Overview

overview

8

Static

static

3

Revo Unins....6.exe

windows7-x64

8

Revo Unins....6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 02:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Revo Uninstaller Pro 5.2.6.exe

  • Size

    18.5MB

  • MD5

    2413dc2fe7067dd7738d75446c140096

  • SHA1

    f246ac96e8eb790593ceb0e37896542efc67afe7

  • SHA256

    aa15d5ded58e1dcb2099806b996750c23c2bcb6026f9a5876a8a9ba0e86e5531

  • SHA512

    a49312f62dae510f3f986508fe7dd500650afe95d2f6b92081f33c77636ff5d73c0b3fbcb6b3dc8120b8b83a95f8d82e46cf529263859ec2197f9bdf234b1bcf

  • SSDEEP

    393216:gIBJiczqi8Alo2OtD6Zni1cOK8ZNK/WrH9PF2q5XFpBjFSF24S7ioXyj:RJ31z0VJOW79t2uXFp1FSE4AiCyj

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 16 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 62 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 5.2.6.exe
    "C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 5.2.6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Users\Admin\AppData\Local\Temp\is-NB5P3.tmp\Revo Uninstaller Pro 5.2.6.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NB5P3.tmp\Revo Uninstaller Pro 5.2.6.tmp" /SL5="$40150,19073109,67072,C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 5.2.6.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\system32\rundll32.exe
        "rundll32.exe " SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\Revo Uninstaller Pro\revoflt.inf
        3⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Windows\system32\runonce.exe
          "C:\Windows\system32\runonce.exe" -r
          4⤵
          • Checks processor information in registry
          • Suspicious use of WriteProcessMemory
          PID:1752
          • C:\Windows\System32\grpconv.exe
            "C:\Windows\System32\grpconv.exe" -o
            5⤵
              PID:2296
        • C:\Program Files\Revo Uninstaller Pro\ruplp.exe
          "C:\Program Files\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT
          3⤵
          • Executes dropped EXE
          • Modifies registry class
          PID:1920
        • C:\Program Files\Revo Uninstaller Pro\RevoUninPro.exe
          "C:\Program Files\Revo Uninstaller Pro\RevoUninPro.exe" /bc
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1972
          • C:\Windows\System32\regsvr32.exe
            "C:\Windows\System32\regsvr32.exe" /u /s "C:\Program Files\Revo Uninstaller Pro\RUExt.dll"
            4⤵
            • Loads dropped DLL
            PID:2996
        • C:\Windows\regedit.exe
          "C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\settings.reg"
          3⤵
          • Runs .reg file with regedit
          PID:2312
    • C:\Program Files\Revo Uninstaller Pro\RevoUninPro.exe
      "C:\Program Files\Revo Uninstaller Pro\RevoUninPro.exe"
      1⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2744
    • C:\PROGRA~1\REVOUN~1\ruplp.exe
      C:\PROGRA~1\REVOUN~1\ruplp.exe -Embedding
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:1656

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Revo Uninstaller Pro\RUExt.dll
      Filesize

      187KB

      MD5

      8b9964e06195fd375d126b424e236f03

      SHA1

      6f1741cfeb9fb70c34857dbba3e063c88c3c32fa

      SHA256

      bda04b693bfdea86a7a3b47f2e4ceae9cd9475c4e81b0aa73b70fd244a65f70f

      SHA512

      741019523b4c5f4ef9a7952172309b2d304a84cbd98fff99a719105cc1938157edb1691554a21b9dcd2b523c0f1ab0d37879deefc3b2fa5579c0d8c76cade483

      Download Submit

    • C:\Program Files\Revo Uninstaller Pro\lang\english.ini
      Filesize

      122KB

      MD5

      568164d9ea62cae83ede626832d51331

      SHA1

      4cfca32417534738891a154b872147d1bbe3ce7b

      SHA256

      e82261578d254a099a59fa8e13b5ae99e672b8a10946a253a1f18886cfc89e5a

      SHA512

      5786acedea4be6e39b43c336374ac2bdc5807c69a99c8bb8752edf3bcc78d33b308b2b373d6c1c842af0b47523ac0c291e2c5f3d7b3591ee872ac96e62cd10fb

