Analysis
-
max time kernel
59s -
max time network
66s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
22-10-2022 00:43
General
-
Target
removeedge.bat
-
Size
2KB
-
MD5
5f51dfbc9b44b2d5f0d55699686a891b
-
SHA1
acfd75219ff08f9e96c45d2022ae4d9a59e89d77
-
SHA256
a910f47d7c5ce1f4dc1b09dbb3bcdd878d97acc2f3755e25ffa6ae64cc8771d7
-
SHA512
1b2d1f7879b02c1aa23795f9bbee1b2b60f3730e016ada76c39d3d5df6423d584040bf8adb408928a4e801ceb540dbc6e308d6e0f50e69e829eed45dec44d557
Score
8/10
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Possible privilege escalation attempt 10 IoCs
-
Modifies file permissions 1 TTPs 10 IoCs
-
Kills process with taskkill 1 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\removeedge.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"2⤵
-
C:\Windows\system32\takeown.exetakeown /a /r /d Y /f C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe /grant administrators:f /t2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\Edge""2⤵
-
C:\Windows\system32\takeown.exetakeown /a /r /d Y /f "C:\Program Files (x86)\Microsoft\Edge"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Microsoft\Edge" /grant administrators:f /t2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeUpdate""2⤵
-
C:\Windows\system32\takeown.exetakeown /a /r /d Y /f "C:\Program Files (x86)\Microsoft\EdgeUpdate"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Microsoft\EdgeUpdate" /grant administrators:f /t2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeCore""2⤵
-
C:\Windows\system32\takeown.exetakeown /a /r /d Y /f "C:\Program Files (x86)\Microsoft\EdgeCore"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Microsoft\EdgeCore" /grant administrators:f /t2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeWebView""2⤵
-
C:\Windows\system32\takeown.exetakeown /a /r /d Y /f "C:\Program Files (x86)\Microsoft\EdgeWebView"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Microsoft\EdgeWebView" /grant administrators:f /t2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /p=Editting registry"2⤵
-
C:\Windows\regedit.exeregedit /s RemoveEdge.reg2⤵
- Modifies Installed Components in the registry
- Runs .reg file with regedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\Users\Public\Desktop\Microsoft Edge.lnk""2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk""2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk""2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\RemoveEdge.regFilesize
263B
MD54c8a079090c727bc831413155239b6a2
SHA12d595495c067b1784a427d73bc6658167e13a2bb
SHA2567cc8c0543a77f3bb508cfc21e86cd957300de4e48c2e1366dc9f1b37ce76a108
SHA512a33df0d82cfe0d770633a43df3acec53d90bd2bbd222182cd1601bbfe62c8a862ca7a30d2e422d325a3fd0fd68d8a4e8090de9b90fa61c791e6756ff655321f4
-
memory/344-134-0x0000000000000000-mapping.dmp
-
memory/512-144-0x0000000000000000-mapping.dmp
-
memory/608-142-0x0000000000000000-mapping.dmp
-
memory/860-136-0x0000000000000000-mapping.dmp
-
memory/956-140-0x0000000000000000-mapping.dmp
-
memory/1288-145-0x0000000000000000-mapping.dmp
-
memory/1424-137-0x0000000000000000-mapping.dmp
-
memory/1644-138-0x0000000000000000-mapping.dmp
-
memory/1664-141-0x0000000000000000-mapping.dmp
-
memory/2100-139-0x0000000000000000-mapping.dmp
-
memory/2172-155-0x0000000000000000-mapping.dmp
-
memory/2308-135-0x0000000000000000-mapping.dmp
-
memory/2344-158-0x0000000000000000-mapping.dmp
-
memory/2440-149-0x0000000000000000-mapping.dmp
-
memory/2504-159-0x0000000000000000-mapping.dmp
-
memory/2744-161-0x0000000000000000-mapping.dmp
-
memory/2808-150-0x0000000000000000-mapping.dmp
-
memory/2904-133-0x0000000000000000-mapping.dmp
-
memory/2976-132-0x0000000000000000-mapping.dmp
-
memory/3208-154-0x0000000000000000-mapping.dmp
-
memory/3508-153-0x0000000000000000-mapping.dmp
-
memory/3616-152-0x0000000000000000-mapping.dmp
-
memory/3652-143-0x0000000000000000-mapping.dmp
-
memory/4064-162-0x0000000000000000-mapping.dmp
-
memory/4076-157-0x0000000000000000-mapping.dmp
-
memory/4364-146-0x0000000000000000-mapping.dmp
-
memory/4552-148-0x0000000000000000-mapping.dmp
-
memory/4556-151-0x0000000000000000-mapping.dmp
-
memory/4688-160-0x0000000000000000-mapping.dmp
-
memory/4864-147-0x0000000000000000-mapping.dmp