File name: MicrosoftEdgeCP.exe
Full analysis: https://app.any.run/tasks/049ddec6-58ac-4779-a758-8e7e86c6afa4
Verdict: Malicious activity
Analysis date: July 08, 2024, 11:19:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: revengerat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9DF693D7D1BDDAC2060135819DCAC0A1
SHA1: 1F5C21459C8A5F2DE0582B39F18B001EF012D4CF
SHA256: F07251841BC9232BCDE60B32CB6620348B0AF85BF95AB29205566745E2AF4108
SSDEEP: 49152:56WNkebmEFhOHGokuh68QqyxBXSCXPGms1lw3F0YmKDSd0ujsE58Vq84wE8hnHk9:M4kEm2Oguh68QqoBXSCXPGms1lw3F0Yc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • MicrosoftEdgeCP.exe (PID: 3400)
    • Create files in the Startup directory

      • MicrosoftEdgeCP.exe (PID: 3400)
    • REVENGERAT has been detected (YARA)

      • RegAsm.exe (PID: 3332)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • MicrosoftEdgeCP.exe (PID: 3400)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeCP.exe (PID: 3400)
    • Executable content was dropped or overwritten

      • MicrosoftEdgeCP.exe (PID: 3400)
    • Connects to unusual port

      • RegAsm.exe (PID: 3332)
  • INFO

    • Reads the machine GUID from the registry

      • MicrosoftEdgeCP.exe (PID: 3400)
      • RegAsm.exe (PID: 3332)
    • Checks supported languages

      • RegAsm.exe (PID: 3332)
      • MicrosoftEdgeCP.exe (PID: 3400)
    • Reads the computer name

      • RegAsm.exe (PID: 3332)
      • MicrosoftEdgeCP.exe (PID: 3400)
    • Creates files or folders in the user directory

      • MicrosoftEdgeCP.exe (PID: 3400)
    • Reads mouse settings

      • MicrosoftEdgeCP.exe (PID: 3400)
    • Reads Environment values

      • RegAsm.exe (PID: 3332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RevengeRat

Process: RegAsm.exe (PID 3332)
C2 (1): marzorevenger.duckdns.org
Ports (1): 4230
Botnet: Marzo26
Options
Mutex: RV_MUTEX-PiGGjjtnxDpn
Splitter: *-]NK[-*
Key: Revenge-RAT

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:04:15 13:41:58+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 49152
InitializedDataSize: 339456
UninitializedDataSize: -
EntryPoint: 0x2800a
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Internet Explorer
OriginalFileName: IEXPLORE.EXE.MUI
CompanyName: Microsoft Corporation
FileVersion: ...
LegalCopyright: © Microsoft Corporation. Todos los derechos reservados. (Spanish: "All rights reserved")
ProductName: Internet Explorer
ProductVersion: ...
All screenshots are available in the full report
Total processes: 38
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> microsoftedgecp.exe -> regasm.exe (#REVENGERAT)

Process information

PID: 3332
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Indicators: RevengeRAT configuration extracted (see above)
Parent process: MicrosoftEdgeCP.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 3400
CMD: "C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeCP.exe"
Path: C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeCP.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: ...
Modules
Images
c:\users\admin\appdata\local\temp\microsoftedgecp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
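The process table above is the part of this report worth turning into a host-side rule: a binary carrying Microsoft version information runs from %TEMP%, its version resource names a different file (IEXPLORE.EXE.MUI) than the one on disk, and it spawns the signed .NET registration utility RegAsm.exe, which is where the RevengeRAT payload is detected. The following Python is an added example and not part of the ANY.RUN report; the event records are constructed from the table (the parent image paths, the svchost.exe control row and RegAsm.exe's OriginalFileName value are assumed).

```python
"""Host-side triage of the report's process tree (added example; the
events are constructed from the report's process table)."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Microsoft-branded binaries are expected to live under these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Locations a standard user can write to; an image here is a weak signal on its own.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\downloads\\")
# Signed .NET utilities commonly hollowed by commodity RATs (RegAsm.exe among them).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str                   # full path of the executing image
    parent_image: str            # full path of the parent image
    company: str = ""            # CompanyName from the version resource
    description: str = ""        # FileDescription from the version resource
    original_filename: str = ""  # OriginalFileName from the version resource


def triage(ev: ProcEvent) -> list[str]:
    """Return the findings for one process-creation event (empty list = nothing notable)."""
    findings: list[str] = []
    image = ev.image.lower()
    name = PureWindowsPath(image).name
    parent = ev.parent_image.lower()

    if ev.company.lower().startswith("microsoft") and not image.startswith(TRUSTED_ROOTS):
        findings.append(f"Microsoft-branded binary outside Windows/Program Files: {ev.image}")
    if any(marker in image for marker in USER_WRITABLE):
        findings.append("image executes from a user-writable directory")
    # The version resource names a different file than the one on disk
    # (here IEXPLORE.EXE.MUI versus MicrosoftEdgeCP.exe).
    if ev.original_filename and ev.original_filename.lower() != name:
        findings.append(f"OriginalFileName {ev.original_filename!r} does not match image name {name!r}")
    # A .NET utility started by something in a user-writable path is the classic hollowing setup.
    if name in DOTNET_HOSTS and any(marker in parent for marker in USER_WRITABLE):
        parent_name = PureWindowsPath(parent).name
        findings.append(f"{name} spawned by {parent_name} from a user-writable path (possible hollowing host)")
    return findings


def triage_all(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Run triage() over a list of events, keyed by PID."""
    return {ev.pid: triage(ev) for ev in events}


# Constructed from the report's process table. Parent paths, RegAsm.exe's
# OriginalFileName and the svchost.exe control row are assumed.
EVENTS = [
    ProcEvent(3400, r"C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeCP.exe", r"C:\Windows\explorer.exe",
              "Microsoft Corporation", "Internet Explorer", "IEXPLORE.EXE.MUI"),
    ProcEvent(3332, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
              r"C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeCP.exe",
              "Microsoft Corporation", "Microsoft .NET Assembly Registration Utility", "RegAsm.exe"),
    ProcEvent(1372, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              "Microsoft Corporation", "Host Process for Windows Services", "svchost.exe"),
]

if __name__ == "__main__":
    for pid, findings in triage_all(EVENTS).items():
        print(pid, findings or "clean")
```

Run against the constructed events, PID 3400 produces three findings, PID 3332 one (the hollowing-host rule) and the svchost.exe control row none; the path-based rules are deliberately independent of the version resource, so a sample that fixes its OriginalFileName still trips the location checks.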
Total events: 691
Read events: 691
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID 3400, MicrosoftEdgeCP.exe -> C:\Users\admin\AppData\Roaming\at\AudioHandlers.vbs (text)
  MD5: 5DC739721EE149250F350789982A45A7
  SHA256: D71D4C789B61109A93C8FDBC766FC4F5965D7A8AE8985DA38216B6B2E4314A64
PID 3400, MicrosoftEdgeCP.exe -> C:\Users\admin\AppData\Roaming\at\MicrosoftEdgeCP.exe (executable)
  MD5: D23E1D8656C78B7A66B4612E0FDF1044
  SHA256: 065772CCD2BE358711D02F1B97AB7B5C5776735EA86C7D5082DC3B63913DE7C9
PID 3400, MicrosoftEdgeCP.exe -> C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioHandlers.url (text)
  MD5: C3980403F528C8ED9DD1479439EEA951
  SHA256: 2CC1E7EA2DA97B01A70FA5158622DF1286C747B61B37073953E97E736006DA1A
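The three dropped files read as a persistence chain: an Internet Shortcut (.url) in the Startup folder, a .vbs under %APPDATA%\at with the same base name, and a copy of the sample next to the script. The report lists only the hashes, so the shortcut and script bodies in the following Python are constructed to match that chain (that the .url points at the .vbs and the .vbs launches the copied executable is an assumption drawn from the matching names, not something the report states). The code is an added example and not part of the ANY.RUN report.

```python
"""Startup-folder .url persistence check (added example; the .url and
.vbs contents below are constructed, the report gives only hashes)."""
from __future__ import annotations

import configparser
import re
from pathlib import PureWindowsPath
from urllib.parse import unquote, urlparse

STARTUP_MARKER = "\\start menu\\programs\\startup\\"
SCRIPT_SUFFIXES = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\")

# SHA256 of the dropped files as listed in the report (PID 3400), lowercased.
REPORT_DROPPED_SHA256 = {
    "d71d4c789b61109a93c8fdbc766fc4f5965d7a8ae8985da38216b6b2e4314a64":
        r"C:\Users\admin\AppData\Roaming\at\AudioHandlers.vbs",
    "065772ccd2be358711d02f1b97ab7b5c5776735ea86c7d5082dc3b63913de7c9":
        r"C:\Users\admin\AppData\Roaming\at\MicrosoftEdgeCP.exe",
    "2cc1e7ea2da97b01a70fa5158622df1286c747b61b37073953e97e736006da1a":
        r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioHandlers.url",
}


def url_target(url_file_text: str) -> str | None:
    """Return the path named by the URL= key of an [InternetShortcut] file, or None."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(url_file_text)
    url = parser.get("InternetShortcut", "URL", fallback=None)
    if not url:
        return None
    if re.match(r"^[A-Za-z]:[\\/]", url):        # bare drive path: URL=C:\...
        return url
    parsed = urlparse(url)
    if parsed.scheme.lower() == "file":           # file:///C:/... -> C:\...
        return unquote(parsed.path).lstrip("/").replace("/", "\\")
    return url                                    # http(s) and other schemes: returned as-is


def assess_startup_shortcut(url_file_path: str, url_file_text: str) -> list[str]:
    """Flag a Startup-folder shortcut whose target is a script in a user-writable location."""
    if STARTUP_MARKER not in url_file_path.lower():
        return []
    target = url_target(url_file_text)
    if target is None:
        return ["Startup shortcut has no URL= target"]
    t = target.lower()
    findings = []
    if PureWindowsPath(t).suffix in SCRIPT_SUFFIXES:
        findings.append(f"Startup shortcut runs a script: {target}")
    if any(marker in t for marker in USER_WRITABLE):
        findings.append("target lives in a user-writable directory")
    return findings


def executables_launched_by_vbs(vbs_text: str) -> list[str]:
    """Extract quoted Windows paths ending in .exe from a VBScript body (WScript.Shell .Run style)."""
    return re.findall(r'[A-Za-z]:\\[^"\r\n]+?\.exe', vbs_text, re.IGNORECASE)


def reconstruct_chain(url_file_path: str, url_file_text: str, vbs_text: str) -> list[str]:
    """Startup .url -> script -> executable, as an ordered list of paths."""
    chain = [url_file_path]
    target = url_target(url_file_text)
    if target:
        chain.append(target)
    chain.extend(executables_launched_by_vbs(vbs_text))
    return chain


def match_report_hashes(observed: dict[str, str]) -> dict[str, str]:
    """Map observed {path: sha256} pairs to the report's dropped-file paths on a hash match."""
    return {path: REPORT_DROPPED_SHA256[h.lower()]
            for path, h in observed.items() if h.lower() in REPORT_DROPPED_SHA256}


# Constructed sample content (the report lists only hashes, not file bodies).
STARTUP_URL_PATH = r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioHandlers.url"
SAMPLE_URL_TEXT = "[InternetShortcut]\r\nURL=file:///C:/Users/admin/AppData/Roaming/at/AudioHandlers.vbs\r\n"
SAMPLE_VBS_TEXT = ('CreateObject("WScript.Shell").Run '
                   '"""C:\\Users\\admin\\AppData\\Roaming\\at\\MicrosoftEdgeCP.exe""", 0, False\r\n')

if __name__ == "__main__":
    print(assess_startup_shortcut(STARTUP_URL_PATH, SAMPLE_URL_TEXT))
    print(" -> ".join(reconstruct_chain(STARTUP_URL_PATH, SAMPLE_URL_TEXT, SAMPLE_VBS_TEXT)))
```

The shortcut check is scoped to the Startup folder on purpose: a .url pointing at a script is normal on a desktop, but in Startup it is an autorun, and the hash table lets the same code confirm whether an observed file is the exact artifact from this report rather than a look-alike.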
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 13
DNS requests: 8
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
1372 | svchost.exe | GET | 304 | 23.53.40.65:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
1060 | svchost.exe | GET | 304 | 23.53.40.74:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd | unknown | unknown

Connections

PID | Process | IP:Port | Domain | ASN | CN | Reputation
1372 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 224.0.0.252:5355 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
3332 | RegAsm.exe | 186.85.86.137:4230 | marzorevenger.duckdns.org | Telmex Colombia S.A. | CO | unknown
1372 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1372 | svchost.exe | 23.53.40.65:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | unknown

DNS requests

Domain
IP
Reputation
marzorevenger.duckdns.org
  • 186.85.86.137
malicious
dns.msftncsi.com
  • 131.107.255.255
shared
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ctldl.windowsupdate.com
  • 23.53.40.65
  • 23.53.40.74
  • 23.53.40.11
  • 23.53.40.48
  • 23.53.40.32
  • 23.53.40.56
  • 23.53.40.18
  • 23.53.40.58
  • 23.53.40.40
  • 23.53.40.73
  • 23.53.40.83
  • 23.53.40.35
  • 23.53.40.64
  • 23.53.40.67
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted

Threats

PID | Process | Class | Message
1060 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
1060 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
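The two ET INFO alerts fire on the DNS lookup alone; the connection table carries the more specific signal, RegAsm.exe talking to 186.85.86.137:4230 under the DuckDNS name from the extracted configuration. The following Python is an added example and not part of the ANY.RUN report: it applies a dynamic-DNS check in the spirit of the ET rule, a process-to-port check, and a payload check for the configured splitter to events constructed from the DNS, connection and threat tables above. The sample TCP payload is constructed (the report's PCAP is not reproduced here), and its layout, a command word followed by splitter-separated fields, is an assumption rather than something the report shows.

```python
"""Network-side checks for the report's RevengeRAT indicators (added
example; events and payload are constructed from the report's tables)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Values from the extracted RevengeRAT configuration (PID 3332) and the connection table.
C2_HOST = "marzorevenger.duckdns.org"
C2_IP = "186.85.86.137"
C2_PORT = 4230
SPLITTER = b"*-]NK[-*"

# Dynamic-DNS providers to alert on, as the ET INFO DYNAMIC_DNS rules do for duckdns.org (extend as needed).
DDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net", ".hopto.org", ".zapto.org")
# Ports a signed .NET utility has a plausible reason to use; anything else to a public address is reported.
EXPECTED_PORTS = {80, 443}
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


@dataclass(frozen=True)
class DnsEvent:
    pid: int
    process: str
    qname: str
    answers: tuple[str, ...] = ()


@dataclass(frozen=True)
class ConnEvent:
    pid: int
    process: str
    dst_ip: str
    dst_port: int
    domain: str = ""


def check_dns(ev: DnsEvent) -> list[str]:
    """Dynamic-DNS provider and known-C2 checks on one DNS query."""
    findings = []
    qname = ev.qname.lower().rstrip(".")
    if qname.endswith(DDNS_SUFFIXES):
        findings.append(f"dynamic DNS query: {qname}")
    if qname == C2_HOST or C2_IP in ev.answers:
        findings.append("query resolves the known RevengeRAT C2")
    return findings


def check_conn(ev: ConnEvent) -> list[str]:
    """Known-C2 and unusual-port checks on one outbound connection."""
    findings = []
    if ev.dst_ip == C2_IP or ev.domain.lower() == C2_HOST:
        findings.append(f"connection to known C2 {ev.dst_ip}:{ev.dst_port}")
    is_public = ipaddress.ip_address(ev.dst_ip).is_global
    if ev.process.lower() in DOTNET_HOSTS and is_public and ev.dst_port not in EXPECTED_PORTS:
        findings.append(f"{ev.process} to a public host on unusual port {ev.dst_port}")
    return findings


def split_frames(payload: bytes) -> list[bytes]:
    """Split a TCP payload on the configured splitter; an empty list means the splitter is absent."""
    return payload.split(SPLITTER) if SPLITTER in payload else []


def run_checks(dns_events: list[DnsEvent], conn_events: list[ConnEvent]) -> dict[tuple[int, str], list[str]]:
    """Run both checks and keep only events with findings, keyed by (pid, target)."""
    results: dict[tuple[int, str], list[str]] = {}
    for dns in dns_events:
        found = check_dns(dns)
        if found:
            results[(dns.pid, dns.qname)] = found
    for conn in conn_events:
        found = check_conn(conn)
        if found:
            results[(conn.pid, f"{conn.dst_ip}:{conn.dst_port}")] = found
    return results


# Constructed from the report's DNS, connection and threat tables.
DNS_EVENTS = [
    DnsEvent(1060, "svchost.exe", "marzorevenger.duckdns.org", ("186.85.86.137",)),
    DnsEvent(1060, "svchost.exe", "ctldl.windowsupdate.com", ("23.53.40.65", "23.53.40.74")),
]
CONN_EVENTS = [
    ConnEvent(3332, "RegAsm.exe", "186.85.86.137", 4230, "marzorevenger.duckdns.org"),
    ConnEvent(1372, "svchost.exe", "23.53.40.65", 80, "ctldl.windowsupdate.com"),
    ConnEvent(4, "System", "192.168.100.255", 137),
]
# Constructed payload: a command word plus splitter-separated base64 fields (layout assumed, not from the report).
SAMPLE_PAYLOAD = b"Information*-]NK[-*QUJD*-]NK[-*REVF"

if __name__ == "__main__":
    for key, found in run_checks(DNS_EVENTS, CONN_EVENTS).items():
        print(key, found)
    print(split_frames(SAMPLE_PAYLOAD))
```

The unusual-port rule is restricted to public destinations so that the NetBIOS and LLNMR broadcasts in the connection table stay quiet; the splitter check is the one that survives a change of C2 host or port, since the splitter string is baked into the sample's configuration rather than into its infrastructure.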