a910f47d7c5ce1f4dc1b09dbb3bcdd878d97acc2f3755e25ffa6ae64cc8771d7

General

Target

removeedge.bat
Size

2KB
MD5

5f51dfbc9b44b2d5f0d55699686a891b
SHA1

acfd75219ff08f9e96c45d2022ae4d9a59e89d77
SHA256

a910f47d7c5ce1f4dc1b09dbb3bcdd878d97acc2f3755e25ffa6ae64cc8771d7
SHA512

1b2d1f7879b02c1aa23795f9bbee1b2b60f3730e016ada76c39d3d5df6423d584040bf8adb408928a4e801ceb540dbc6e308d6e0f50e69e829eed45dec44d557

Score

8^/10

discovery exploit persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	regedit.exe

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2536 takeown.exe
2128 icacls.exe
2456 takeown.exe
3584 icacls.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2536 takeown.exe
2128 icacls.exe
2456 takeown.exe
3584 icacls.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2408 taskkill.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

4292 regedit.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetakeown.exe

description pid process

Token: SeDebugPrivilege 2408 taskkill.exe
Token: SeTakeOwnershipPrivilege 2536 takeown.exe

pid	process
2536	takeown.exe
2128	icacls.exe
2456	takeown.exe
3584	icacls.exe

pid	process
2536	takeown.exe
2128	icacls.exe
2456	takeown.exe
3584	icacls.exe

pid	process
2408	taskkill.exe

pid	process
4292	regedit.exe

description	pid	process
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeTakeOwnershipPrivilege	2536	takeown.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3532 wrote to memory of 2408	3532	cmd.exe	taskkill.exe
PID 3532 wrote to memory of 2408	3532	cmd.exe	taskkill.exe
PID 3532 wrote to memory of 3580	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 3580	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 3720	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 3720	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 2536	3532	cmd.exe	takeown.exe
PID 3532 wrote to memory of 2536	3532	cmd.exe	takeown.exe
PID 3532 wrote to memory of 2128	3532	cmd.exe	icacls.exe
PID 3532 wrote to memory of 2128	3532	cmd.exe	icacls.exe
PID 3532 wrote to memory of 3084	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 3084	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 3600	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 3600	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 2456	3532	cmd.exe	takeown.exe
PID 3532 wrote to memory of 2456	3532	cmd.exe	takeown.exe
PID 3532 wrote to memory of 3584	3532	cmd.exe	icacls.exe
PID 3532 wrote to memory of 3584	3532	cmd.exe	icacls.exe
PID 3532 wrote to memory of 540	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 540	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 3212	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 3212	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 2884	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 2884	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 2740	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 2740	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 2924	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 2924	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 2320	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 2320	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 5100	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 5100	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 2572	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 2572	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 4292	3532	cmd.exe	regedit.exe
PID 3532 wrote to memory of 4292	3532	cmd.exe	regedit.exe
PID 3532 wrote to memory of 2024	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 2024	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 1964	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 1964	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 736	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 736	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 4196	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 4196	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 3528	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 3528	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 4832	3532	cmd.exe	cmd.exe
PID 3532 wrote to memory of 4832	3532	cmd.exe	cmd.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\removeedge.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
2⤵
PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
2⤵
PID:3720

C:\Windows\system32\takeown.exe
takeown /a /r /d Y /f C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\system32\icacls.exe
icacls C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe /grant administrators:f /t
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
2⤵
PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\Edge""
2⤵
PID:3600

C:\Windows\system32\takeown.exe
takeown /a /r /d Y /f "C:\Program Files (x86)\Microsoft\Edge"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2456

C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Microsoft\Edge" /grant administrators:f /t
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
2⤵
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeUpdate""
2⤵
PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
2⤵
PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeCore""
2⤵
PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
2⤵
PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeWebView""
2⤵
PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
2⤵
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Editting registry"
2⤵
PID:2572

C:\Windows\regedit.exe
regedit /s RemoveEdge.reg
2⤵
- Modifies Installed Components in the registry
- Runs .reg file with regedit
PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
2⤵
PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\Users\Public\Desktop\Microsoft Edge.lnk""
2⤵
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
2⤵
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk""
2⤵
PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
2⤵
PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk""
2⤵
PID:4832

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RemoveEdge.reg
Filesize
263B

MD5
4c8a079090c727bc831413155239b6a2

SHA1
2d595495c067b1784a427d73bc6658167e13a2bb

SHA256
7cc8c0543a77f3bb508cfc21e86cd957300de4e48c2e1366dc9f1b37ce76a108

SHA512
a33df0d82cfe0d770633a43df3acec53d90bd2bbd222182cd1601bbfe62c8a862ca7a30d2e422d325a3fd0fd68d8a4e8090de9b90fa61c791e6756ff655321f4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads