| File name: | BraveBrowserSetup.x64.exe |
| Full analysis: | https://app.any.run/tasks/b3874181-1737-4f1e-a1f3-9ba51efc527f |
| Verdict: | Malicious activity |
| Analysis date: | October 04, 2024, 12:24:02 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 068E09E6BE13F5FC296DF587F89AEDB0 |
| SHA1: | 29B1DA744042381ACE0BBFE1F5A815E87BB60921 |
| SHA256: | 370C88A1BE8B6CE495D883F7DE10CEC9D8E0FDB62438DFE9966B9F45BB166062 |
| SSDEEP: | 49152:DtG8yLTI+7trcdZ6jqFa0EKgVFgrbAVKXXV1fykKRB51+WLTW1UmDMrlilYpWaDJ:Dl8I+prQ3a00urAeKk1O8UmDeCslDeBy |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads security settings of Internet Explorer
- BraveUpdate.exe (PID: 5072)
- BraveUpdate.exe (PID: 4840)
- BraveUpdate.exe (PID: 5600)
Executable content was dropped or overwritten
- BraveUpdate.exe (PID: 4840)
- BraveBrowserSetup.x64.exe (PID: 4180)
- BraveUpdateSetup.exe (PID: 5276)
Starts itself from another location
- BraveUpdate.exe (PID: 4840)
Disables SEHOP
- BraveUpdate.exe (PID: 4840)
Creates/Modifies COM task schedule object
- BraveUpdate.exe (PID: 1972)
- BraveUpdateComRegisterShell64.exe (PID: 4652)
- BraveUpdateComRegisterShell64.exe (PID: 2708)
- BraveUpdateComRegisterShell64.exe (PID: 5116)
Executes as Windows Service
- BraveUpdate.exe (PID: 2132)
INFO
Create files in a temporary directory
- BraveBrowserSetup.x64.exe (PID: 4180)
Checks supported languages
- BraveUpdate.exe (PID: 5072)
- BraveBrowserSetup.x64.exe (PID: 4180)
- BraveUpdateSetup.exe (PID: 5276)
- BraveUpdate.exe (PID: 4840)
- BraveUpdateComRegisterShell64.exe (PID: 2708)
- BraveUpdateComRegisterShell64.exe (PID: 4652)
- BraveUpdate.exe (PID: 1172)
- BraveUpdate.exe (PID: 1972)
- BraveUpdate.exe (PID: 5600)
- BraveUpdate.exe (PID: 6056)
- BraveUpdateComRegisterShell64.exe (PID: 5116)
- BraveUpdate.exe (PID: 2132)
Creates files in the program directory
- BraveUpdate.exe (PID: 4840)
- BraveUpdate.exe (PID: 2132)
Reads the computer name
- BraveUpdate.exe (PID: 1172)
- BraveUpdate.exe (PID: 5072)
- BraveUpdate.exe (PID: 4840)
- BraveUpdateComRegisterShell64.exe (PID: 2708)
- BraveUpdate.exe (PID: 1972)
- BraveUpdateComRegisterShell64.exe (PID: 5116)
- BraveUpdateComRegisterShell64.exe (PID: 4652)
- BraveUpdate.exe (PID: 6056)
- BraveUpdate.exe (PID: 5600)
- BraveUpdate.exe (PID: 2132)
Process checks computer location settings
- BraveUpdate.exe (PID: 4840)
- BraveUpdate.exe (PID: 5072)
Checks proxy server information
- BraveUpdate.exe (PID: 6056)
- BraveUpdate.exe (PID: 5600)
Reads the software policy settings
- BraveUpdate.exe (PID: 2132)
- BraveUpdate.exe (PID: 6056)
Reads the machine GUID from the registry
- BraveUpdate.exe (PID: 6056)
- BraveUpdate.exe (PID: 2132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (76.4) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.4) |
| .exe | | | Generic Win/DOS Executable (5.5) |
| .exe | | | DOS Executable Generic (5.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:09:25 06:08:18+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.41 |
| CodeSize: | 105984 |
| InitializedDataSize: | 1150976 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x6f24 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.3.361.151 |
| ProductVersionNumber: | 1.3.361.151 |
| FileFlagsMask: | 0x003f |
| FileFlags: | Private build |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | BraveSoftware Inc. |
