analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

downloadEdge.aspx

Full analysis: https://app.any.run/tasks/eceff223-c6c4-4470-9346-d25b87410f4e
Verdict: Malicious activity
Analysis date: November 08, 2019, 16:13:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

226991C242389EB4D93245C573318CDF

SHA1:

2788629F1415F7A99E63D4745CAF5DBE9D78FCA2

SHA256:

323848F1AF8D3F1AC4B90F10E73FD231A3E5A2FB71453429B96A968A8AAAB4F5

SSDEEP:

49152:O62IOLwwuYrMJY/EqLZemfbIVk45+NT5aL:O65OUwuYACDLH4L

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • MicrosoftEdgeUpdate.exe (PID: 2576)
      • MicrosoftEdgeUpdate.exe (PID: 3788)
      • MicrosoftEdgeUpdate.exe (PID: 3400)
      • MicrosoftEdgeUpdate.exe (PID: 956)
      • MicrosoftEdgeUpdate.exe (PID: 3832)

    • Loads the Task Scheduler COM API

      • MicrosoftEdgeUpdate.exe (PID: 2576)

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 2576)

    • Loads dropped or rewritten executable

      • MicrosoftEdgeUpdate.exe (PID: 3788)
      • MicrosoftEdgeUpdate.exe (PID: 2576)
      • MicrosoftEdgeUpdate.exe (PID: 3400)
      • MicrosoftEdgeUpdate.exe (PID: 3832)
      • MicrosoftEdgeUpdate.exe (PID: 956)

  • SUSPICIOUS

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 2576)

    • Creates COM task schedule object

      • MicrosoftEdgeUpdate.exe (PID: 3788)

    • Executable content was dropped or overwritten

      • downloadEdge.aspx.exe (PID: 2744)
      • MicrosoftEdgeUpdate.exe (PID: 2576)

    • Executed via COM

      • MicrosoftEdgeUpdate.exe (PID: 956)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

LanguageId: en
UpstreamVersion: 1.3.99.0
ProductVersion: 1.3.115.45
ProductName: Microsoft Edge Update
OriginalFileName: MicrosoftEdgeUpdateSetup.exe
LegalCopyright: Copyright Microsoft Corporation
InternalName: Microsoft Edge Update Setup
FileVersion: 1.3.115.45
FileDescription: Microsoft Edge Update Setup
CompanyName: Microsoft Corporation
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.3.115.45
FileVersionNumber: 1.3.115.45
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x5396
UninitializedDataSize: -
InitializedDataSize: 1657856
CodeSize: 94720
LinkerVersion: 14.16
PEType: PE32
TimeStamp: 2019:11:03 08:30:16+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 03-Nov-2019 07:30:16
Detected languages:
  • Afrikaans - South Africa
  • Albanian - Albania
  • Arabic - Saudi Arabia
  • Armenian - Armenia
  • Azeri - Azerbaijan (Latin)
  • Basque - Spain
  • Belarusian - Belarus
  • Bulgarian - Bulgaria
  • Catalan - Spain
  • Chinese - PRC
  • Chinese - Taiwan
  • Croatian - Croatia
  • Czech - Czech Republic
  • Danish - Denmark
  • Dutch - Netherlands
  • English - United Kingdom
  • English - United States
  • Estonian - Estonia
  • F.Y.R.O. Macedonia - F.Y.R.O. Macedonia
  • Farsi - Iran
  • Finnish - Finland
  • French - Canada
  • French - France
  • Galician - Spain
  • Georgian - Georgia
  • German - Germany
  • Greek - Greece
  • Gujarati - India
  • Hebrew - Israel
  • Hindi - India
  • Hungarian - Hungary
  • Icelandic - Iceland
  • Indonesian - Indonesia (Bahasa)
  • Italian - Italy
  • Japanese - Japan
  • Kannada - India (Kannada script)
  • Kazakh - Kazakstan
  • Konkani - India
  • Korean - Korea
  • Kyrgyz - Kyrgyzstan
  • Latvian - Latvia
  • Lithuanian - Lithuania
  • Malay - Malaysia
  • Marathi - India
  • Mongolian (Cyrillic) - Mongolia
  • Norwegian - Norway (Bokmal)
  • Norwegian - Norway (Nynorsk)
  • Polish - Poland
  • Portuguese - Brazil
  • Portuguese - Portugal
  • Punjabi - India (Gurmukhi script)
  • Romanian - Romania
  • Russian - Russia
  • Serbian - Serbia (Latin)
  • Slovak - Slovakia
  • Slovenian - Slovenia
  • Spanish - Mexico
  • Spanish - Spain (International sort)
  • Swahili - Kenya
  • Swedish - Sweden
  • Tamil - India
  • Tatar - Tatarstan
  • Telugu - India (Telugu script)
  • Thai - Thailand
  • Turkish - Turkey
  • Ukrainian - Ukraine
  • Urdu - Pakistan
  • Uzbek - Uzbekistan (Latin)
  • Vietnamese - Viet Nam
Debug artifacts:
  • mi_exe_stub.pdb
CompanyName: Microsoft Corporation
FileDescription: Microsoft Edge Update Setup
FileVersion: 1.3.115.45
InternalName: Microsoft Edge Update Setup
LegalCopyright: Copyright Microsoft Corporation
OriginalFilename: MicrosoftEdgeUpdateSetup.exe
ProductName: Microsoft Edge Update
ProductVersion: 1.3.115.45
UpstreamVersion: 1.3.99.0
LanguageId: en

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 03-Nov-2019 07:30:16
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00017001
0x00017200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.66417
.rdata
0x00019000
0x000073F0
0x00007400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.27282
.data
0x00021000
0x00001400
0x00000A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.24299
.rsrc
0x00023000
0x0018B874
0x0018BA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.98461
.reloc
0x001AF000
0x0000124C
0x00001400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.28351

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.20417
1166
Latin 1 / Western European
UNKNOWN
RT_MANIFEST
2
4.13669
1384
Latin 1 / Western European
English - United States
RT_ICON
3
3.91985
744
Latin 1 / Western European
English - United States
RT_ICON
4
4.83772
2216
Latin 1 / Western European
English - United States
RT_ICON
5
3.68656
1640
Latin 1 / Western European
English - United States
RT_ICON
6
4.50268
3752
Latin 1 / Western European
English - United States
RT_ICON
101
2.86669
90
Latin 1 / Western European
English - United States
RT_GROUP_ICON
102
7.99987
1572020
Latin 1 / Western European
UNKNOWN
B
1223
3.73035
380
Latin 1 / Western European
UNKNOWN
RT_STRING

Imports

ADVAPI32.dll
KERNEL32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
6
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start downloadedge.aspx.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe

Process information

PID
CMD
Path
Indicators
Parent process
2744"C:\Users\admin\Desktop\downloadEdge.aspx.exe" C:\Users\admin\Desktop\downloadEdge.aspx.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update Setup
Version:
1.3.115.45
2576C:\Users\admin\AppData\Local\Temp\EUA37E.tmp\MicrosoftEdgeUpdate.exe /installsource taggedmi /install "appguid={65C35B14-6C1D-4122-AC46-7148CC9D6497}&appname=Microsoft%20Edge%20Canary&needsadmin=false&usagestats=0&iid={aa6d67c9-5efb-5f9c-9f8e-8ee551de80ff}&lang=en"C:\Users\admin\AppData\Local\Temp\EUA37E.tmp\MicrosoftEdgeUpdate.exe
downloadEdge.aspx.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.115.45
3788"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserverC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.115.45
3400"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xMTUuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xMTUuNDUiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7Q0NGRDVBMEQtNzg0RC00OTUxLUEwMEItRkY5NTVEQTlFQTNGfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezFENTk5QUZGLUU3RTMtNEU3Ri1CRjhBLTI3ODRGN0Y5NTU4OX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iMyIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xLjc2MDEuMCIgc3A9IlNlcnZpY2UgUGFjayAxIiBhcmNoPSJ4ODYiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjExNS40NSIgbGFuZz0iZW4iIGJyYW5kPSIiIGNsaWVudD0iIiBpaWQ9IntBQTZENjdDOS01RUZCLTVGOUMtOUY4RS04RUU1NTFERTgwRkZ9Ij48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBpbnN0YWxsX3RpbWVfbXM9IjExNzIiLz48L2FwcD48L3JlcXVlc3Q-C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.115.45
3832"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={65C35B14-6C1D-4122-AC46-7148CC9D6497}&appname=Microsoft%20Edge%20Canary&needsadmin=false&usagestats=0&iid={aa6d67c9-5efb-5f9c-9f8e-8ee551de80ff}&lang=en" /installsource taggedmi /sessionid "{CCFD5A0D-784D-4951-A00B-FF955DA9EA3F}"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.115.45
956"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -EmbeddingC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.115.45
Total events
8 858
Read events
453
Write events
0
Delete events
0

