Analysis

max time kernel: 160s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/05/2024, 19:29
Static task: static1

Behavioral task: behavioral1
  Sample: Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe
  Resource: win10v2004-20240226-en
General

Target: Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe
Size: 18.0MB
MD5: a772b8ad72f4d801ac4217c82a91c7a2
SHA1: d5ae988d7253c4ddf6c62fa609d08edf51c20838
SHA256: 74f5a370fba58e5cd4db293b3aa77dff4b4d828eaea02432833d5a8e70e33d07
SHA512: c0552490f25695b78c865705d59ff9f3f931d8daf4df05e52be94fa529d8000cf17e070f347464b00c28b42eeb641d81672c2e165824e4e3f0485871d2fc8162
SSDEEP: 393216:kZCWWOsxWSq/RnoVf+SgBIdecX67Ya8TR8lFIZCGM5Ap0IKM8n:kUWWOBJaxgkewO8TR8fUCGM5AKIKM8n
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | RevoUninProSetup.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | RevoUninProSetup.tmp

Drops startup file (1 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rm.exe | RevoUninProSetup.exe

Executes dropped EXE (2 IoCs)
pid | Process
936 | RevoUninProSetup.exe
4748 | RevoUninProSetup.tmp

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe | RevoUninProSetup.exe
File opened for modification | C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe | RevoUninProSetup.exe
File created | C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\Uninstall.ini | RevoUninProSetup.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoCs)
pid | Process
4744 | taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4744 | taskkill.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1600 wrote to memory of 936 | 1600 | RevoUninProSetup.exe | 91
PID 1600 wrote to memory of 936 | 1600 | RevoUninProSetup.exe | 91
PID 1600 wrote to memory of 936 | 1600 | RevoUninProSetup.exe | 91
PID 936 wrote to memory of 4748 | 936 | RevoUninProSetup.exe | 96
PID 936 wrote to memory of 4748 | 936 | RevoUninProSetup.exe | 96
PID 936 wrote to memory of 4748 | 936 | RevoUninProSetup.exe | 96
PID 4748 wrote to memory of 4744 | 4748 | RevoUninProSetup.tmp | 99
PID 4748 wrote to memory of 4744 | 4748 | RevoUninProSetup.tmp | 99
PID 4748 wrote to memory of 4744 | 4748 | RevoUninProSetup.tmp | 99
Processes

C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe"
  PID: 1600
  - Checks computer location settings
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe (depth 2)
    Command line: "C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe"
    PID: 936
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\is-47KFM.tmp\RevoUninProSetup.tmp (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-47KFM.tmp\RevoUninProSetup.tmp" /SL5="$20240,17135947,196608,C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe"
      PID: 4748
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\taskkill.exe (depth 4)
        Command line: "C:\Windows\System32\taskkill.exe" /f /im ruplp.exe
        PID: 4744
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3856 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
  PID: 2088
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 16.9MB
MD5: b0f15df675ff3ff11fe6eac7a32e4409
SHA1: 59178aed358362c8fb3905e66170ac924c803879
SHA256: 89d038c065e1e236a4c086f9485dbf1315114ed92eed19e64d2e3fe771688d9a
SHA512: 3f1d56d12948872632fe626e61533790852a54c892385c8d1cf8b6111a6ee4379bcc907958d6b8d82736476e2b9b9be6e53604c494227ae370d2496b84b48a47

Filesize: 1.8MB
MD5: 47b3e307c1f50909f491ff53b3b1e862
SHA1: 7bf7724f0d0d5d5b90a797d98bccd94cf0803bed
SHA256: 788afd9fed177c7da7326531edff6948b16c80adec6f542bc4d3a91955763b9a
SHA512: 32d9150db20feb162143f6e16657a07af38b1c1f87822a653c74e623071783b65612155f3cfe3f6da2eb36fc73ae835dbfbc7bcb5dd9a1c7b563a8c79c37d69f

Filesize: 1.2MB
MD5: 5d46b017331b5c6acd69f35213277f2f
SHA1: 8992114b0cb8d354376a956660f95f88bf7165e6
SHA256: 800c00e3605ec37454d98aaa1732074b97dac39bc9d59a820f296223e8efc773
SHA512: 4465609922a75f0e6206ccea0ddb974830f043fbffbfc4fd966817c133a1e398915ef3b014b2608e2378ffe62390a1cdb562d82817c8f746649cdbaa6a176cec