| FileDescription: | BraveSoftware Update Setup |
| FileVersion: | 1.3.361.151 |
| InternalName: | BraveSoftware Update Setup |
| OriginalFileName: | BraveUpdateSetup.exe |
| ProductName: | BraveSoftware Update |
| ProductVersion: | 1.3.361.151 |
| LanguageId: | en |
| PrivateBuild: | - |
Total processes
128
Monitored processes
12
Malicious processes
3
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1172 | "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regsvc | C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe | — | BraveUpdate.exe | |||||||||||
User: admin Company: BraveSoftware Inc. Integrity Level: HIGH Description: BraveSoftware Update Exit code: 0 Version: 1.3.361.151 Modules
| |||||||||||||||
| 1972 | "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regserver | C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe | — | BraveUpdate.exe | |||||||||||
User: admin Company: BraveSoftware Inc. Integrity Level: HIGH Description: BraveSoftware Update Exit code: 0 Version: 1.3.361.151 Modules
| |||||||||||||||
| 2132 | "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /svc | C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe | services.exe | ||||||||||||
User: SYSTEM Company: BraveSoftware Inc. Integrity Level: SYSTEM Description: BraveSoftware Update Version: 1.3.361.151 Modules
| |||||||||||||||
| 2708 | "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe" | C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe | — | BraveUpdate.exe | |||||||||||
User: admin Company: BraveSoftware Inc. Integrity Level: HIGH Description: BraveSoftware Update Exit code: 0 Version: 1.3.361.151 Modules
| |||||||||||||||
| 4180 | "C:\Users\admin\Desktop\BraveBrowserSetup.x64.exe" | C:\Users\admin\Desktop\BraveBrowserSetup.x64.exe | explorer.exe | ||||||||||||
User: admin Company: BraveSoftware Inc. Integrity Level: MEDIUM Description: BraveSoftware Update Setup Version: 1.3.361.151 Modules
| |||||||||||||||
| 4652 | "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe" | C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe | — | BraveUpdate.exe | |||||||||||
User: admin Company: BraveSoftware Inc. Integrity Level: HIGH Description: BraveSoftware Update Exit code: 0 Version: 1.3.361.151 Modules
| |||||||||||||||
| 4840 | C:\WINDOWS\SystemTemp\GUM62CF.tmp\BraveUpdate.exe /installsource taggedmi /install "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&installdataindex=default&referral=none" /installelevated | C:\Windows\SystemTemp\GUM62CF.tmp\BraveUpdate.exe | BraveUpdateSetup.exe | ||||||||||||
User: admin Company: BraveSoftware Inc. Integrity Level: HIGH Description: BraveSoftware Update Version: 1.3.361.151 Modules
| |||||||||||||||
| 5072 | C:\Users\admin\AppData\Local\Temp\GUM5CF2.tmp\BraveUpdate.exe /installsource taggedmi /install "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&installdataindex=default&referral=none" | C:\Users\admin\AppData\Local\Temp\GUM5CF2.tmp\BraveUpdate.exe | — | BraveBrowserSetup.x64.exe | |||||||||||
User: admin Company: BraveSoftware Inc. Integrity Level: MEDIUM Description: BraveSoftware Update Version: 1.3.361.151 Modules
| |||||||||||||||
| 5116 | "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe" | C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe | — | BraveUpdate.exe | |||||||||||
User: admin Company: BraveSoftware Inc. Integrity Level: HIGH Description: BraveSoftware Update Exit code: 0 Version: 1.3.361.151 Modules
| |||||||||||||||
| 5276 | "C:\Users\admin\AppData\Local\Temp\GUM5CF2.tmp\BraveUpdateSetup.exe" /installsource taggedmi /install "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&installdataindex=default&referral=none" /installelevated /nomitag | C:\Users\admin\AppData\Local\Temp\GUM5CF2.tmp\BraveUpdateSetup.exe | BraveUpdate.exe | ||||||||||||
User: admin Company: BraveSoftware Inc. Integrity Level: HIGH Description: BraveSoftware Update Setup Version: 1.3.361.151 Modules
| |||||||||||||||
Total events
12 210
Read events
8 320
Write events
3 825
Delete events
65
Modification events
| (PID) Process: | (4180) BraveBrowserSetup.x64.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\BraveSoftware\Promo |
| Operation: | write | Name: | StubInstallerPath |
Value: C:\Users\admin\Desktop\BraveBrowserSetup.x64.exe | |||
| (PID) Process: | (4840) BraveUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update |
| Operation: | write | Name: | path |
Value: C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe | |||
| (PID) Process: | (4840) BraveUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update |
| Operation: | write | Name: | UninstallCmdLine |
Value: "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /uninstall | |||
| (PID) Process: | (4840) BraveUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update\Clients\{B131C935-9BE6-41DA-9599-1F776BEB8019} |
| Operation: | write | Name: | pv |
Value: 1.3.361.151 | |||
| (PID) Process: | (4840) BraveUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update\Clients\{B131C935-9BE6-41DA-9599-1F776BEB8019} |
| Operation: | write | Name: | name |
Value: Brave Update | |||
| (PID) Process: | (4840) BraveUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update\ClientState\{B131C935-9BE6-41DA-9599-1F776BEB8019} |
| Operation: | write | Name: | pv |
Value: 1.3.361.151 | |||
| (PID) Process: | (4840) BraveUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe |
| Operation: | write | Name: | DisableExceptionChainValidation |
Value: 0 | |||
| (PID) Process: | (4840) BraveUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update |
| Operation: | write | Name: | brave_task_name_c |
Value: BraveSoftwareUpdateTaskMachineCore{85E0F8D2-6E46-4531-9BFC-0F14DE825325} | |||
| (PID) Process: | (4840) BraveUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update |
| Operation: | write | Name: | brave_task_name_ua |
Value: BraveSoftwareUpdateTaskMachineUA{F948A2B5-33D1-4ABE-A6BF-B132D74CF8E0} | |||
| (PID) Process: | (1172) BraveUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update |
| Operation: | delete value | Name: | uid |
Value: | |||
Executable files
216
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4180 | BraveBrowserSetup.x64.exe | C:\Users\admin\AppData\Local\Temp\GUM5CF2.tmp\psmachine_arm64.dll | executable | |
MD5:C2229BAE75222C94A457E0D9ED88BC1C | SHA256:A126B9DF7C68D325E54CB94E64743E33D50ED354D217EE8604244CA2D8E314CB | |||
| 4180 | BraveBrowserSetup.x64.exe | C:\Users\admin\AppData\Local\Temp\GUM5CF2.tmp\BraveUpdateBroker.exe | executable | |
MD5:9BB7B8BB7CF6A96AF5E819BAD6E80A9D | SHA256:8BBB104638AF6DF01194E0BEC0B20CF5AA17CBEB82B2DBE46370340EF393BD91 | |||
