Overview

overview

7

Static

static

4

RevoUninst...lp.pdf

windows7-x64

1

RevoUninst...lp.pdf

windows10-2004-x64

1

RevoUninst...rt.exe

windows7-x64

4

RevoUninst...rt.exe

windows10-2004-x64

1

RevoUninst...sh.ini

windows7-x64

1

RevoUninst...sh.ini

windows10-2004-x64

1

RevoUninst...Un.exe

windows7-x64

6

RevoUninst...Un.exe

windows10-2004-x64

6

RevoUninst...Un.exe

windows7-x64

6

RevoUninst...Un.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    351s
  • max time network
    362s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-04-2024 14:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RevoUninstaller_Portable/x86/RevoUn.exe

  • Size

    12.2MB

  • MD5

    15657f176a5eea4c0f943da107962d24

  • SHA1

    2e4d2eaa1144ee1dd7d34fa580866a199e0012c7

  • SHA256

    c6762c436785680d7a363821fa7d5767ec71fea45473501dee8c47007bf2b2c4

  • SHA512

    880dbf849d041a96a61de84611c040bf674899bc0ecab693afe2cf911aa37cb537b83ecfd11525fce0d4758bdabe68092d17c6b5e2f4cde3fd58dc96f14bbf15

  • SSDEEP

    196608:EH14G7PwPWpGplR806IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIA8Zk:FPWpGplR8ZWk

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Registers COM server for autorun 1 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 47 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\RevoUninstaller_Portable\x86\RevoUn.exe
    "C:\Users\Admin\AppData\Local\Temp\RevoUninstaller_Portable\x86\RevoUn.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1076
    • C:\Program Files\7-Zip\Uninstall.exe
      "C:\Program Files\7-Zip\Uninstall.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3912
      • C:\Users\Admin\AppData\Local\Temp\7z9B9CDF48\Uninst.exe
        C:\Users\Admin\AppData\Local\Temp\7z9B9CDF48\Uninst.exe /N /D="C:\Program Files\7-Zip\"
        3⤵
        • Executes dropped EXE
        • Registers COM server for autorun
        • Modifies registry class
        PID:4980
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=744 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4144
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4340
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2900

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    2
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7z9B9CDF48\Uninst.exe
      Filesize

      14KB

      MD5

      ad782ffac62e14e2269bf1379bccbaae

      SHA1

      9539773b550e902a35764574a2be2d05bc0d8afc

      SHA256

      1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8

      SHA512

      a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RevoUninstaller_Portable\settings.ini
      Filesize

      860B

      MD5

      be0a819279589bdadf841c1dea2553c3

      SHA1

      2e703cc9aa1a2f0c34c43020b9c21049e3fd02a5

      SHA256

      f963d0ccbcfab5fb945f73ebbfeab2c28724be1ee9807bf38e852af04b7a8aa5

      SHA512

      dd49e60930f956221937326a7d0e4143cf23a1dca114bf73c9faaa2145c4b0155c59201d34dfa1cb903a28eaff7e5538d5db7e5e89955671f57ef82b9ecaa729

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RevoUninstaller_Portable\settings.ini
      Filesize

      1KB

      MD5

      8ea4dbb3715f0f52d89dd4f5ed741c5a

      SHA1

      42cd4729935a87b9294c26903a7d057654264675

      SHA256

      72240677b7821c6098366d57f6fd7c11e0fbd8c53ac124f23495ad4532b13d77

      SHA512

      d7a11b7b271438731fe16c7b6a72f9ec12336f70fe9ee40d16dfb456f80ffb628aa416dc8785e858879084a8a20830eda69a05ee9957896338359d4a8d3939dd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RevoUninstaller_Portable\settings.ini
      Filesize

      2KB

      MD5

      644f97f8b2bd7aa62dfc5e9bda0b65f9

      SHA1

      f1193a02c603521f359ee4b0829dfa9bec5aef3a

      SHA256

      0c56624e3efab3696682ca1553b468ab94de7b62368cc5d6b8188c8a5db4c1a5

      SHA512

      5c3c623dbb6e5e7f7179107c83e57d5fd4925335a0bd04c10c6796c2211c6b2a4432b6955f504d3703c764ab85d0373f4b3c75bd7abfa6428673ca9d2c486f2e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RevoUninstaller_Portable\settings.ini
      Filesize

      3KB

      MD5

      64a5dc9b6019f870316ea260af3c290e

      SHA1

      639374422b7d8b0ed1be7f8665b02a54050a0194

      SHA256

      a153e65f98645d65cec2085b17ba652249c94efd54eaaddf183e79699e641f19

      SHA512

      b8647f3a602c4f25b6123f441db3bf4fbaa086d9f9ebaa61fda88b0ea9f7ffa9c22a1813ef16cb980421383b341ec895f308d93cedb01f12b342822c50fd50d8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RevoUninstaller_Portable\settings.ini
      Filesize

      3KB

      MD5

      123eec63219aa6dd29c7427804ce813f

      SHA1

      1657ce96812dee3cdc912a05df55a9df57bea17f

      SHA256

      8817abe78423526ef4a3e2a34e16e6ff0576865bb85eb71193e38af79307597a

      SHA512

      8ed3d161d65943ee203b0837c2c3414565d0003b26124df7d3f1526acd87a952dba557c2ef48a5fbe6725fe7a2271aa689821e35974291880b9a9d2d5264a488

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RevoUninstaller_Portable\settings.ini
      Filesize

      998B

      MD5

      bcc89ffb1f8032d120f329e08d9ed49b

      SHA1

      399dad1f6b78ba114c1fa91ccf35eceb2465203a

      SHA256

      2ade7d99e0252db6c1fc8040fec0e301670729d3e074b17ef4d6b02448760bf1

      SHA512

      f970f97c5f71eeff24bd3241f57d315d977407b4d28e4791640d21a922363d2fc1979ea086791436deaf6422375465be700f34d081b2e7f0cc7eac5bd5206c8c

      Download Submit