Modification events

No data
Executable files
220
Suspicious files
0
Text files
5
Unknown types
1

Dropped files

PID
Process
Filename
Type
2744downloadEdge.aspx.exeC:\Users\admin\AppData\Local\Temp\EUA37E.tmp\psuser.dllexecutable
MD5:A185B9B02A951153276EFC185F376836
SHA256:F17B889612F2FFA6B962D8CCEC83346F18797BB76D6E4C7288CD2C005E0A9114
2744downloadEdge.aspx.exeC:\Users\admin\AppData\Local\Temp\EUA37E.tmp\MicrosoftEdgeUpdateOnDemand.exeexecutable
MD5:ED4EED79DE59E7D31DBCF75A2365D1F4
SHA256:D6139E087E9B93D45C5682D79937ECBD0117B6A45304CC0F2E92A5768C80CA58
2744downloadEdge.aspx.exeC:\Users\admin\AppData\Local\Temp\EUA37E.tmp\MicrosoftEdgeUpdateComRegisterShell64.exeexecutable
MD5:CBB9FB68F7A55AB344FE58014FBEDEDC
SHA256:3ADEF3AE99E6552A44689C53E6957AC133EE27B67795BCE8ADC68EED9892AB13
2744downloadEdge.aspx.exeC:\Users\admin\AppData\Local\Temp\EUA37E.tmp\msedgeupdateres_ar.dllexecutable
MD5:698C94DAFC56FE455D5A10C38D33C9B0
SHA256:9C4E876E891B78C8B9CC1121482BD8A95198944776106FAD0F53E891C1102F55
2744downloadEdge.aspx.exeC:\Users\admin\AppData\Local\Temp\EUA37E.tmp\psmachine.dllexecutable
MD5:0E3A7A0A96B4C4DA2D54A7A4DCA12E36
SHA256:B2CDD54B98BD6207F7BAA21CA503BC5401E90EC459D611AD6D3D0F1E2343320F
2744downloadEdge.aspx.exeC:\Users\admin\AppData\Local\Temp\EUA37E.tmp\msedgeupdateres_cs.dllexecutable
MD5:A7B771D79F7372E76EE695FF5B09EBC5
SHA256:186758923D33EB9696F09DF8C4190480621735D31EF63DDB42666BACAB75864A
2744downloadEdge.aspx.exeC:\Users\admin\AppData\Local\Temp\EUA37E.tmp\MicrosoftEdgeComRegisterShellARM64.exeexecutable
MD5:EC313EFCD0D85BDFD144299CEBDABB70
SHA256:79933D2151938E995559B067AAC908EF21493EF75DD5F7499D0847E5B992D5F3
2744downloadEdge.aspx.exeC:\Users\admin\AppData\Local\Temp\EUA37E.tmp\msedgeupdate.dllexecutable
MD5:5F51BFD4F65774364435C7DC93FFF814
SHA256:E09A96863D6B05FCF55AAAB5B178AEB31A518B07BE9B63E1972BB6452F8BDE25
2744downloadEdge.aspx.exeC:\Users\admin\AppData\Local\Temp\EUA37E.tmp\psmachine_64.dllexecutable
MD5:F14F58C344FC0390F108FCFEF80ECF56
SHA256:E4AF450F1DFFB4C0ACC84EB25BABF20E6BC868EA65E658DD2AD3A7E1115569F8
2744downloadEdge.aspx.exeC:\Users\admin\AppData\Local\Temp\EUA37E.tmp\MicrosoftEdgeUpdateBroker.exeexecutable
MD5:FF57266F1308B553ED409616D3B40CBF
SHA256:709745D6F22DF1845C7B11A7710CEE8EB52725FC51AF2A300199A65793CA4C58
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
205.185.216.42:80
msedge.f.tlu.dl.delivery.mp.microsoft.com
Highwinds Network Group, Inc.
US
whitelisted
3400
MicrosoftEdgeUpdate.exe
52.114.74.45:443
self.events.data.microsoft.com
Microsoft Corporation
NL
unknown
956
MicrosoftEdgeUpdate.exe
40.67.252.175:443
msedge.api.cdp.microsoft.com
Microsoft Corporation
IE
unknown

DNS requests

Domain
IP
Reputation
self.events.data.microsoft.com
  • 52.114.74.45
whitelisted
msedge.api.cdp.microsoft.com
  • 40.67.252.175
whitelisted
msedge.f.tlu.dl.delivery.mp.microsoft.com
  • 205.185.216.42
  • 205.185.216.10
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
downloadEdge.aspx