Analysis

  • max time kernel
    160s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/05/2024, 19:29

General

  • Target
    Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe
  • Size
    18.0MB
  • MD5
    a772b8ad72f4d801ac4217c82a91c7a2
  • SHA1
    d5ae988d7253c4ddf6c62fa609d08edf51c20838
  • SHA256
    74f5a370fba58e5cd4db293b3aa77dff4b4d828eaea02432833d5a8e70e33d07
  • SHA512
    c0552490f25695b78c865705d59ff9f3f931d8daf4df05e52be94fa529d8000cf17e070f347464b00c28b42eeb641d81672c2e165824e4e3f0485871d2fc8162
  • SSDEEP
    393216:kZCWWOsxWSq/RnoVf+SgBIdecX67Ya8TR8lFIZCGM5Ap0IKM8n:kUWWOBJaxgkewO8TR8fUCGM5AKIKM8n

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe
      "C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Users\Admin\AppData\Local\Temp\is-47KFM.tmp\RevoUninProSetup.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-47KFM.tmp\RevoUninProSetup.tmp" /SL5="$20240,17135947,196608,C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4748
        • C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im ruplp.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4744
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3856 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe
    • Filesize
      16.9MB
    • MD5
      b0f15df675ff3ff11fe6eac7a32e4409
    • SHA1
      59178aed358362c8fb3905e66170ac924c803879
    • SHA256
      89d038c065e1e236a4c086f9485dbf1315114ed92eed19e64d2e3fe771688d9a
    • SHA512
      3f1d56d12948872632fe626e61533790852a54c892385c8d1cf8b6111a6ee4379bcc907958d6b8d82736476e2b9b9be6e53604c494227ae370d2496b84b48a47
  • C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp
    • Filesize
      1.8MB
    • MD5
      47b3e307c1f50909f491ff53b3b1e862
    • SHA1
      7bf7724f0d0d5d5b90a797d98bccd94cf0803bed
    • SHA256
      788afd9fed177c7da7326531edff6948b16c80adec6f542bc4d3a91955763b9a
    • SHA512
      32d9150db20feb162143f6e16657a07af38b1c1f87822a653c74e623071783b65612155f3cfe3f6da2eb36fc73ae835dbfbc7bcb5dd9a1c7b563a8c79c37d69f
  • C:\Users\Admin\AppData\Local\Temp\is-47KFM.tmp\RevoUninProSetup.tmp
    • Filesize
      1.2MB
    • MD5
      5d46b017331b5c6acd69f35213277f2f
    • SHA1
      8992114b0cb8d354376a956660f95f88bf7165e6
    • SHA256
      800c00e3605ec37454d98aaa1732074b97dac39bc9d59a820f296223e8efc773
    • SHA512
      4465609922a75f0e6206ccea0ddb974830f043fbffbfc4fd966817c133a1e398915ef3b014b2608e2378ffe62390a1cdb562d82817c8f746649cdbaa6a176cec
  • memory/936-45-0x0000000000400000-0x000000000043A000-memory.dmp
    • Filesize
      232KB
  • memory/936-47-0x0000000000401000-0x0000000000412000-memory.dmp
    • Filesize
      68KB
  • memory/936-55-0x0000000000400000-0x000000000043A000-memory.dmp
    • Filesize
      232KB
  • memory/1600-36-0x0000000000400000-0x0000000000432000-memory.dmp
    • Filesize
      200KB
  • memory/4748-52-0x0000000000400000-0x0000000000540000-memory.dmp
    • Filesize
      1.2MB
  • memory/4748-56-0x0000000000400000-0x0000000000540000-memory.dmp
    • Filesize
      1.2MB