Analysis
- max time kernel: 59s
- max time network: 66s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-10-2022 00:43
- Static task: static1
- Behavioral task: behavioral1
  - Sample: removeedge.bat
  - Resource: win7-20220901-en
- Behavioral task: behavioral2
  - Sample: removeedge.bat
  - Resource: win10v2004-20220812-en
General
- Target: removeedge.bat
- Size: 2KB
- MD5: 5f51dfbc9b44b2d5f0d55699686a891b
- SHA1: acfd75219ff08f9e96c45d2022ae4d9a59e89d77
- SHA256: a910f47d7c5ce1f4dc1b09dbb3bcdd878d97acc2f3755e25ffa6ae64cc8771d7
- SHA512: 1b2d1f7879b02c1aa23795f9bbee1b2b60f3730e016ada76c39d3d5df6423d584040bf8adb408928a4e801ceb540dbc6e308d6e0f50e69e829eed45dec44d557
Malware Config
Signatures
- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Processes:
    description: Key deleted
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}
    process: regedit.exe
- Possible privilege escalation attempt (10 IoCs)
  Processes (pid, process):
    860 icacls.exe
    2100 takeown.exe
    512 icacls.exe
    4864 takeown.exe
    3616 icacls.exe
    2308 takeown.exe
    956 icacls.exe
    3652 takeown.exe
    4552 icacls.exe
    4556 takeown.exe
- Modifies file permissions (1 TTP, 10 IoCs)
  Processes (pid, process):
    2100 takeown.exe
    956 icacls.exe
    512 icacls.exe
    4864 takeown.exe
    4552 icacls.exe
    2308 takeown.exe
    860 icacls.exe
    3652 takeown.exe
    4556 takeown.exe
    3616 icacls.exe
- Kills process with taskkill (1 IoC)
  Processes (pid, process):
    2976 taskkill.exe
- Runs .reg file with regedit (1 IoC)
  Processes (pid, process):
    2172 regedit.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege          2976 taskkill.exe
    Token: SeTakeOwnershipPrivilege  2308 takeown.exe
- Suspicious use of WriteProcessMemory (60 IoCs)
  Processes: PID 4620 (cmd.exe) wrote to the memory of each target process below; the report lists every pairing twice, giving 60 IoCs.
  Target (pid, process):
    2976 taskkill.exe
    2904 cmd.exe
    344 cmd.exe
    2308 takeown.exe
    860 icacls.exe
    1424 cmd.exe
    1644 cmd.exe
    2100 takeown.exe
    956 icacls.exe
    1664 cmd.exe
    608 cmd.exe
    3652 takeown.exe
    512 icacls.exe
    1288 cmd.exe
    4364 cmd.exe
    4864 takeown.exe
    4552 icacls.exe
    2440 cmd.exe
    2808 cmd.exe
    4556 takeown.exe
    3616 icacls.exe
    3508 cmd.exe
    3208 cmd.exe
    2172 regedit.exe
    4076 cmd.exe
    2344 cmd.exe
    2504 cmd.exe
    4688 cmd.exe
    2744 cmd.exe
    4064 cmd.exe
Processes
[depth 1] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\removeedge.bat"
  signatures: Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\system32\taskkill.exe
    command line: taskkill /F /IM msedge.exe
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo"

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"

  [depth 2] C:\Windows\system32\takeown.exe
    command line: takeown /a /r /d Y /f C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
    signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\system32\icacls.exe
    command line: icacls C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe /grant administrators:f /t
    signatures: Possible privilege escalation attempt; Modifies file permissions

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo"

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\Edge""

  [depth 2] C:\Windows\system32\takeown.exe
    command line: takeown /a /r /d Y /f "C:\Program Files (x86)\Microsoft\Edge"
    signatures: Possible privilege escalation attempt; Modifies file permissions

  [depth 2] C:\Windows\system32\icacls.exe
    command line: icacls "C:\Program Files (x86)\Microsoft\Edge" /grant administrators:f /t
    signatures: Possible privilege escalation attempt; Modifies file permissions

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo"

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeUpdate""

  [depth 2] C:\Windows\system32\takeown.exe
    command line: takeown /a /r /d Y /f "C:\Program Files (x86)\Microsoft\EdgeUpdate"
    signatures: Possible privilege escalation attempt; Modifies file permissions

  [depth 2] C:\Windows\system32\icacls.exe
    command line: icacls "C:\Program Files (x86)\Microsoft\EdgeUpdate" /grant administrators:f /t
    signatures: Possible privilege escalation attempt; Modifies file permissions

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo"

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeCore""

  [depth 2] C:\Windows\system32\takeown.exe
    command line: takeown /a /r /d Y /f "C:\Program Files (x86)\Microsoft\EdgeCore"
    signatures: Possible privilege escalation attempt; Modifies file permissions

  [depth 2] C:\Windows\system32\icacls.exe
    command line: icacls "C:\Program Files (x86)\Microsoft\EdgeCore" /grant administrators:f /t
    signatures: Possible privilege escalation attempt; Modifies file permissions

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo"

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeWebView""

  [depth 2] C:\Windows\system32\takeown.exe
    command line: takeown /a /r /d Y /f "C:\Program Files (x86)\Microsoft\EdgeWebView"
    signatures: Possible privilege escalation attempt; Modifies file permissions

  [depth 2] C:\Windows\system32\icacls.exe
    command line: icacls "C:\Program Files (x86)\Microsoft\EdgeWebView" /grant administrators:f /t
    signatures: Possible privilege escalation attempt; Modifies file permissions

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo"

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" set /p=Editting registry"

  [depth 2] C:\Windows\regedit.exe
    command line: regedit /s RemoveEdge.reg
    signatures: Modifies Installed Components in the registry; Runs .reg file with regedit

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo"

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\Users\Public\Desktop\Microsoft Edge.lnk""

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo"

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk""

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo"

  [depth 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk""
Downloads
- C:\Users\Admin\Desktop\RemoveEdge.reg
  Filesize: 263B
  MD5: 4c8a079090c727bc831413155239b6a2
  SHA1: 2d595495c067b1784a427d73bc6658167e13a2bb
  SHA256: 7cc8c0543a77f3bb508cfc21e86cd957300de4e48c2e1366dc9f1b37ce76a108
  SHA512: a33df0d82cfe0d770633a43df3acec53d90bd2bbd222182cd1601bbfe62c8a862ca7a30d2e422d325a3fd0fd68d8a4e8090de9b90fa61c791e6756ff655321f4