13372c9ee33607078c92df2537d9600a4c4d3dd8b991fb56aacf281e10a9239c

General

Target

13372c9ee33607078c92df2537d9600a4c4d3dd8b991fb56aacf281e10a9239c.exe
Size

14.9MB
MD5

a2e629210482c695662cd4febf670577
SHA1

4583167b578350ed5f33e2dabb8ff9d973089b09
SHA256

13372c9ee33607078c92df2537d9600a4c4d3dd8b991fb56aacf281e10a9239c
SHA512

7b231d57af0ca7cb5a0ce5085bb2e282c8365b52f02cc0f6d7ba9cf716688e20ab82cb1e8aae6a7f84abbb866bfbcadd2919cea0f4ac707e1f82222166251bb4

Score

4^/10

link pdf

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\RevoUninstallerPro_Portable\Revo Uninstaller Pro Help.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 31 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000008853287a1100557365727300600008000400efbeee3a851a8853287a2a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c0031000000000088536480100041646d696e00380008000400efbe8853287a885364802a00000033000000000003000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 7a0031000000000045549d9811004465736b746f7000640008000400efbe8853287a45549d982a000000ec0100000000020000000000000000003a00000000004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 7c003100000000004554a09810005245564f554e7e310000640008000400efbe45549d984554a0982a000000023301000000070000000000000000000000000000005200650076006f0055006e0069006e007300740061006c006c0065007200500072006f005f0050006f0072007400610062006c006500000018000000	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

268 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

13372c9ee33607078c92df2537d9600a4c4d3dd8b991fb56aacf281e10a9239c.exe

pid process

1336 13372c9ee33607078c92df2537d9600a4c4d3dd8b991fb56aacf281e10a9239c.exe

pid	process
268	explorer.exe

pid	process
1336	13372c9ee33607078c92df2537d9600a4c4d3dd8b991fb56aacf281e10a9239c.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

13372c9ee33607078c92df2537d9600a4c4d3dd8b991fb56aacf281e10a9239c.exe

description	pid	process	target process
PID 1336 wrote to memory of 1720	1336	13372c9ee33607078c92df2537d9600a4c4d3dd8b991fb56aacf281e10a9239c.exe	explorer.exe
PID 1336 wrote to memory of 1720	1336	13372c9ee33607078c92df2537d9600a4c4d3dd8b991fb56aacf281e10a9239c.exe	explorer.exe
PID 1336 wrote to memory of 1720	1336	13372c9ee33607078c92df2537d9600a4c4d3dd8b991fb56aacf281e10a9239c.exe	explorer.exe
PID 1336 wrote to memory of 1720	1336	13372c9ee33607078c92df2537d9600a4c4d3dd8b991fb56aacf281e10a9239c.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\13372c9ee33607078c92df2537d9600a4c4d3dd8b991fb56aacf281e10a9239c.exe
"C:\Users\Admin\AppData\Local\Temp\13372c9ee33607078c92df2537d9600a4c4d3dd8b991fb56aacf281e10a9239c.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" C:\Users\Admin\Desktop\RevoUninstallerPro_Portable
2⤵
PID:1720

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:268

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RevoUninstallerPro_Portable\LicenseAgreement.txt
MD5
c18309977e230c3216a6f8d2f72e28c8

SHA1
e4112dc9cbe20b29de4d81f6eaf8512e9930a509

SHA256
bc19d086ec4998adf348a54cce92ad5ceae6a729fcc76b5d1b1f2f73f319df00

SHA512
08ed27de4b1f181f08b24eda1038f7dc12d8f3433ef61b95df7ac694d6009a93f2ff458a6defe5aa9cdd228b75c64f8d0af995d0926d9da21ebdae2b19a0535f

Download Submit
C:\Users\Admin\Desktop\RevoUninstallerPro_Portable\Revo Uninstaller Pro Help.pdf
MD5
7e1640923eb9fff9e7e7271ed9301649

SHA1
17a9bf056789fbafd0cb3cfdf44e4e54c5d3ce65

SHA256
4c597d92910d9be69bad33086ed960195008e4a362b93ad4e61467a15c5e19da

SHA512
7392bd149169de36034f6544ac477c788b98d9380ab9c205c5d6c69d78dea9174471f9101d71423e1ec01f5a2a9d0880233b73d6840fdd15fed3ee8f69ac9b40

Download Submit
C:\Users\Admin\Desktop\RevoUninstallerPro_Portable\RevoUPPort.exe
MD5
2bd423a31680a629d49706e0ead97da1

SHA1
1cc33dd011f9d97d45f8ae39712316196e015641

SHA256
0771b98294719f47447123fcc3a819db4710eef00f38b6232b5e06abd86d850c

SHA512
10644e6cb8faccfe26b2c4eed6b6f13d5ce6c4b702de02865a947ee010d46d051e341e41666c2c294a389d582483cba757ab477a2b44ef1fe248871ce0df74c1

Download Submit
C:\Users\Admin\Desktop\RevoUninstallerPro_Portable\rupilogs.rupldb
MD5
7ddce4fe7f6a3d48c3508690b98d042e

SHA1
0a083109d5e09de97921e0463d5d0ffb88e593d6

SHA256
96031cc05cde1082ba2d1a6aeefd631b4dc6e69491ed58d54eb53a0baecb5b18

SHA512
2ce91883711dd0d1385dd2acf4474ae9056ff3ca0ce2d4fd0fb48a1ba8770063d9d20455810623686d7e48bdc9b5a6199ade0263a558811406285835a7d9bc1f

Download Submit
memory/268-60-0x00000000039C0000-0x00000000039D0000-memory.dmp

Filesize
64KB

Download
memory/268-61-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/1336-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1336-57-0x0000000074521000-0x0000000074523000-memory.dmp

Filesize
8KB

Download
memory/1720-58-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads