Overview

overview

8

Static

static

3

Remove-Edge.exe

windows7-x64

7

Remove-Edge.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    1402s
  • max time network
    1229s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-03-2023 22:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Remove-Edge.exe

  • Size

    8.5MB

  • MD5

    90cd506989e066e6733006803bf45886

  • SHA1

    0e1da5ae0616ffb3636b78bb71b0412c08ee471e

  • SHA256

    d4f72966550109f0fa2a139e26b9ea21c4ec776911ade96a3552104f7cf2f926

  • SHA512

    5c2afcf55a14602ec640fe0ba5ac5aee4ebb94e891284c3a1b891cdd7dfdd2856fa76299ed055a8fcaf9528a5a61c15e69fc1d822e9a558359b16f1f2c9ba125

  • SSDEEP

    196608:I9oqdQmR5dA6lsuErSEEJwdF6OlvJHDO6YZYPXk0:I9dQ2ls+9JOh8Z8

Score
8/10
adwarepersistencestealer

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 56 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe
    "C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4340
    • C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe
      "C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        setup.exe --uninstall --system-level --force-uninstall
        3⤵
        • Modifies Installed Components in the registry
        • Checks computer location settings
        • Executes dropped EXE
        • Registers COM server for autorun
        • Adds Run key to start application
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4500
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff61650eb10,0x7ff61650eb20,0x7ff61650eb30
          4⤵
          • Executes dropped EXE
          PID:636
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4500" "1700" "1532" "1696" "0" "0" "0" "0" "0" "0" "0" "0"
          4⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:2836
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4500" "1532" "1660" "1684" "0" "0" "0" "0" "0" "0" "0" "0"
          4⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:4532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3
T1060

Browser Extensions

1
T1176

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    Filesize

    3.6MB

    MD5

    593b7497327222d69048f7f6204b1886

    SHA1

    56ee397b91b5235ad5fb3259e35676c633b46022

    SHA256

    4963532e63884a66ecee0386475ee423ae7f7af8a6c6d160cf1237d085adf05e

    SHA512

    45999be23e1ae2229575e6f32e56b57a732f51f015b2edb31653837a5592d6ed0edb29783eb21a18a42585ea5c0a50a8a996732233a2202f66eb1242d2a56fc1

    Download Submit
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    Filesize

    3.6MB

    MD5

    593b7497327222d69048f7f6204b1886

    SHA1

    56ee397b91b5235ad5fb3259e35676c633b46022

    SHA256

    4963532e63884a66ecee0386475ee423ae7f7af8a6c6d160cf1237d085adf05e

    SHA512

    45999be23e1ae2229575e6f32e56b57a732f51f015b2edb31653837a5592d6ed0edb29783eb21a18a42585ea5c0a50a8a996732233a2202f66eb1242d2a56fc1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI43402\VCRUNTIME140.dll
    Filesize

    106KB

    MD5

    870fea4e961e2fbd00110d3783e529be

    SHA1

    a948e65c6f73d7da4ffde4e8533c098a00cc7311

    SHA256

    76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

    SHA512

    0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI43402\VCRUNTIME140.dll
    Filesize

    106KB

    MD5

    870fea4e961e2fbd00110d3783e529be

    SHA1

    a948e65c6f73d7da4ffde4e8533c098a00cc7311

    SHA256

    76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

    SHA512

    0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI43402\_ctypes.pyd
    Filesize

    120KB

    MD5

    df6be515e183a0e4dbe9cdda17836664

    SHA1

    a5e8796189631c1aaca6b1c40bc5a23eb20b85db

    SHA256

    af598ae52ddc6869f24d36a483b77988385a5bbbf4618b2e2630d89d10a107ee

    SHA512

    b3f23530de7386cc4dcf6ad39141240e56d36322e3d4041e40d69d80dd529d1f8ef5f65b55cdca9641e378603b5252acfe5d50f39f0c6032fd4c307f73ef9253

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI43402\_ctypes.pyd
    Filesize

