Analysis Overview
SHA256
798a7c7a1dfe7d822f1c85c6f05965f54f03a3d695cad876f7586bd0f07735c4
Threat Level: Likely malicious
The file Remove-EdgeWeb.exe was found to be: Likely malicious.
Malicious Activity Summary
Stops running service(s)
Boot or Logon Autostart Execution: Active Setup
Possible privilege escalation attempt
Modifies file permissions
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Drops desktop.ini file(s)
Launches sc.exe
Drops file in Windows directory
Detects Pyinstaller
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-08 20:05
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 20:05
Reported
2024-11-08 20:07
Platform
win11-20241007-en
Max time kernel
80s
Max time network
81s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\SHELL\RUNAS\COMMAND | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\APPLICATION | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\DEFAULTICON | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe
"C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe"
C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe
"C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe"
C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe
C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --uninstall --system-level --force-uninstall
C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe
C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x238,0x23c,0x240,0x210,0x244,0x7ff67524eb10,0x7ff67524eb20,0x7ff67524eb30
C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" um "C:\Users\Admin\AppData\Local\Temp\{3A5F2396-5C8F-4F1F-9B67-6CCA6C990E61}.tmp"
C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe
C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --uninstall --msedgewebview --system-level --force-uninstall
C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe
C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff67524eb10,0x7ff67524eb20,0x7ff67524eb30
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([System.Security.Principal.SecurityIdentifier]).Value"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -Command "Get-AppxPackage -AllUsers | Where-Object {$_.PackageFullName -like \"*microsoftedge*\"} | Select-Object -ExpandProperty PackageFullName"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge_44.22000.120.0_neutral__8wekyb3d8bbwe 2>$null"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge_44.22000.120.0_neutral__8wekyb3d8bbwe -AllUsers 2>$null"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "rmdir /q /s "C:\ProgramData\Microsoft\EdgeUpdate""
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /query /fo csv
C:\Windows\SysWOW64\sc.exe
sc delete edgeupdate
C:\Windows\SysWOW64\sc.exe
sc delete edgeupdatem
C:\Windows\SysWOW64\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /r /d y && icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /grant administrators:F /t && rd /s /q "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe""
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /r /d y
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /grant administrators:F /t
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /r /d y && icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /grant administrators:F /t && rd /s /q "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe""
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /r /d y
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /grant administrators:F /t
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "rmdir /q /s "C:\Program Files (x86)\Microsoft\Temp""
