i..6i..6i.."...=i.."....i..T...'i..T..."i......;i..T....i.."...%i.."...7i.."...;i..6i...i....p.7i..6i..`i......7i..Rich6i.

Signature Hits	Behavior Group	Mitre Attack
Found evasive API chain checking for user administrative privileges	Malware Analysis System Evasion	Security Software Discovery
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to download and execute PE files	Networking	Ingress Tool Transfer
Contains functionality to download and launch executables	Persistence and Installation Behavior	Process Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Security Software Discovery
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
Found evaded block containing many API calls	Malware Analysis System Evasion	Native API Process Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
PE / OLE file has an invalid certificate	System Summary	File and Directory Discovery
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality for error logging	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to check free disk space	System Summary
Contains functionality to download additional files from the internet	Networking
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the program directory	System Summary
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Might use command line arguments	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary	Security Software Discovery
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\RuntimeBrokers[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\RuntimeBrokers[1].exe
Category:	dropped
Dump:	RuntimeBrokers[1].exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.3128254526480045
Encrypted:	false
Ssdeep:	24576:oPXhNTSxm9xCr5xFjftqgpIiS8u9LmXI6vPz3zTSucLNDiO8emB2qFmpiIQyKn1o:o/oBftWLmXIAPz36vNDi5BFmpiIQyKny
Size:	1770080
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\common[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\common[1].dll
Category:	dropped
Dump:	common[1].dll.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe
Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy:	6.767280363456254
Encrypted:	false
Ssdeep:	49152:TTcKPhmbTTBpHO0e9iNImYz88p4wi1ZxpEvHYyAadSPEssLT3hrxcMQyKJgW8i2P:TvGFpHM9iNITzLteZSHnpfssprx/Co
Size:	3925088
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Roaming\RuntimeBrokers.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\RuntimeBrokers.exe
Category:	dropped
Dump:	RuntimeBrokers.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.3128254526480045
Encrypted:	false
Ssdeep:	24576:oPXhNTSxm9xCr5xFjftqgpIiS8u9LmXI6vPz3zTSucLNDiO8emB2qFmpiIQyKn1o:o/oBftWLmXIAPz36vNDi5BFmpiIQyKny
Size:	1770080
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging	Security Software Discovery
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging	Security Software Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to query network adapater information	Malware Analysis System Evasion	System Network Configuration Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found large amount of non-executed APIs	Malware Analysis System Evasion
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Contains functionality to create pipes for IPC	Language, Device and Operating System Detection	Process Injection
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to query local drives	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read ini properties file for application configuration	Persistence and Installation Behavior
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Roaming\common.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\common.dll
Category:	dropped
Dump:	common.dll.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe
Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy:	6.767280363456254
Encrypted:	false
Ssdeep:	49152:TTcKPhmbTTBpHO0e9iNImYz88p4wi1ZxpEvHYyAadSPEssLT3hrxcMQyKJgW8i2P:TvGFpHM9iNITzLteZSHnpfssprx/Co
Size:	3925088
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe

"C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6568
Target ID:	0
Parent PID:	2580
Name:	MicrosoftEdgeUpdateSetup.exe
Path:	C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe
Commandline:	"C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe"
Size:	1634896
MD5:	E0596BFB4CE5773932F2C2047E2DE77B
Time:	02:37:00
Date:	22/12/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x160000
Modulesize:	1646592
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Roaming\RuntimeBrokers.exe

"C:\Users\user\AppData\Roaming\RuntimeBrokers.exe"

Details

Is windows:	false
Is dropped:	true
PID:	4460
Target ID:	1
Parent PID:	6568
Name:	RuntimeBrokers.exe
Path:	C:\Users\user\AppData\Roaming\RuntimeBrokers.exe
Commandline:	"C:\Users\user\AppData\Roaming\RuntimeBrokers.exe"
Size:	1770080
MD5:	70E1B494A6097723A9B8BBE2CF41CF0A
Time:	02:37:13
Date:	22/12/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1789952
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

http://154.82.68.34:16653/common.dll

154.82.68.34

http://154.82.68.34:16653/RuntimeBrokers.exe

154.82.68.34

http://154.82.68.34:16653/common.dllS

unknown

http://154.82.68.34:16653/common.dllr

unknown

http://154.82.68.34:16653/RuntimeBrokers.exeC:

unknown

http://154.82.68.34:16653/RuntimeBrokers.exe2j

unknown

http://lol.qq.com/client/client.shtml?uin=%u&area=%u&timestamp=%u&Signature=%s

unknown

http://154.82.68.34/32

unknown

http://154.82.68.34:16653/RuntimeBrokers.exea

unknown

http://154.82.68.34:16653/common.dllFt

unknown

http://154.82.68.34:16653/RuntimeBrokers.exeg

unknown

http://154.82.68.34:16653/common.dlldllLMEMP

unknown

http://154.82.68.34/

unknown

http://154.82.68.34:16653/common.dllAppData

unknown

http://154.82.68.34:16653/common.dlloC:

unknown

https://curl.haxx.se/docs/http-cookies.html

unknown

http://154.82.68.34:16653/RuntimeBrokers.exe)Ce

unknown

http://154.82.68.34:16653/common.dllSSC:

unknown

There are 8 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

154.82.68.34

unknown

Seychelles

Details

IP:	154.82.68.34
TargetID:	0
Current Path:	C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe
Country:	Seychelles
Countrycode:	SYC
ASN number:	32708
ASN name:	ROOTNETWORKSUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