      Download Submit

    • C:\Program Files\Revo Uninstaller Pro\revoflt.inf
      Filesize

      2KB

      MD5

      edc78deb34de240c787b1011161e9a4e

      SHA1

      2d31275530dce33d3bc329991c8ad59e1b303577

      SHA256

      69569b4b111035cd35186da239d8241cf96350f6bb296210368ebc570fa2162b

      SHA512

      e55eefcc39b7353ef11a778910400c5c85cab9657bb350840988cbbf556dc343a9c1803442643c9255c149f8d93a5c2d2e6c3bea244f67c895e635eaec0a0f7b

      Download Submit

    • C:\Program Files\Revo Uninstaller Pro\ruplp.exe
      Filesize

      9.6MB

      MD5

      216b49b7eb7be44d7ed7367f3725285f

      SHA1

      cf0776ecbc163c738fd43767bedcc2a67acef423

      SHA256

      c6d97857b3b9f26c8e93d7b6e6481f93a16db75cbf9d1756cb29fba0fd9e240e

      SHA512

      060fb76d91bee1b421f133cae17726a68adc97ddce76a67196d10e735e216d032bee939c905b847c50f29e859dca43cdf1b19e4ae349e00efe88147224d665cb

      Download Submit

    • C:\ProgramData\VS Revo Group\Revo Uninstaller Pro\revouninstallerpro5.lic
      Filesize

      64KB

      MD5

      e3c3103e93e2fdc50015dc6679d2ef6c

      SHA1

      37f5f17797719a2d92dece9ce9c1c1ca5c8a9108

      SHA256

      0857c9aa17dd73919316ac10dae5585714843ab38a8b10de28f25db5c640acfd

      SHA512

      dc5db358013e7c91a4b1506a441aa82fdb4359c34853ed7b2020d8bc0e5c29b33954820c8398e3dec78dd4554545e0f37cabf35a6d394d320f8a9a3293317cb6

      Download Submit

    • C:\Users\Admin\AppData\Local\VS Revo Group\Revo Uninstaller Pro\data\cachedata.dat
      Filesize

      46KB

      MD5

      4b97ab0f0f4b03acb3d948b66914ca37

      SHA1

      833a185164577e0f32127d1d02cd75f2986e21f2

      SHA256

      df514160aa72921a5ef169163121b51a8247b3d93dcdf7065fdb2263769b1397

      SHA512

      459d2efc551d9053e0717de7a6f2701815139bbe2795fcd43ac40bb06f346b76f79eb2c60a8a3c84b360758b45750ec22c91abd6037f6643cde79d744ea23ab5

      Download Submit

    • C:\Users\Admin\AppData\Local\VS Revo Group\Revo Uninstaller Pro\logFile.vslog
      Filesize

      295B

      MD5

      ed7e418f966cf9f4a6b0952e483fbbe4

      SHA1

      84226ff553bab1963918e78f43d909f51c7a6aa0

      SHA256

      74f081fd9a4750c6c3793892527c77b770a24478c626895f7a68efaf080d323a

      SHA512

      cc4109d50aa35764167f620b883ab90e859752211a3814da935428f04c71afbeb39c0536c646dd31f8397322825722bd4a4ac133210b0aeac18fc96bb7342cda

      Download Submit

    • C:\Windows\System32\drivers\revoflt.sys
      Filesize

      46KB

      MD5

      0006295c6c5f7fad92484785b9c8fac6

      SHA1

      7e50c90a91b92f943e951c1cd8809fe12fc75cc0

      SHA256

      4ba2879f2b82978110e4b3940ebfeb2ca2399660b0627998c6fea0bf33603b62

      SHA512

      37f02befaf3b988676af4e556cba142dfef78fd771d4c68f7744e92e789a5c1fd72afe2bb38e297e190f962a6ccf58c161f80bec2a7aacaf024256f25eb7bf03

      Download Submit

    • \Program Files\Revo Uninstaller Pro\RevoUninPro.exe
      Filesize

      24.1MB

      MD5

      5e2ff2230576765b06cc78525550b194

      SHA1

      1d0771dc3742e74f843832cd590499b5179b2b1f

      SHA256

      a61edc55db452493ac9cfce242a5fefba2229b75b2934277021f9fe4b9489527

      SHA512

      694a293c3b68dd8d220e65d4ad038caa20a198c26ab6c3d02e44d5485339b65f4dfdf23f89df517be81b5a2491e7c2f2f544d7a7cc480eae01330623fdbad418

