Analysis
max time kernel: 80s
max time network: 81s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 08-11-2024 20:05
Behavioral task behavioral1
Sample: Remove-EdgeWeb.exe
Resource: win11-20241007-en
Behavioral task behavioral2
Sample: edge.ps1
Resource: win11-20241007-en
General
Target: Remove-EdgeWeb.exe
Size: 7.7MB
MD5: e593600b27b955018094cff096c98cea
SHA1: ca675c0a032a5a646d6205180d0e18125876d47d
SHA256: 798a7c7a1dfe7d822f1c85c6f05965f54f03a3d695cad876f7586bd0f07735c4
SHA512: 71599f3558a9c7e3b6bfd1cd554a7821d6c8edce5d593cb9e76d17dbead8f4f467e6300e95e57cc2b3f9480115234be58e451355ad926b849754522ba953ba75
SSDEEP: 196608:D/8Olb2w9+L0YFqQxA10++MvJHDO6D3U/7F1gG:Dplq5L0HQK1HnEzFaG
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Note that both IoCs recorded here are key deletions by setup.exe (the Edge installer run with --uninstall, see the process tree), i.e. the existing Edge Active Setup component was removed for the machine and for the current user; no new component was added.
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | setup.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | setup.exe
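How Active Setup decides whether a component's StubPath runs, as an added example that is not part of this report or of the sample: the script models the per-user gating (HKLM component present, HKCU record missing or at a lower Version, IsInstalled not 0) and shows what deleting a component GUID from both hives, as setup.exe does above, changes. The registry snapshots are constructed; the element-wise numeric Version comparison padded to four fields, the rogue GUID and the StubPath strings are this example's assumptions, and only the Edge GUID comes from the report.

```python
"""Active Setup logon-stub evaluation (added example; not from the sandbox report).

Modelled rule: a component GUID under HKLM\SOFTWARE\Microsoft\Active Setup\
Installed Components runs its StubPath at a user's next logon when the user's
HKCU copy of that GUID is missing or carries a lower Version; IsInstalled=0
disables it. Version strings are comma-separated integers ("1,0,0,0"); the
element-wise numeric comparison padded to four fields is this example's
assumption. Hive contents below are constructed; only the Edge GUID is the one
the report shows being deleted.
"""
from __future__ import annotations

EDGE_GUID = "{9459C573-B17A-45AE-9F64-1857B5D58CEE}"


def parse_version(value: str | None) -> tuple[int, ...]:
    """'1,0,0,0' -> (1, 0, 0, 0); missing/blank -> zeros; non-numeric fields -> 0."""
    fields = [0, 0, 0, 0]
    for i, part in enumerate((value or "").split(",")[:4]):
        part = part.strip()
        fields[i] = int(part) if part.isdigit() else 0
    return tuple(fields)


def pending_stubs(hklm: dict[str, dict], hkcu: dict[str, dict]) -> list[tuple[str, str]]:
    """(guid, StubPath) pairs that would execute for this user at the next logon."""
    runs = []
    for guid, comp in hklm.items():
        stub = comp.get("StubPath")
        if not stub or str(comp.get("IsInstalled", "1")) == "0":
            continue  # nothing to run, or explicitly disabled
        mine = hkcu.get(guid)
        if mine is None or parse_version(mine.get("Version")) < parse_version(comp.get("Version")):
            runs.append((guid, stub))
    return runs


def remove_component(hklm: dict, hkcu: dict, guid: str) -> tuple[dict, dict]:
    """Effect of `reg delete ...\\Installed Components\\<guid> /f` on both hives."""
    return ({g: c for g, c in hklm.items() if g != guid},
            {g: c for g, c in hkcu.items() if g != guid})


# Constructed snapshot: the Edge component already recorded for this user (so it
# will not run again) and a hypothetical attacker-planted component with no
# per-user record (so its StubPath runs at the next logon).
ROGUE_GUID = "{11111111-2222-3333-4444-555555555555}"  # hypothetical
HKLM = {
    EDGE_GUID: {"Version": "1,0,0,0", "IsInstalled": "1",
                "StubPath": r"C:\Program Files (x86)\Microsoft\Edge\Application\setup.exe --configure-user-settings"},  # illustrative
    ROGUE_GUID: {"Version": "1,0,0,0", "StubPath": r"C:\Users\Public\svc.exe"},  # constructed
}
HKCU = {EDGE_GUID: {"Version": "1,0,0,0"}}

if __name__ == "__main__":
    print("pending now:", pending_stubs(HKLM, HKCU))
    print("after Edge component removal:", pending_stubs(*remove_component(HKLM, HKCU, EDGE_GUID)))
```

Raising the HKLM Version above the user's recorded one is the usual way an attacker re-arms a component that has already run, which is why auditing should compare both hives rather than just listing HKLM.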
Possible privilege escalation attempt (4 IoCs)
The four processes are the takeown/icacls pairs run against C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe and C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe (see the process tree). takeown.exe enables SeTakeOwnershipPrivilege (AdjustPrivilegeToken below), so the sample already holds administrator rights; this is ownership and ACL tampering on a protected system directory rather than an escalation from a lower privilege level.
Processes:
pid | process
4580 | takeown.exe
2828 | icacls.exe
2824 | takeown.exe
1772 | icacls.exe
Executes dropped EXE (4 IoCs)
Processes:
pid | process
2444 | setup.exe
1900 | setup.exe
2372 | setup.exe
4632 | setup.exe
Loads dropped DLL (4 IoCs)
The loader is the second Remove-EdgeWeb.exe instance (PID 3048), a child of the first (PID 1288). That self-relaunch, together with the C:\Users\Admin\AppData\Local\Temp\_MEI12882 directory the dropped setup.exe runs from, is the PyInstaller onefile pattern: the bootloader unpacks its payload into %TEMP%\_MEI<pid><n> (here 1288 followed by 2) and re-executes itself from there.
Processes:
pid | process
3048 | Remove-EdgeWeb.exe
3048 | Remove-EdgeWeb.exe
3048 | Remove-EdgeWeb.exe
3048 | Remove-EdgeWeb.exe
Modifies file permissions (1 TTPs, 4 IoCs)
Processes:
pid | process
4580 | takeown.exe
2828 | icacls.exe
2824 | takeown.exe
1772 | icacls.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets. No IoC rows are listed for this signature in the report.
Drops desktop.ini file(s) (1 IoCs)
The modified desktop.ini is the taskbar pin folder; the same folder's "Microsoft Edge.lnk" pin appears under Downloads, consistent with the uninstaller removing the Edge taskbar shortcut.
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | setup.exe
Drops file in Windows directory (4 IoCs)
UserOOBEBroker.exe is a Windows component that appears at the top level of the process tree (started via -Embedding, not by the sample); these Panther log writes are background system activity.
Processes:
description | ioc | process
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
Launches sc.exe (2 IoCs)
sc.exe is a Windows utility to control services on the system. Both invocations here are "sc delete" against the Edge updater services edgeupdate and edgeupdatem (see the process tree).
Processes:
pid | process
4660 | sc.exe
4864 | sc.exe
Command and Scripting Interpreter: PowerShell (3 IoCs)
The signature title is missing from this extract; the three PIDs below are the ones tagged "Command and Scripting Interpreter: PowerShell" in the process tree.
Processes:
pid | process
2388 | powershell.exe
3216 | powershell.exe
2640 | powershell.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 20 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Opening this key is routine for Windows processes (every SysWOW64 helper the sample spawns appears below, as does the unrelated OneDrive FileCoAuth.exe), so on its own it is weak evidence of geolocation intent.
Processes:
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
process (one row each, in the order recorded): schtasks.exe, icacls.exe, cmd.exe, Remove-EdgeWeb.exe, powershell.exe, powershell.exe, powershell.exe, reg.exe, cmd.exe, FileCoAuth.exe, takeown.exe, takeown.exe, icacls.exe, powershell.exe, cmd.exe, sc.exe, sc.exe, cmd.exe, Remove-EdgeWeb.exe, reg.exe
Modifies registry class (13 IoCs)
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell | setup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command | setup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\SHELL\RUNAS\COMMAND | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | setup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM | setup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\APPLICATION | setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | BackgroundTransferHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | BackgroundTransferHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | BackgroundTransferHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache | BackgroundTransferHost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\DEFAULTICON | setup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open | setup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas | setup.exe
Modifies registry key (1 TTPs, 1 IoCs)
No IoC row is listed in this extract; in the process tree the tag is carried by reg.exe (PID 4692), which runs "reg delete HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge /f".
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
pid | process | rows
2444 | setup.exe | 6
2372 | setup.exe | 4
956 | powershell.exe | 2
2388 | powershell.exe | 2
3216 | powershell.exe | 2
2640 | powershell.exe | 2
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
description | pid | process
Token: SeSecurityPrivilege | 1972 | wevtutil.exe
Token: SeBackupPrivilege | 1972 | wevtutil.exe
Token: SeBackupPrivilege | 2444 | setup.exe
Token: SeRestorePrivilege | 2444 | setup.exe
Token: SeBackupPrivilege | 2372 | setup.exe
Token: SeRestorePrivilege | 2372 | setup.exe
Token: SeDebugPrivilege | 956 | powershell.exe
Token: SeDebugPrivilege | 2388 | powershell.exe
Token: SeDebugPrivilege | 3216 | powershell.exe
Token: SeDebugPrivilege | 2640 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4580 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2824 | takeown.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
pid | process
2444 | setup.exe
Suspicious use of WriteProcessMemory (58 IoCs)
Every target below is a direct child of the writing process in the process tree, and each child is written two or three times. That pattern matches ordinary process creation (the parent populating the new child's startup memory) rather than injection into an unrelated process.
Processes:
pid | process | target pid | target process | rows
1288 | Remove-EdgeWeb.exe | 3048 | Remove-EdgeWeb.exe | 3
3048 | Remove-EdgeWeb.exe | 2444 | setup.exe | 2
2444 | setup.exe | 1900 | setup.exe | 2
2444 | setup.exe | 1972 | wevtutil.exe | 2
3048 | Remove-EdgeWeb.exe | 2372 | setup.exe | 2
2372 | setup.exe | 4632 | setup.exe | 2
3048 | Remove-EdgeWeb.exe | 956 | powershell.exe | 3
3048 | Remove-EdgeWeb.exe | 2388 | powershell.exe | 3
3048 | Remove-EdgeWeb.exe | 3216 | powershell.exe | 3
3048 | Remove-EdgeWeb.exe | 2640 | powershell.exe | 3
3048 | Remove-EdgeWeb.exe | 1400 | cmd.exe | 3
3048 | Remove-EdgeWeb.exe | 4572 | reg.exe | 3
3048 | Remove-EdgeWeb.exe | 1192 | schtasks.exe | 3
3048 | Remove-EdgeWeb.exe | 4864 | sc.exe | 3
3048 | Remove-EdgeWeb.exe | 4660 | sc.exe | 3
3048 | Remove-EdgeWeb.exe | 4692 | reg.exe | 3
3048 | Remove-EdgeWeb.exe | 3424 | cmd.exe | 3
3048 | Remove-EdgeWeb.exe | 4508 | cmd.exe | 3
4508 | cmd.exe | 2824 | takeown.exe | 3
4508 | cmd.exe | 1772 | icacls.exe | 3
3048 | Remove-EdgeWeb.exe | 4828 | cmd.exe | 3
Processes
C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe (depth 1, PID 1288)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe (depth 2, PID 3048)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe (depth 3, PID 2444)
      Command line: C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --uninstall --system-level --force-uninstall
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe (depth 4, PID 1900)
        Command line: C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x238,0x23c,0x240,0x210,0x244,0x7ff67524eb10,0x7ff67524eb20,0x7ff67524eb30
        - Executes dropped EXE
      C:\Windows\system32\wevtutil.exe (depth 4, PID 1972)
        Command line: "C:\Windows\system32\wevtutil.exe" um "C:\Users\Admin\AppData\Local\Temp\{3A5F2396-5C8F-4F1F-9B67-6CCA6C990E61}.tmp"
        (um is uninstall-manifest: it unregisters an event provider manifest, which is why SeSecurityPrivilege/SeBackupPrivilege are enabled; it does not clear event logs)
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe (depth 3, PID 2372)
      Command line: C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --uninstall --msedgewebview --system-level --force-uninstall
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe (depth 4, PID 4632)
        Command line: C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff67524eb10,0x7ff67524eb20,0x7ff67524eb30
        - Executes dropped EXE
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 956)
      Command line: powershell "(New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([System.Security.Principal.SecurityIdentifier]).Value"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 2388)
      Command line: powershell -NoProfile -Command "Get-AppxPackage -AllUsers | Where-Object {$_.PackageFullName -like \"*microsoftedge*\"} | Select-Object -ExpandProperty PackageFullName"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 3216)
      Command line: powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge_44.22000.120.0_neutral__8wekyb3d8bbwe 2>$null"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 2640)
      Command line: powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge_44.22000.120.0_neutral__8wekyb3d8bbwe -AllUsers 2>$null"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 1400)
      Command line: C:\Windows\system32\cmd.exe /c "rmdir /q /s "C:\ProgramData\Microsoft\EdgeUpdate""
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 4572)
      Command line: reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" /f
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 1192)
      Command line: schtasks /query /fo csv
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\sc.exe (depth 3, PID 4864)
      Command line: sc delete edgeupdate
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\sc.exe (depth 3, PID 4660)
      Command line: sc delete edgeupdatem
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 4692)
      Command line: reg delete HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge /f
      - System Location Discovery: System Language Discovery
      - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 3424)
      Command line: C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /r /d y && icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /grant administrators:F /t && rd /s /q "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe""
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\takeown.exe (depth 4, PID 4580)
        Command line: takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /r /d y
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\icacls.exe (depth 4, PID 2828)
        Command line: icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /grant administrators:F /t
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 4508)
      Command line: C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /r /d y && icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /grant administrators:F /t && rd /s /q "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe""
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\takeown.exe (depth 4, PID 2824)
        Command line: takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /r /d y
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\icacls.exe (depth 4, PID 1772)
        Command line: icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /grant administrators:F /t
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 4828)
      Command line: C:\Windows\system32\cmd.exe /c "rmdir /q /s "C:\Program Files (x86)\Microsoft\Temp""
      - System Location Discovery: System Language Discovery
C:\Windows\system32\BackgroundTransferHost.exe (depth 1, PID 4904)
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
  - Modifies registry class
C:\Windows\system32\svchost.exe (depth 1, PID 3192)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\System32\oobe\UserOOBEBroker.exe (depth 1, PID 3408)
  Command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  - Drops file in Windows directory
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe (depth 1, PID 5060)
  Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
  - System Location Discovery: System Language Discovery
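Detection logic over process-creation events for the patterns in the tree above, as an added example that is not part of this report or of the sample. The events are constructed from a subset of the PIDs, images and command lines shown (Sysmon event 1 or Security 4688 rows carry the same fields); the protected directory roots, the requirement that takeown and icacls hit the same path under one cmd.exe parent, and the rule names are this example's assumptions. It generalises slightly beyond the page by also catching "reg add" against Active Setup and any "sc delete", not only the Edge ones.

```python
"""Flag protected-directory takeover, service deletion and Active Setup
tampering in process-creation events (added example; not from the report).

Each event is {pid, ppid, image, cmdline}. EVENTS is constructed from the
process tree on this page; PROTECTED_ROOTS and the rules are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict

PROTECTED_ROOTS = (r"c:\windows\systemapps", r"c:\windows\system32", r"c:\program files")
ACTIVE_SETUP = r"active setup\installed components"

EVENTS = [  # constructed from the report's process tree (subset)
    {"pid": 4572, "ppid": 3048, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" /f'},
    {"pid": 4864, "ppid": 3048, "image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc delete edgeupdate"},
    {"pid": 4660, "ppid": 3048, "image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc delete edgeupdatem"},
    {"pid": 4508, "ppid": 3048, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /r /d y && icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /grant administrators:F /t && rd /s /q "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe""'},
    {"pid": 2824, "ppid": 4508, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmdline": r'takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /r /d y'},
    {"pid": 1772, "ppid": 4508, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r'icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /grant administrators:F /t'},
    {"pid": 1400, "ppid": 3048, "image": r"C:\Windows\SysWOW64\cmd.exe",  # plain rmdir: must not fire the takeover rule
     "cmdline": r'C:\Windows\system32\cmd.exe /c "rmdir /q /s "C:\ProgramData\Microsoft\EdgeUpdate""'},
]


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes (quotes stripped)."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def image_name(ev: dict) -> str:
    return ev["image"].rsplit("\\", 1)[-1].lower()


def find_permission_takeover(events: list[dict]) -> list[dict]:
    """cmd.exe whose children takeown and icacls the same path under a protected root."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    findings = []
    for parent in events:
        if image_name(parent) != "cmd.exe":
            continue
        owned, granted = set(), set()
        for child in children[parent["pid"]]:
            tok = tokenize(child["cmdline"])
            low = [t.lower() for t in tok]
            if image_name(child) == "takeown.exe" and "/f" in low and low.index("/f") + 1 < len(tok):
                owned.add(tok[low.index("/f") + 1].lower())
            elif image_name(child) == "icacls.exe" and len(tok) > 1:
                granted.add(tok[1].lower())
        deletes = re.search(r"\b(rd|rmdir)\b", parent["cmdline"], re.I) is not None
        for path in sorted(owned & granted):
            if path.startswith(PROTECTED_ROOTS):
                findings.append({"rule": "protected_dir_takeover", "pid": parent["pid"],
                                 "path": path, "deleted": deletes})
    return findings


def find_service_deletions(events: list[dict]) -> list[dict]:
    """sc.exe delete <service>."""
    out = []
    for ev in events:
        if image_name(ev) != "sc.exe":
            continue
        tok = [t.lower() for t in tokenize(ev["cmdline"])]
        if "delete" in tok and tok.index("delete") + 1 < len(tok):
            out.append({"rule": "service_deleted", "pid": ev["pid"], "service": tok[tok.index("delete") + 1]})
    return out


def find_active_setup_changes(events: list[dict]) -> list[dict]:
    """reg.exe add/delete against the Active Setup Installed Components key."""
    out = []
    for ev in events:
        if image_name(ev) != "reg.exe":
            continue
        tok = tokenize(ev["cmdline"])
        if len(tok) >= 3 and tok[1].lower() in ("add", "delete") and ACTIVE_SETUP in tok[2].lower():
            out.append({"rule": f"active_setup_{tok[1].lower()}", "pid": ev["pid"], "key": tok[2]})
    return out


def run_all(events: list[dict]) -> list[dict]:
    return find_permission_takeover(events) + find_service_deletions(events) + find_active_setup_changes(events)


if __name__ == "__main__":
    for finding in run_all(EVENTS):
        print(finding)
```

Joining takeown and icacls through the parent PID rather than matching either tool alone is what keeps the rule quiet on routine administration; the plain rmdir under PID 1400 is included to show it does not fire without the ownership and ACL steps.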
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  System Services (1)
    Service Execution (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Active Setup (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Active Setup (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  File and Directory Permissions Modification (1)
  Impair Defenses (1)
  Modify Registry (2)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
- Filesize: 1KB
  MD5: c0636f2d138baca01dbb2eedb99bf3d5
  SHA1: 3b927899db0f3e2cb510782592887dc02fc3e400
  SHA256: 10973e727e5b0eb3f12aba60a682d66e79dfd86e4b6cfc454fd8df70c6e1fa8a
  SHA512: 0187a6ccb6428fb24ad4bc4ca14e7ce6f40ae6ca4f352f8e86a15288deb05cb4dd317ef8e9d04dc9ffb24407ecf0924af2c7910830c79366f7e4e48cb4b82b1d
- Filesize: 17KB
  MD5: 8d547fce56ed0e9d4fa26932afc975dd
  SHA1: 32ed15c80b49e22325b66b83dd55077ae3668c04
  SHA256: 5cfb18b79cb0dcf71b06ea0e51c1c16df74c42b07267d0c95dcc6e4ad6d3ac9f
  SHA512: 3ee4d7400034fcd98455c87befe775253d02dd2d839cd2fda3123ae3445f5784b7abcff90e7930be7af698ab2eb8cf50573f2d3b49eb0301585265f3dee50af7
- Filesize: 17KB
  MD5: 84965f86b3aeb3c4a35b1c7403c9aa93
  SHA1: 5ec4076812a02462611b245212248e9cef52d601
  SHA256: 6173c20bd12cc5a16a388a39c7f9c0264e40e5d64ac2f8186f768a6a0f12321a
  SHA512: 758afe1e8da63718e5ea6623e0d73a3e73df98337e416e71a960713226701a221d2bd632327542f96fb2432b12ca5950dba2cf61b57c028fed84ed82d6e6917c
- Filesize: 16KB
  MD5: bd521d05655fd04d4f7c98c2da27a54a
  SHA1: 4e09d53317c019493797f1a29f74f168cc37584e
  SHA256: 94a03550df620e8d2768d1eb79a4c84566b2177f61af58840aa1a60eee7a6f5b
  SHA512: 79dccbc2a2a2bf75baf286ded8e39055b2e2429efd46854d1e6eecc331ec1f38628e91d5c709a9ea759a1640bf76a2f9baa24ea42a71588f461430bcac643cd3
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\0b9737ee-5465-4c08-8b33-cfb81831bd66.down_data
  Filesize: 555KB
  MD5: 5683c0028832cae4ef93ca39c8ac5029
  SHA1: 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
  SHA256: 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
  SHA512: aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
- Filesize: 88KB
  MD5: 17f01742d17d9ffa7d8b3500978fc842
  SHA1: 2da2ff031da84ac8c2d063a964450642e849144d
  SHA256: 70dd90f6ee01854cecf18b1b6d1dfbf30d33c5170ba07ad8b64721f0bdcc235e
  SHA512: c4e617cd808e48cc803343616853adf32b7f2e694b5827392219c69145a43969384d2fc67fa6fa0f5af1ca449eb4932004fbcdd394a5ba092212412b347586f0
- Filesize: 79KB
  MD5: e4519f30e22cd8d4bfe7059d60183ce0
  SHA1: 40fb4def438aa07738961a9f25e7ea1be0c60e7f
  SHA256: 580f42dedd0e70bd7431916ee27db3202b822712af03f418546da89a4c0ad0b1
  SHA512: 5271a99202c9a1e5266a0deaf58c65f0a8fced8b2f1019e80260a79f64b3afdaf22dca72c218c9b3253afe12ac803c5d1ca955b8b29f1c481eff1d584352b02b
- Filesize: 105KB
  MD5: 9c2163d73a2ecdaf34a613c703a13440
  SHA1: f4fcb291c311695d1f5da95020583ecc2aa18ec6
  SHA256: 3bdb7150ad0304035a5f25c69ec6d6ea25c87d056b6713f29a8be96f2b17d057
  SHA512: fd1f96220421a3b63a6b6046cb985093aa41a17ea24adc114c9c54a80d7558be90fcfe56032787ab653ed340b3c8c5b75bd334875d68c85e9a725595cd53779f
- Filesize: 194KB
  MD5: 75f984ae9e97d34293aa1b452baeb15d
  SHA1: 5d6de679ed6fd1155f997bdd2b686ec5d1be4f13
  SHA256: edc9caa73ae4e606012152a6531336c667092cd14a1f03f3166ec8e0b25b48a7
  SHA512: 34a7c72ac5f3f9a28c3a64e6e7d318a5ec81c6e22e03a0e173d65745ba6d8eb1eb3bc411d43678345448977d078849171c506814f0b96f650024a51082b50fe4
- Filesize: 48KB
  MD5: 61ff2a1a01d6dcd0626441c6888f2bf3
  SHA1: ecacdb63666d539c03d2a0efdf4b30b24824d3cb
  SHA256: ae886b9bf59f27bbe4f846972bc22baf550cae46dc6dbc820eafad523ae7da04
  SHA512: 6c089ac9299efb84f6e48259726be799c51b0a2a6cd67104ca8b43cf1aaa6e838ec34c5cfc09c484c93efb59b24bd85aa3a83f098d3e95b6bc01a1fd09943638
- Filesize: 145KB
  MD5: e40cbb898cb17b0f60a67216a6b5cc4d
  SHA1: dc724af9e03a02e1121697a94603bda9d4cff345
  SHA256: ceb38183cc7f2b513588f9d6d1713d115cee127ad06d146de5b230504e126538
  SHA512: 5646ecbf555d8ab369c2c03dca720aa738d1af515fb7302ceffbfcfa65661083c009d6a5aa723d09bb330e10b10ec8509450f4c1b90733c4aeb85c895d4d63bd
- Filesize: 67KB
  MD5: 943124d117b6e9548f6a9d0c34009b52
  SHA1: 1acacb610ed41ab78eea2d093a35f48284698bd0
  SHA256: 5a60284ec53036fedad0057a564f709ab328c8ac77084191d6350d2001004fe2
  SHA512: 89eb4b4163fc3ae29dce7cdd7ca28392c378e5858bbd43a3f556c836284c067406d67eb228047767202c955539cbeaef4228bd2aa8c25627f96d56c35877e89d
- Filesize: 1.4MB
  MD5: 81cd6d012885629791a9e3d9320c444e
  SHA1: 53268184fdbddf8909c349ed3c6701abe8884c31
  SHA256: a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd
  SHA512: d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73
- Filesize: 3.3MB
  MD5: 9a76997e6836c479c5e1993cbb3cefae
  SHA1: 6747a82434daa76239c68e1f75c26f4420f4832d
  SHA256: bdbf2ff122354b0e219df81293de186cecfd966fce64e3831b798ffd7c3fc815
  SHA512: 5fb3f7eeb770f1bdcb06558081441e9fc9bbc618059e33f6864afeb3474033ec1be036cbc5503b74cb56b82894976f03f87e15f1ef5e5bf779de78e15a0c2cdf
- Filesize: 34KB
  MD5: 74d2b5e0120a6faae57042a9894c4430
  SHA1: 592f115016a964b7eb42860b589ed988e9fff314
  SHA256: b982741576a050860c3f3608c7b269dbd35ab296429192b8afa53f1f190069c0
  SHA512: f3c62f270488d224e24e29a078439736fa51c9ac7b0378dd8ac1b6987c8b8942a0131062bd117977a37046d4b1488f0f719f355039692bc21418fdfbb182e231
- Filesize: 4.7MB
  MD5: 9c83364db2337cedb50cefce5772bf28
  SHA1: 6a65ce4bec369e2e2f6aa19e52ac556ceb3445fc
  SHA256: 89b71fca8d164d6e7a98967036212aa1fb28f5554e2a1b1042556c22c514ac16
  SHA512: e3608ced277fce1e64a0d371b928a5bfc0e00d93a3f020a56f698b1aa2f18a80fc726a9f7c25b8d8d98a2b95ca49a03a254b3c704c08772abaadee0b01f8aa48
- Filesize: 26KB
  MD5: e64bdec75ee2e467343742db636c6105
  SHA1: 32645de632215f6410abc1e7102a98cac127ae95
  SHA256: 109146def651028ad4d788a7c6712558f246417410248e2cbcdf0e8c11efad77
  SHA512: 7219b52f4f71048ce1c96aeba4b14d12e8366f7265bc06292f036511ee4b47df7be56e438d88915d92772879ec4d25bb1217e34dfea427b391334edc16705f60
- Filesize: 3.6MB
  MD5: 593b7497327222d69048f7f6204b1886
  SHA1: 56ee397b91b5235ad5fb3259e35676c633b46022
  SHA256: 4963532e63884a66ecee0386475ee423ae7f7af8a6c6d160cf1237d085adf05e
  SHA512: 45999be23e1ae2229575e6f32e56b57a732f51f015b2edb31653837a5592d6ed0edb29783eb21a18a42585ea5c0a50a8a996732233a2202f66eb1242d2a56fc1
- Filesize: 1.1MB
  MD5: 53f8f7e0caaece4a0977a1a6a4663197
  SHA1: 37a259658c970c3aaf527e32454c208cd19331a7
  SHA256: cb85c4932833fc0f5606c6e774a4b9661adcd1a0f8146294eca7ff27418de26c
  SHA512: a3ffa42bc0c7c0529e7936397a4b644f38fec3fae13ac4890f23dd905ce33fe81fe208e0d7f2fcb6f34515f6c95dd030f457d2725bae5b6d4f58646fd84ebf6d
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 3KB
  MD5: 35af4fe2fcee7a6fd6d5093cb736f40a
  SHA1: efdbdbea83a0a98526455494412724691b4c81a3
  SHA256: ab35f3af6970168ad6029946075bf3ba91d5a0d2da3f4ba70f75fd2959a1ddc9
  SHA512: 8fbf989ab022f028505297c042b3e352606b5e04e2a7f75e3a7e95dcd00a307835c56b5fa80d8cac7c3bbfb6735245521ff6347577503cb6c7060256d6129fc4
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
  Filesize: 2KB
  MD5: c8551bf731bde8d889808accf13236a4
  SHA1: de78afa8a7291719b899dde04fdbcdf4f5c502d2
  SHA256: d7c59d4b06cc1dbfbd075ade51660edc8f796ec7966c5f065291a87fae379041
  SHA512: 03acbd75fa6e7299d491b018e8d6d839e8d7bbe0aa3a232a1a30bd34a1cae929b51742b8195d607c75d97514393bea203fb986aed273c0585d87c340384ff1a8
- Filesize: 152B
  MD5: 6564bf4e6e4d0e214e3589ac4b3e2d38
  SHA1: 7998f237ca2bfc96c4bdf13514784d1aede205e6
  SHA256: b6c7af6f5e534b76f2b754b47ad193ff25f897d218402eedbc3a78293d113ed0
  SHA512: daa08428d41753e59919a37999eda7a8b4149a115671b5dda01e2d23389d306d37fe7b52e88005263f3dda1c3eaa644a3bb7befd7ce388c28f5d11a353f8fe28