    120KB

    MD5

    df6be515e183a0e4dbe9cdda17836664

    SHA1

    a5e8796189631c1aaca6b1c40bc5a23eb20b85db

    SHA256

    af598ae52ddc6869f24d36a483b77988385a5bbbf4618b2e2630d89d10a107ee

    SHA512

    b3f23530de7386cc4dcf6ad39141240e56d36322e3d4041e40d69d80dd529d1f8ef5f65b55cdca9641e378603b5252acfe5d50f39f0c6032fd4c307f73ef9253

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI43402\base_library.zip
    Filesize

    1.7MB

    MD5

    c6b150f2eca4eec01765bdae9a78e097

    SHA1

    1eaf2a18863af05d4f8183978ea6ecadd21ed3de

    SHA256

    b8e074772e3f8203de0e4313ac274de4d4e5b5e847a3fe3dc4171413ea2a4502

    SHA512

    697cdcd1f23cf67683836cca593df643f3f2d3f139fdbf86bf990bd7c29a6721d8199fbff491cb234d2fb65bcd4f32f07796b8b522b895a52095d17628beb846

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI43402\libffi-8.dll
    Filesize

    37KB

    MD5

    d86a9d75380fab7640bb950aeb05e50e

    SHA1

    1c61aaf9022cd1f09a959f7b2a65fb1372d187d7

    SHA256

    68fba9dd89bfad35f8fd657b9af22a8aebda31bffda35058a7f5ae376136e89b

    SHA512

    18437e64061221be411a1587f634b4b8efa60e661dbc35fd96a6d0e7eff812752de0ada755c01f286efefc47fb5f2daf07953b4cfc4119121b6bee7756c88d0f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI43402\libffi-8.dll
    Filesize

    37KB

    MD5

    d86a9d75380fab7640bb950aeb05e50e

    SHA1

    1c61aaf9022cd1f09a959f7b2a65fb1372d187d7

    SHA256

    68fba9dd89bfad35f8fd657b9af22a8aebda31bffda35058a7f5ae376136e89b

    SHA512

    18437e64061221be411a1587f634b4b8efa60e661dbc35fd96a6d0e7eff812752de0ada755c01f286efefc47fb5f2daf07953b4cfc4119121b6bee7756c88d0f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI43402\python311.dll
    Filesize

    5.5MB

    MD5

    a72993488cecd88b3e19487d646f88f6

    SHA1

    5d359f4121e0be04a483f9ad1d8203ffc958f9a0

    SHA256

    aa1e959dcff75a343b448a797d8a5a041eb03b27565a30f70fd081df7a285038

    SHA512

    c895176784b9ac89c9b996c02ec0d0a3f7cd6ebf653a277c20dec104da6a11db084c53dd47c7b6653a448d877ad8e5e79c27db4ea6365ebb8ca2a78aa9c61b38

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI43402\python311.dll
    Filesize

    5.5MB

    MD5

    a72993488cecd88b3e19487d646f88f6

    SHA1

    5d359f4121e0be04a483f9ad1d8203ffc958f9a0

    SHA256

    aa1e959dcff75a343b448a797d8a5a041eb03b27565a30f70fd081df7a285038

    SHA512

    c895176784b9ac89c9b996c02ec0d0a3f7cd6ebf653a277c20dec104da6a11db084c53dd47c7b6653a448d877ad8e5e79c27db4ea6365ebb8ca2a78aa9c61b38

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI43402\setup.exe
    Filesize

    3.6MB

    MD5

    593b7497327222d69048f7f6204b1886

    SHA1

    56ee397b91b5235ad5fb3259e35676c633b46022

    SHA256

    4963532e63884a66ecee0386475ee423ae7f7af8a6c6d160cf1237d085adf05e

    SHA512

    45999be23e1ae2229575e6f32e56b57a732f51f015b2edb31653837a5592d6ed0edb29783eb21a18a42585ea5c0a50a8a996732233a2202f66eb1242d2a56fc1

    Download Submit