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.66.169:443 | tcp | |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| GB | 92.123.128.140:443 | r.bing.com | tcp |
| GB | 92.123.128.140:443 | r.bing.com | tcp |
| GB | 92.123.128.140:443 | r.bing.com | tcp |
| GB | 92.123.128.140:443 | r.bing.com | tcp |
| GB | 92.123.128.140:443 | r.bing.com | tcp |
| GB | 92.123.128.140:443 | r.bing.com | tcp |
| US | 20.42.73.30:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 23.213.251.133:443 | cxcs.microsoft.net | tcp |
| US | 172.202.64.254:443 | arc-ring.msedge.net | tcp |
| US | 4.150.240.254:443 | arm-ring.msedge.net | tcp |
| US | 150.171.69.254:443 | mcr-ring.msedge.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI12882\python311.dll
| MD5 | 9c83364db2337cedb50cefce5772bf28 |
| SHA1 | 6a65ce4bec369e2e2f6aa19e52ac556ceb3445fc |
| SHA256 | 89b71fca8d164d6e7a98967036212aa1fb28f5554e2a1b1042556c22c514ac16 |
| SHA512 | e3608ced277fce1e64a0d371b928a5bfc0e00d93a3f020a56f698b1aa2f18a80fc726a9f7c25b8d8d98a2b95ca49a03a254b3c704c08772abaadee0b01f8aa48 |
C:\Users\Admin\AppData\Local\Temp\_MEI12882\VCRUNTIME140.dll
| MD5 | 17f01742d17d9ffa7d8b3500978fc842 |
| SHA1 | 2da2ff031da84ac8c2d063a964450642e849144d |
| SHA256 | 70dd90f6ee01854cecf18b1b6d1dfbf30d33c5170ba07ad8b64721f0bdcc235e |
| SHA512 | c4e617cd808e48cc803343616853adf32b7f2e694b5827392219c69145a43969384d2fc67fa6fa0f5af1ca449eb4932004fbcdd394a5ba092212412b347586f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI12882\base_library.zip
| MD5 | 81cd6d012885629791a9e3d9320c444e |
| SHA1 | 53268184fdbddf8909c349ed3c6701abe8884c31 |
| SHA256 | a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd |
| SHA512 | d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73 |
C:\Users\Admin\AppData\Local\Temp\_MEI12882\_ctypes.pyd
| MD5 | 9c2163d73a2ecdaf34a613c703a13440 |
| SHA1 | f4fcb291c311695d1f5da95020583ecc2aa18ec6 |
| SHA256 | 3bdb7150ad0304035a5f25c69ec6d6ea25c87d056b6713f29a8be96f2b17d057 |
| SHA512 | fd1f96220421a3b63a6b6046cb985093aa41a17ea24adc114c9c54a80d7558be90fcfe56032787ab653ed340b3c8c5b75bd334875d68c85e9a725595cd53779f |
C:\Users\Admin\AppData\Local\Temp\_MEI12882\libffi-8.dll
| MD5 | 74d2b5e0120a6faae57042a9894c4430 |
| SHA1 | 592f115016a964b7eb42860b589ed988e9fff314 |
| SHA256 | b982741576a050860c3f3608c7b269dbd35ab296429192b8afa53f1f190069c0 |
| SHA512 | f3c62f270488d224e24e29a078439736fa51c9ac7b0378dd8ac1b6987c8b8942a0131062bd117977a37046d4b1488f0f719f355039692bc21418fdfbb182e231 |
C:\Users\Admin\AppData\Local\Temp\_MEI12882\_socket.pyd
| MD5 | 943124d117b6e9548f6a9d0c34009b52 |
| SHA1 | 1acacb610ed41ab78eea2d093a35f48284698bd0 |
| SHA256 | 5a60284ec53036fedad0057a564f709ab328c8ac77084191d6350d2001004fe2 |
| SHA512 | 89eb4b4163fc3ae29dce7cdd7ca28392c378e5858bbd43a3f556c836284c067406d67eb228047767202c955539cbeaef4228bd2aa8c25627f96d56c35877e89d |
C:\Users\Admin\AppData\Local\Temp\_MEI12882\_lzma.pyd
| MD5 | e40cbb898cb17b0f60a67216a6b5cc4d |
| SHA1 | dc724af9e03a02e1121697a94603bda9d4cff345 |
| SHA256 | ceb38183cc7f2b513588f9d6d1713d115cee127ad06d146de5b230504e126538 |
| SHA512 | 5646ecbf555d8ab369c2c03dca720aa738d1af515fb7302ceffbfcfa65661083c009d6a5aa723d09bb330e10b10ec8509450f4c1b90733c4aeb85c895d4d63bd |
C:\Users\Admin\AppData\Local\Temp\_MEI12882\_hashlib.pyd
| MD5 | 61ff2a1a01d6dcd0626441c6888f2bf3 |
| SHA1 | ecacdb63666d539c03d2a0efdf4b30b24824d3cb |
| SHA256 | ae886b9bf59f27bbe4f846972bc22baf550cae46dc6dbc820eafad523ae7da04 |
| SHA512 | 6c089ac9299efb84f6e48259726be799c51b0a2a6cd67104ca8b43cf1aaa6e838ec34c5cfc09c484c93efb59b24bd85aa3a83f098d3e95b6bc01a1fd09943638 |
