2900e4ec2f5d5b9110e3e850670ecb50c0619ff6b1c0e823138d496820412063

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2900e4ec2f5d5b9110e3e850670ecb50c0619ff6b1c0e823138d496820412063.exe
Size

7.0MB
MD5

40a060537c183fcf3e9aafae16d40239
SHA1

0465e5bed1836c51390e5954652eb4b8d8e0c4a8
SHA256

2900e4ec2f5d5b9110e3e850670ecb50c0619ff6b1c0e823138d496820412063
SHA512

71090448edce671923c6cfe4ad3bfb7328cabd444facf9e4f2494869623456cfc1c3ac64c58148119d405b274e0ddf7d56c19f099105848ae394cda776cce9d0
SSDEEP

196608:2cCuika88MiXKKP11MjDo89ub0bVKaCoa8oEFODs6qJ:oODaj8oEFMs3J

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

revosetup_free_1.94_master.exe

pid process

1412 revosetup_free_1.94_master.exe

pid	process
1412	revosetup_free_1.94_master.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2900e4ec2f5d5b9110e3e850670ecb50c0619ff6b1c0e823138d496820412063.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2900e4ec2f5d5b9110e3e850670ecb50c0619ff6b1c0e823138d496820412063.exe

Loads dropped DLL 2 IoCs

Processes:

revosetup_free_1.94_master.exe

pid process

1412 revosetup_free_1.94_master.exe
1412 revosetup_free_1.94_master.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1412	revosetup_free_1.94_master.exe
1412	revosetup_free_1.94_master.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\0005390F\revosetup_free_1.94_master.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\0005390F\revosetup_free_1.94_master.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\0005390F\revosetup_free_1.94_master.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\0005390F\revosetup_free_1.94_master.exe	nsis_installer_2

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2900e4ec2f5d5b9110e3e850670ecb50c0619ff6b1c0e823138d496820412063.exerevosetup_free_1.94_master.exe

pid process

4880 2900e4ec2f5d5b9110e3e850670ecb50c0619ff6b1c0e823138d496820412063.exe
1412 revosetup_free_1.94_master.exe

pid	process
4880	2900e4ec2f5d5b9110e3e850670ecb50c0619ff6b1c0e823138d496820412063.exe
1412	revosetup_free_1.94_master.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2900e4ec2f5d5b9110e3e850670ecb50c0619ff6b1c0e823138d496820412063.exe

description	pid	process	target process
PID 4880 wrote to memory of 1412	4880	2900e4ec2f5d5b9110e3e850670ecb50c0619ff6b1c0e823138d496820412063.exe	revosetup_free_1.94_master.exe
PID 4880 wrote to memory of 1412	4880	2900e4ec2f5d5b9110e3e850670ecb50c0619ff6b1c0e823138d496820412063.exe	revosetup_free_1.94_master.exe
PID 4880 wrote to memory of 1412	4880	2900e4ec2f5d5b9110e3e850670ecb50c0619ff6b1c0e823138d496820412063.exe	revosetup_free_1.94_master.exe

C:\Users\Admin\AppData\Local\Temp\2900e4ec2f5d5b9110e3e850670ecb50c0619ff6b1c0e823138d496820412063.exe
"C:\Users\Admin\AppData\Local\Temp\2900e4ec2f5d5b9110e3e850670ecb50c0619ff6b1c0e823138d496820412063.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4880

C:\Users\Admin\AppData\Local\Temp\0005390F\revosetup_free_1.94_master.exe
"C:\Users\Admin\AppData\Local\Temp\0005390F\revosetup_free_1.94_master.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0005390F\revosetup_free_1.94_master.exe

Filesize
2.5MB

MD5
979e536f75c1512ca0a13e07835a40fd

SHA1
bf6f4ba40d0f10646e4489b42f0ba462a3ae2089

SHA256
9db1d558be2f207e6ecc0f0210cf9cef0e109ead048790239b4c758ae33bab28

SHA512
d1af8dfb085594b73a258b7506a70ee08e205a3a1fd65c39d53d24d1ab7718a92611ef4d95ef2089ab557e4a14cfbb0d24456bd1efa04018ad0dc2ab1266856d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0005390F\revosetup_free_1.94_master.exe

Filesize
2.5MB

MD5
979e536f75c1512ca0a13e07835a40fd

SHA1
bf6f4ba40d0f10646e4489b42f0ba462a3ae2089

SHA256
9db1d558be2f207e6ecc0f0210cf9cef0e109ead048790239b4c758ae33bab28

SHA512
d1af8dfb085594b73a258b7506a70ee08e205a3a1fd65c39d53d24d1ab7718a92611ef4d95ef2089ab557e4a14cfbb0d24456bd1efa04018ad0dc2ab1266856d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm17CF.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm17CF.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
memory/1412-132-0x0000000000000000-mapping.dmp

Download