89d038c065e1e236a4c086f9485dbf1315114ed92eed19e64d2e3fe771688d9a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RevoUninProSetup.exe
Size

16.9MB
MD5

b0f15df675ff3ff11fe6eac7a32e4409
SHA1

59178aed358362c8fb3905e66170ac924c803879
SHA256

89d038c065e1e236a4c086f9485dbf1315114ed92eed19e64d2e3fe771688d9a
SHA512

3f1d56d12948872632fe626e61533790852a54c892385c8d1cf8b6111a6ee4379bcc907958d6b8d82736476e2b9b9be6e53604c494227ae370d2496b84b48a47
SSDEEP

393216:4S2H6AdClOaamBv1XONf50LdeJ/mXjGyh+OLTvrGVJCmY0mB:RE6AdDwhc5IeNxyh+OPDGVJCmnmB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RevoUninProSetup.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	RevoUninProSetup.tmp

Executes dropped EXE 1 IoCs

Processes:

RevoUninProSetup.tmp

pid process

1376 RevoUninProSetup.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2308 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2308 taskkill.exe

pid	process
1376	RevoUninProSetup.tmp

pid	process
2308	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2308	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

RevoUninProSetup.exeRevoUninProSetup.tmp

description	pid	process	target process
PID 868 wrote to memory of 1376	868	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 868 wrote to memory of 1376	868	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 868 wrote to memory of 1376	868	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 1376 wrote to memory of 2308	1376	RevoUninProSetup.tmp	taskkill.exe
PID 1376 wrote to memory of 2308	1376	RevoUninProSetup.tmp	taskkill.exe
PID 1376 wrote to memory of 2308	1376	RevoUninProSetup.tmp	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\RevoUninProSetup.exe
"C:\Users\Admin\AppData\Local\Temp\RevoUninProSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\is-5G3LL.tmp\RevoUninProSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5G3LL.tmp\RevoUninProSetup.tmp" /SL5="$E0058,17135947,196608,C:\Users\Admin\AppData\Local\Temp\RevoUninProSetup.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im ruplp.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2308

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-5G3LL.tmp\RevoUninProSetup.tmp
Filesize
1.2MB

MD5
5d46b017331b5c6acd69f35213277f2f

SHA1
8992114b0cb8d354376a956660f95f88bf7165e6

SHA256
800c00e3605ec37454d98aaa1732074b97dac39bc9d59a820f296223e8efc773

SHA512
4465609922a75f0e6206ccea0ddb974830f043fbffbfc4fd966817c133a1e398915ef3b014b2608e2378ffe62390a1cdb562d82817c8f746649cdbaa6a176cec

Download Submit
memory/868-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/868-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/868-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1376-6-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/1376-9-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download