134.122.134.93

unknown

United States

Details

IP:	134.122.134.93
TargetID:	1
Current Path:	C:\Users\user\AppData\Roaming\RuntimeBrokers.exe
Country:	United States
Countrycode:	USA
ASN number:	64050
ASN name:	BCPL-SGBGPNETGlobalASNSG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

2C66000

heap

page read and write

61BF000

stack

page read and write

C00000

heap

page read and write

6C422000

unkown

page read and write

6C424000

unkown

page write copy

2C18000

heap

page read and write

C10000

heap

page read and write

2C3A000

heap

page read and write

307F000

stack

page read and write

2F2E000

stack

page read and write

307E000

stack

page read and write

4A9C000

stack

page read and write

4940000

heap

page read and write

161000

unkown

page execute read

62FF000

stack

page read and write

2C4F000

heap

page read and write

2D0E000

stack

page read and write

4AF0000

heap

page read and write

2C18000

heap

page read and write

401000

unkown

page execute read

6C0A1000

unkown

page execute read

577000

unkown

page read and write

6C440000

unkown

page readonly

2C6A000

heap

page read and write

2C1C000

heap

page read and write

2C3F000

heap

page read and write

67CC000

stack

page read and write

6C421000

unkown

page write copy

A25000

direct allocation

page readonly

58A000

unkown

page readonly

335F000

stack

page read and write

2BB0000

heap

page read and write

645F000

stack

page read and write

161000

unkown

page execute read

2C3A000

heap

page read and write

2C3F000

heap

page read and write

302E000

stack

page read and write

89D000

stack

page read and write

5F7E000

stack

page read and write

578000

unkown

page write copy

52E000

unkown

page readonly

970000

heap

page read and write

493F000

stack

page read and write

2C1C000

heap

page read and write

6C33D000

unkown

page readonly

652C000

stack

page read and write

C3D000

heap

page read and write

17C000

unkown

page readonly

2C33000

heap

page read and write

C1A000

heap

page read and write

2D4E000

stack

page read and write

186000

unkown

page write copy

1000F000

direct allocation

page readonly

4ADB000

stack

page read and write

60BE000

stack

page read and write

10000000

direct allocation

page read and write

9EF000

stack

page read and write

10013000

direct allocation

page readonly

2C51000

heap

page read and write

58A000

unkown

page readonly

A11000

direct allocation

page execute read

189000

unkown

page readonly

2D50000

heap

page read and write

2C33000

heap

page read and write

577000

unkown

page write copy

635E000

stack

page read and write

2C3F000

heap

page read and write

2BE6000

heap

page read and write

A2F000

direct allocation

page execute read

A29000

direct allocation

page read and write

189000

unkown

page readonly

662F000

stack

page read and write

100000

heap

page read and write

1E0000

heap

page read and write

401000

unkown

page execute read

2C64000

heap

page read and write

2BE3000

heap

page read and write

A95000

heap

page read and write

2D55000

heap

page read and write

6C0A0000

unkown

page readonly

2CC0000

heap

page read and write

68CC000

stack

page read and write

A7F000

stack

page read and write

2BBE000

heap

page read and write

3090000

heap

page read and write

52E000

unkown

page readonly

2BE6000

heap

page read and write

499C000

stack

page read and write

A31000

direct allocation

page readonly

2C3F000

heap

page read and write

186000

unkown

page read and write

160000

unkown

page readonly

B30000

heap

page read and write

2C3C000

heap

page read and write

2C39000

heap

page read and write

2BBA000

heap

page read and write

C1E000

heap

page read and write

17C000

unkown

page readonly

2CB0000

heap

page readonly

6C438000

unkown

page read and write

990000

direct allocation

page execute and read and write

61FE000

stack

page read and write

A10000

direct allocation

page read and write

2C33000

heap

page read and write

10001000

direct allocation

page execute read

A90000

heap

page read and write

400000

unkown

page readonly

2B39000

stack

page read and write

10012000

direct allocation

page read and write

5F2E000

stack

page read and write

1780000

heap

page read and write

2BA0000

heap

page read and write

607F000

stack

page read and write

C47000

heap

page read and write

160000

unkown

page readonly

400000

unkown

page readonly

9F0000

direct allocation

page execute and read and write

2C18000

heap

page read and write

9C000

stack

page read and write

2A3B000

stack

page read and write

There are 110 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
MicrosoftEdgeUpdateSetup.exe

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportMicrosoftEdgeUpdateSetup.exe

Files

Processes

URLs

IPs

Memdumps

IOC Report
MicrosoftEdgeUpdateSetup.exe