      Download Submit

    • \Program Files\Revo Uninstaller Pro\unins000.exe
      Filesize

      923KB

      MD5

      0e156ad733d7a60cb0a9279ba3a75d94

      SHA1

      723ae81c938d0aecf1d1591d88fbf00beb3d49e2

      SHA256

      9896cfc60d5dc175dc2c1c4a9890af049fe8848695f2bec197f06ffbf8baec61

      SHA512

      fc89606145ecbe3c3499eb6171a2f3621b7fe0fb88067c03a971e6da84ddec00caace423ce5a773f7c04b25c73c8349baadb051bee921fcbb9e832a4782f52eb

      Download Submit

    • \Users\Admin\AppData\Local\Temp\is-NB5P3.tmp\Revo Uninstaller Pro 5.2.6.tmp
      Filesize

      913KB

      MD5

      c0989fb1a591ef0539bdae060b14f5d6

      SHA1

      0460fb232d3aba235b044fecc59ee6a104cf3abc

      SHA256

      fb086910b21b2bf40ed9fe21f81280d3b8968fe2cae88b55404a0721d4aa31e2

      SHA512

      fd935276ef7d2d199e5e98a5e2d4ebc37e2bed41dbea8c44fb74947890d6f9a56dba6cb0d2620ccf05d1ada042309ed644d877b502e05fdc47f6e77eae06d6aa

      Download Submit

    • \Users\Admin\AppData\Local\Temp\is-VP0J7.tmp\ISTask.dll
      Filesize

      66KB

      MD5

      86a1311d51c00b278cb7f27796ea442e

      SHA1

      ac08ac9d08f8f5380e2a9a65f4117862aa861a19

      SHA256

      e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

      SHA512

      129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

      Download Submit

    • \Users\Admin\AppData\Local\Temp\is-VP0J7.tmp\VclStylesInno.dll
      Filesize

      3.0MB

      MD5

      b0ca93ceb050a2feff0b19e65072bbb5

      SHA1

      7ebbbbe2d2acd8fd516f824338d254a33b69f08d

      SHA256

      0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

      SHA512

      37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

      Download Submit

    • \Users\Admin\AppData\Local\Temp\is-VP0J7.tmp\_isetup\_shfoldr.dll
      Filesize

      22KB

      MD5

      92dc6ef532fbb4a5c3201469a5b5eb63

      SHA1

      3e89ff837147c16b4e41c30d6c796374e0b8e62c

      SHA256

      9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

      SHA512

      9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

      Download Submit

    • memory/2308-49-0x00000000005F0000-0x00000000005F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-42-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-76-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-75-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-74-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-73-0x0000000001F90000-0x0000000001F91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-72-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-71-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-83-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-70-0x0000000001F80000-0x0000000001F81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-68-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-67-0x0000000001F70000-0x0000000001F71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-66-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-65-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-64-0x0000000001F60000-0x0000000001F61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-63-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-62-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-61-0x0000000001F50000-0x0000000001F51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-60-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-59-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-58-0x0000000000620000-0x0000000000621000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-57-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-56-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-55-0x0000000000610000-0x0000000000611000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-53-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-52-0x0000000000600000-0x0000000000601000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-51-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-50-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-78-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-48-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-47-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-46-0x00000000005E0000-0x00000000005E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-45-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-44-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-43-0x00000000005D0000-0x00000000005D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-77-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-41-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-40-0x00000000005C0000-0x00000000005C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-39-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-38-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-37-0x00000000005B0000-0x00000000005B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-34-0x00000000005A0000-0x00000000005A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-33-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-32-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-31-0x0000000000540000-0x0000000000541000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-30-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-29-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-28-0x0000000000530000-0x0000000000531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-82-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-69-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-54-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-36-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-25-0x0000000000520000-0x0000000000521000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-26-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-87-0x0000000000400000-0x00000000004F7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/2308-88-0x0000000000400000-0x00000000004F7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/2308-89-0x0000000000400000-0x00000000004F7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/2308-90-0x0000000000400000-0x00000000004F7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/2308-79-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-80-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-81-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-84-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-35-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-27-0x0000000007520000-0x0000000007660000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2308-101-0x0000000000400000-0x00000000004F7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/2308-292-0x0000000000400000-0x00000000004F7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/2308-23-0x0000000007200000-0x000000000751A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2308-19-0x00000000002D0000-0x00000000002E6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2308-15-0x0000000000400000-0x00000000004F7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/2400-0-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/2400-2-0x0000000000401000-0x000000000040B000-memory.dmp

      Filesize

      40KB

      Download