| 4180 | BraveBrowserSetup.x64.exe | C:\Users\admin\AppData\Local\Temp\GUM5CF2.tmp\goopdate.dll | executable | |
MD5:C20353018ACD605661691186BB313A69 | SHA256:137A22656D8EA111C43C6BE8A3BC938ACE7B566BDEE0DE9C9D40467403E9ADFC | |||
| 4180 | BraveBrowserSetup.x64.exe | C:\Users\admin\AppData\Local\Temp\GUM5CF2.tmp\goopdateres_ar.dll | executable | |
MD5:1438A59EC6867661DAAA73DFC9100CD3 | SHA256:E1C702C5ADD5EF1C6120753322F5B46C776D5EF5DE605F1F232D421226FE7CAB | |||
| 4180 | BraveBrowserSetup.x64.exe | C:\Users\admin\AppData\Local\Temp\GUM5CF2.tmp\psmachine.dll | executable | |
MD5:744B1E42C1815B9FEF94B8008A93C0DC | SHA256:1E2B2C29C44699A44C0E8D42ABA6C89196BA5A9D1E5FDAA8F508C629415F4995 | |||
| 4180 | BraveBrowserSetup.x64.exe | C:\Users\admin\AppData\Local\Temp\GUM5CF2.tmp\BraveUpdateComRegisterShellArm64.exe | executable | |
MD5:F8047C85B81DC8E773FE17FA2CA0D2BF | SHA256:A6261EF9CCA7D4392DF3031235EFB76E60CB99CFD332E0E9D723FC769827566E | |||
| 4180 | BraveBrowserSetup.x64.exe | C:\Users\admin\AppData\Local\Temp\GUM5CF2.tmp\psmachine_64.dll | executable | |
MD5:BD787D94EA7FB6C511247355E33E0A07 | SHA256:112D0E76263AABF9FCAAD8DFF2E4B03839BBE1124CD64AA27932C784BA17F511 | |||
| 4180 | BraveBrowserSetup.x64.exe | C:\Users\admin\AppData\Local\Temp\GUM5CF2.tmp\BraveCrashHandler64.exe | executable | |
MD5:E4B2DADFC952E6C05754906CB09CB9E7 | SHA256:3713BE6830D065FC6DEC312E4A536BCD52D254E0A0837C67285F98DFA0E9073F | |||
| 4180 | BraveBrowserSetup.x64.exe | C:\Users\admin\AppData\Local\Temp\GUM5CF2.tmp\BraveUpdateCore.exe | executable | |
MD5:524FF11C8062E51B61310E0017605325 | SHA256:2A4AE9C22F92E01D38C6177982FBB65F2EC422E02B65C7178F1F973E58D2C545 | |||
| 4180 | BraveBrowserSetup.x64.exe | C:\Users\admin\AppData\Local\Temp\GUM5CF2.tmp\psuser_arm64.dll | executable | |
MD5:738BA24E660391A0C526239B37FEC4C7 | SHA256:563A1ADCFBCE88A04A7934BB0EBF9FA7C8FCB50D1512B87300BAB3C39A889B8A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
28
DNS requests
7
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | HEAD | 200 | 3.161.82.75:443 | https://updates-cdn.bravesoftware.com/build/Brave-Release/release/win/129.1.70.123/x64/brave_installer-x64.exe | unknown | — | — | — |
— | — | POST | 200 | 13.32.121.47:443 | https://updates.bravesoftware.com/service/update2?cup2key=2:nnjjpxVLxa64mWgKFUDnUOoeD2E52uP19Nk5YwP_q_k&cup2hreq=6c933c090d67efbf04d74a05cf1a6327b4013209f5a63385904fd0439bd88763 | unknown | xml | 6.15 Kb | unknown |
— | — | POST | 200 | 13.32.121.47:443 | https://updates.bravesoftware.com/service/update2 | unknown | xml | 250 b | unknown |
— | — | GET | — | 3.161.82.75:443 | https://updates-cdn.bravesoftware.com/build/Brave-Release/release/win/129.1.70.123/x64/brave_installer-x64.exe | unknown | — | — | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6588 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6056 | BraveUpdate.exe | 13.32.121.124:443 | updates.bravesoftware.com | AMAZON-02 | US | shared |
2132 | BraveUpdate.exe | 13.32.121.124:443 | updates.bravesoftware.com | AMAZON-02 | US | shared |
6588 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5208 | svchost.exe | 3.161.82.75:443 | updates-cdn.bravesoftware.com | — | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
updates.bravesoftware.com |
| shared |
dl.brave.com |
| whitelisted |
updates-cdn.bravesoftware.com |
| whitelisted |
Threats
3 ETPRO signatures available at the full report