Analysis Overview
SHA256
a72d568653e84ccb39046221ec4c8fa70ef4a1ab9aa2fe47433a626feea4992a
Threat Level: Likely malicious
The file uninstall-edge.bat was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Possible privilege escalation attempt
Modifies file permissions
Kills process with taskkill
Runs .reg file with regedit
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-07 09:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 09:03
Reported
2024-08-07 09:05
Platform
win7-20240705-en
Max time kernel
16s
Max time network
16s
Command Line
Signatures
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\uninstall-edge.bat"
C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\Edge""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeUpdate""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeCore""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeWebView""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Editting registry"
C:\Windows\regedit.exe
regedit /s RemoveEdge.reg
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\Users\Public\Desktop\Microsoft Edge.lnk""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk""
Network
Files
C:\Users\Admin\Desktop\RemoveEdge.reg
| MD5 | 4c8a079090c727bc831413155239b6a2 |
| SHA1 | 2d595495c067b1784a427d73bc6658167e13a2bb |
| SHA256 | 7cc8c0543a77f3bb508cfc21e86cd957300de4e48c2e1366dc9f1b37ce76a108 |
| SHA512 | a33df0d82cfe0d770633a43df3acec53d90bd2bbd222182cd1601bbfe62c8a862ca7a30d2e422d325a3fd0fd68d8a4e8090de9b90fa61c791e6756ff655321f4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 09:03
Reported
2024-08-07 09:07
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | C:\Windows\regedit.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
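The "Boot or Logon Autostart Execution: Active Setup" signature above fires because the silent import (regedit /s RemoveEdge.reg) deleted an Installed Components key, and a .reg file expresses a key deletion by prefixing the bracketed path with "-". The report gives only the hashes of RemoveEdge.reg, not its text, so the sample below is constructed to reproduce the one effect the sandbox recorded (the {9459C573-B17A-45AE-9F64-1857B5D58CEE} deletion) plus a second, invented Policies key that exercises the set-value and delete-value forms. The parser and the autostart prefix table are an added example written for this page, not tooling from the sandbox or from uninstall-edge.bat; it also goes beyond the page by matching Run/RunOnce keys, which the report does not mention.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample. Only the first key mirrors what the report shows
# (Active Setup component key deleted); the Policies key is made up to
# exercise value handling and does not come from RemoveEdge.reg.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EdgeUpdate]
"ExampleSetting"=dword:00000001
"Obsolete"=-
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}

# Key prefixes (without hive) that regedit imports commonly touch for
# persistence; labels carry the ATT&CK sub-technique.
AUTOSTART = {
    r"software\microsoft\active setup\installed components": "Active Setup (T1547.014)",
    r"software\microsoft\windows\currentversion\run": "Run key (T1547.001)",
    r"software\microsoft\windows\currentversion\runonce": "RunOnce key (T1547.001)",
}


@dataclass
class RegOp:
    op: str                 # delete_key | create_key | set_value | delete_value
    key: str                # full key path with the hive spelled out
    name: str | None = None  # value name, "" for the (Default) value
    value: str | None = None


def normalize_key(key: str) -> str:
    """Expand HKLM/HKCU style abbreviations to the long hive names."""
    hive, _, rest = key.partition("\\")
    hive = HIVES.get(hive.upper(), hive.upper())
    return hive + ("\\" + rest if rest else "")


def parse_reg(text: str) -> list[RegOp]:
    """Turn a .reg file into the operations regedit /s would apply."""
    ops: list[RegOp] = []
    current: str | None = None
    buf = ""
    for raw in text.splitlines():
        line = (buf + raw.strip()) if buf else raw.strip()
        buf = ""
        if line.endswith("\\"):          # hex(...) values continue on the next line
            buf = line[:-1]
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = re.fullmatch(r"\[(-?)(.+)\]", line)
        if m:                            # [key] creates/opens, [-key] deletes the subtree
            current = normalize_key(m.group(2))
            if m.group(1):
                ops.append(RegOp("delete_key", current))
                current = None           # values after a deleted key are meaningless
            else:
                ops.append(RegOp("create_key", current))
            continue
        m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            if m.group(2) == "-":        # "name"=- removes the value
                ops.append(RegOp("delete_value", current, name))
            else:
                ops.append(RegOp("set_value", current, name, m.group(2)))
    return ops


def autostart_hits(ops: list[RegOp]) -> list[tuple[RegOp, str]]:
    """Operations that land under a known autostart location, with a label."""
    hits = []
    for op in ops:
        _, _, rest = op.key.partition("\\")
        rest = rest.lower().replace("wow6432node\\", "")
        for prefix, label in AUTOSTART.items():
            if rest == prefix or rest.startswith(prefix + "\\"):
                hits.append((op, label))
                break
    return hits


if __name__ == "__main__":
    for op, label in autostart_hits(parse_reg(SAMPLE_REG)):
        print(f"{label}: {op.op} {op.key}")
```

A deletion under Installed Components only disables a first-run task; the same parser flags a set_value under Run or RunOnce, which is the direction an actual persistence attempt would take.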
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\uninstall-edge.bat"
C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
C:\Windows\system32\takeown.exe
takeown /a /r /d Y /f C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
C:\Windows\system32\icacls.exe
icacls C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe /grant administrators:f /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\Edge""
C:\Windows\system32\takeown.exe
takeown /a /r /d Y /f "C:\Program Files (x86)\Microsoft\Edge"
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Microsoft\Edge" /grant administrators:f /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeUpdate""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeCore""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeWebView""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Editting registry"
C:\Windows\regedit.exe
regedit /s RemoveEdge.reg
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\Users\Public\Desktop\Microsoft Edge.lnk""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk""
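The process list above is what drives the "Possible privilege escalation attempt", "Modifies file permissions", "Kills process with taskkill" and "Runs .reg file with regedit" signatures: each protected directory is first handed to Administrators with takeown /a and then given full control with icacls /grant administrators:f /t, msedge.exe is force-killed, and a .reg file is imported silently. Note that the win7 run (behavioral1) contains no takeown or icacls children at all, which is why those two signatures are absent there. The triage routine below is an added example written for this page, not part of the sandbox or of uninstall-edge.bat; its input list is copied from the behavioral2 command lines (the echo/set /p cmd.exe children are left out as noise), while PROTECTED_ROOTS, the rule names and the verdict weights are the example's own assumptions.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Command lines copied from the behavioral2 Processes section; the
# "echo" / "set /p" cmd.exe children are omitted.
PROCESS_LIST = [
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\uninstall-edge.bat"',
    r'taskkill /F /IM msedge.exe',
    r'takeown /a /r /d Y /f C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe',
    r'icacls C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe /grant administrators:f /t',
    r'takeown /a /r /d Y /f "C:\Program Files (x86)\Microsoft\Edge"',
    r'icacls "C:\Program Files (x86)\Microsoft\Edge" /grant administrators:f /t',
    r'regedit /s RemoveEdge.reg',
]

# Roots a standard user cannot normally take ownership of or re-ACL.
# Assumption of this example, not something the report states.
PROTECTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")


@dataclass
class Finding:
    rule: str
    image: str
    target: str
    note: str


def split_cmdline(cmdline: str) -> list[str]:
    """Split on whitespace but keep double-quoted spans whole (quotes stripped).
    Enough for the LOLBin lines above; not a CommandLineToArgvW clone."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def image_name(argv0: str) -> str:
    """'C:\\Windows\\system32\\cmd.exe' -> 'cmd', 'taskkill' -> 'taskkill'."""
    name = ntpath.basename(argv0).lower()
    return name[:-4] if name.endswith(".exe") else name


def arg_after(args: list[str], flag: str) -> str | None:
    """Value following a case-insensitive switch such as /f or /grant."""
    for i, a in enumerate(args[:-1]):
        if a.lower() == flag:
            return args[i + 1]
    return None


def is_protected(path: str) -> bool:
    p = path.lower().rstrip("\\")
    return any(p == root or p.startswith(root + "\\") for root in PROTECTED_ROOTS)


def triage(cmdlines: list[str]) -> list[Finding]:
    """Apply the rules behind the report's signatures to a process list."""
    findings: list[Finding] = []
    owned: set[str] = set()  # protected paths already hit by takeown (chain detection)
    for line in cmdlines:
        argv = split_cmdline(line)
        if not argv:
            continue
        image, args = image_name(argv[0]), argv[1:]
        switches = {a.lower() for a in args if a.startswith("/")}

        if image == "taskkill" and "/f" in switches:
            target = arg_after(args, "/im") or arg_after(args, "/pid") or "?"
            findings.append(Finding("taskkill_force", image, target,
                                    "forced kill; taskkill enables SeDebugPrivilege"))

        elif image == "takeown" and (target := arg_after(args, "/f")) and is_protected(target):
            owned.add(target.lower().rstrip("\\"))
            findings.append(Finding("takeown_protected_path", image, target,
                                    "ownership change on a system path (SeTakeOwnershipPrivilege)"))

        elif image == "icacls" and args and (grant := arg_after(args, "/grant")):
            target = args[0]
            principal, _, rights = grant.rpartition(":")
            if rights.strip("()").lower() == "f" and is_protected(target):
                chained = target.lower().rstrip("\\") in owned
                findings.append(Finding(
                    "takeown_icacls_chain" if chained else "icacls_grant_full",
                    image, target,
                    f"full control granted to {principal}"
                    + (" right after takeown on the same path" if chained else "")))

        elif image == "regedit" and "/s" in switches:
            reg_file = next((a for a in args if not a.startswith("/")), "?")
            findings.append(Finding("regedit_silent_import", image, reg_file,
                                    "silent .reg import; relative path resolves against the cwd"))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Coarse rollup; the weights are this example's assumption."""
    weights = {"takeown_icacls_chain": 3, "icacls_grant_full": 2,
               "takeown_protected_path": 2, "regedit_silent_import": 2, "taskkill_force": 1}
    score = sum(weights[f.rule] for f in findings)
    return "likely malicious" if score >= 5 else "suspicious" if score else "clean"


if __name__ == "__main__":
    found = triage(PROCESS_LIST)
    for f in found:
        print(f"{f.rule:24} {f.image:8} {f.target}  ({f.note})")
    print("verdict:", verdict(found))
```

The chain rule is what separates a one-off ACL edit from this script's pattern: takeown on a path followed by icacls /grant ...:f on the same path only succeeds with an elevated token, so seeing it under a user-launched cmd.exe is worth a look even when, as here, the end goal is removing a browser rather than planting one.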
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\RemoveEdge.reg
| MD5 | 4c8a079090c727bc831413155239b6a2 |
| SHA1 | 2d595495c067b1784a427d73bc6658167e13a2bb |
| SHA256 | 7cc8c0543a77f3bb508cfc21e86cd957300de4e48c2e1366dc9f1b37ce76a108 |
| SHA512 | a33df0d82cfe0d770633a43df3acec53d90bd2bbd222182cd1601bbfe62c8a862ca7a30d2e422d325a3fd0fd68d8a4e8090de9b90fa61c791e6756ff655321f4 |