C:\Users\Admin\AppData\Local\Temp\_MEI12882\_decimal.pyd
| MD5 | 75f984ae9e97d34293aa1b452baeb15d |
| SHA1 | 5d6de679ed6fd1155f997bdd2b686ec5d1be4f13 |
| SHA256 | edc9caa73ae4e606012152a6531336c667092cd14a1f03f3166ec8e0b25b48a7 |
| SHA512 | 34a7c72ac5f3f9a28c3a64e6e7d318a5ec81c6e22e03a0e173d65745ba6d8eb1eb3bc411d43678345448977d078849171c506814f0b96f650024a51082b50fe4 |
C:\Users\Admin\AppData\Local\Temp\_MEI12882\_bz2.pyd
| MD5 | e4519f30e22cd8d4bfe7059d60183ce0 |
| SHA1 | 40fb4def438aa07738961a9f25e7ea1be0c60e7f |
| SHA256 | 580f42dedd0e70bd7431916ee27db3202b822712af03f418546da89a4c0ad0b1 |
| SHA512 | 5271a99202c9a1e5266a0deaf58c65f0a8fced8b2f1019e80260a79f64b3afdaf22dca72c218c9b3253afe12ac803c5d1ca955b8b29f1c481eff1d584352b02b |
C:\Users\Admin\AppData\Local\Temp\_MEI12882\unicodedata.pyd
| MD5 | 53f8f7e0caaece4a0977a1a6a4663197 |
| SHA1 | 37a259658c970c3aaf527e32454c208cd19331a7 |
| SHA256 | cb85c4932833fc0f5606c6e774a4b9661adcd1a0f8146294eca7ff27418de26c |
| SHA512 | a3ffa42bc0c7c0529e7936397a4b644f38fec3fae13ac4890f23dd905ce33fe81fe208e0d7f2fcb6f34515f6c95dd030f457d2725bae5b6d4f58646fd84ebf6d |
C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe
| MD5 | 593b7497327222d69048f7f6204b1886 |
| SHA1 | 56ee397b91b5235ad5fb3259e35676c633b46022 |
| SHA256 | 4963532e63884a66ecee0386475ee423ae7f7af8a6c6d160cf1237d085adf05e |
| SHA512 | 45999be23e1ae2229575e6f32e56b57a732f51f015b2edb31653837a5592d6ed0edb29783eb21a18a42585ea5c0a50a8a996732233a2202f66eb1242d2a56fc1 |
C:\Users\Admin\AppData\Local\Temp\_MEI12882\select.pyd
| MD5 | e64bdec75ee2e467343742db636c6105 |
| SHA1 | 32645de632215f6410abc1e7102a98cac127ae95 |
| SHA256 | 109146def651028ad4d788a7c6712558f246417410248e2cbcdf0e8c11efad77 |
| SHA512 | 7219b52f4f71048ce1c96aeba4b14d12e8366f7265bc06292f036511ee4b47df7be56e438d88915d92772879ec4d25bb1217e34dfea427b391334edc16705f60 |
C:\Users\Admin\AppData\Local\Temp\_MEI12882\libcrypto-3.dll
| MD5 | 9a76997e6836c479c5e1993cbb3cefae |
| SHA1 | 6747a82434daa76239c68e1f75c26f4420f4832d |
| SHA256 | bdbf2ff122354b0e219df81293de186cecfd966fce64e3831b798ffd7c3fc815 |
| SHA512 | 5fb3f7eeb770f1bdcb06558081441e9fc9bbc618059e33f6864afeb3474033ec1be036cbc5503b74cb56b82894976f03f87e15f1ef5e5bf779de78e15a0c2cdf |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
| MD5 | c8551bf731bde8d889808accf13236a4 |
| SHA1 | de78afa8a7291719b899dde04fdbcdf4f5c502d2 |
| SHA256 | d7c59d4b06cc1dbfbd075ade51660edc8f796ec7966c5f065291a87fae379041 |
| SHA512 | 03acbd75fa6e7299d491b018e8d6d839e8d7bbe0aa3a232a1a30bd34a1cae929b51742b8195d607c75d97514393bea203fb986aed273c0585d87c340384ff1a8 |
C:\Windows\TEMP\MsEdgeCrashpad\settings.dat
| MD5 | 6564bf4e6e4d0e214e3589ac4b3e2d38 |
| SHA1 | 7998f237ca2bfc96c4bdf13514784d1aede205e6 |
| SHA256 | b6c7af6f5e534b76f2b754b47ad193ff25f897d218402eedbc3a78293d113ed0 |
| SHA512 | daa08428d41753e59919a37999eda7a8b4149a115671b5dda01e2d23389d306d37fe7b52e88005263f3dda1c3eaa644a3bb7befd7ce388c28f5d11a353f8fe28 |
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log
| MD5 | 35af4fe2fcee7a6fd6d5093cb736f40a |
| SHA1 | efdbdbea83a0a98526455494412724691b4c81a3 |
| SHA256 | ab35f3af6970168ad6029946075bf3ba91d5a0d2da3f4ba70f75fd2959a1ddc9 |
| SHA512 | 8fbf989ab022f028505297c042b3e352606b5e04e2a7f75e3a7e95dcd00a307835c56b5fa80d8cac7c3bbfb6735245521ff6347577503cb6c7060256d6129fc4 |
memory/956-59-0x00000000052B0000-0x00000000052E6000-memory.dmp
memory/956-60-0x0000000005930000-0x0000000005F5A000-memory.dmp
memory/956-61-0x00000000058A0000-0x00000000058C2000-memory.dmp
memory/956-62-0x0000000006190000-0x00000000061F6000-memory.dmp
memory/956-63-0x0000000006200000-0x0000000006266000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mfco2ndu.vcz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/956-72-0x0000000006270000-0x00000000065C7000-memory.dmp
memory/956-73-0x0000000006730000-0x000000000674E000-memory.dmp
memory/956-74-0x0000000006780000-0x00000000067CC000-memory.dmp
memory/956-75-0x0000000007F90000-0x000000000860A000-memory.dmp
memory/956-76-0x0000000006C80000-0x0000000006C9A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | c0636f2d138baca01dbb2eedb99bf3d5 |
| SHA1 | 3b927899db0f3e2cb510782592887dc02fc3e400 |
| SHA256 | 10973e727e5b0eb3f12aba60a682d66e79dfd86e4b6cfc454fd8df70c6e1fa8a |
| SHA512 | 0187a6ccb6428fb24ad4bc4ca14e7ce6f40ae6ca4f352f8e86a15288deb05cb4dd317ef8e9d04dc9ffb24407ecf0924af2c7910830c79366f7e4e48cb4b82b1d |
memory/2388-80-0x0000000005D00000-0x0000000006057000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd521d05655fd04d4f7c98c2da27a54a |
| SHA1 | 4e09d53317c019493797f1a29f74f168cc37584e |
| SHA256 | 94a03550df620e8d2768d1eb79a4c84566b2177f61af58840aa1a60eee7a6f5b |
| SHA512 | 79dccbc2a2a2bf75baf286ded8e39055b2e2429efd46854d1e6eecc331ec1f38628e91d5c709a9ea759a1640bf76a2f9baa24ea42a71588f461430bcac643cd3 |
memory/2388-90-0x0000000007410000-0x0000000007444000-memory.dmp
memory/2388-91-0x0000000070820000-0x000000007086C000-memory.dmp
memory/2388-100-0x00000000073F0000-0x000000000740E000-memory.dmp
memory/2388-101-0x00000000074E0000-0x0000000007584000-memory.dmp
memory/2388-102-0x00000000076C0000-0x00000000076DC000-memory.dmp
memory/2388-103-0x0000000007880000-0x000000000788A000-memory.dmp
memory/2388-104-0x0000000007930000-0x0000000007956000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8d547fce56ed0e9d4fa26932afc975dd |
| SHA1 | 32ed15c80b49e22325b66b83dd55077ae3668c04 |
| SHA256 | 5cfb18b79cb0dcf71b06ea0e51c1c16df74c42b07267d0c95dcc6e4ad6d3ac9f |
| SHA512 | 3ee4d7400034fcd98455c87befe775253d02dd2d839cd2fda3123ae3445f5784b7abcff90e7930be7af698ab2eb8cf50573f2d3b49eb0301585265f3dee50af7 |
memory/3216-115-0x0000000070820000-0x000000007086C000-memory.dmp
memory/2640-133-0x0000000005E80000-0x00000000061D7000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 84965f86b3aeb3c4a35b1c7403c9aa93 |
| SHA1 | 5ec4076812a02462611b245212248e9cef52d601 |
| SHA256 | 6173c20bd12cc5a16a388a39c7f9c0264e40e5d64ac2f8186f768a6a0f12321a |
| SHA512 | 758afe1e8da63718e5ea6623e0d73a3e73df98337e416e71a960713226701a221d2bd632327542f96fb2432b12ca5950dba2cf61b57c028fed84ed82d6e6917c |
memory/2640-135-0x0000000070820000-0x000000007086C000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\0b9737ee-5465-4c08-8b33-cfb81831bd66.down_data
| MD5 | 5683c0028832cae4ef93ca39c8ac5029 |
| SHA1 | 248755e4e1db552e0b6f8651b04ca6d1b31a86fb |
| SHA256 | 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e |
| SHA512 | aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 20:05
Reported
2024-11-08 20:08
Platform
win11-20241007-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\edge.ps1
Network
Files
memory/2708-0-0x00007FFF856F3000-0x00007FFF856F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qcurfaf0.x20.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2708-9-0x000001E3C5AA0000-0x000001E3C5AC2000-memory.dmp
memory/2708-10-0x00007FFF856F0000-0x00007FFF861B2000-memory.dmp
memory/2708-11-0x00007FFF856F0000-0x00007FFF861B2000-memory.dmp
memory/2708-12-0x00007FFF856F0000-0x00007FFF861B2000-memory.dmp
memory/2708-14-0x00007FFF856F0000-0x00007FFF861B2000-memory.dmp
memory/2708-16-0x00007FFF856F0000-0x00007FFF861B2000-memory.dmp