Malware Analysis Report

2025-08-10 12:13

Sample ID 240527-x7j73sgd29
Target Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe
SHA256 74f5a370fba58e5cd4db293b3aa77dff4b4d828eaea02432833d5a8e70e33d07
Tags discovery
Score 7/10

Analysis Overview

Score 7/10

SHA256 74f5a370fba58e5cd4db293b3aa77dff4b4d828eaea02432833d5a8e70e33d07

Threat Level: Shows suspicious behavior

The file Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery

Checks computer location settings

Loads dropped DLL

Drops startup file

Executes dropped EXE

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported 2024-05-27 19:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-27 19:29
Reported 2024-05-27 19:32
Platform win7-20240419-en
Max time kernel 142s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe"

Signatures

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rm.exe | C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe | N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe | C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe | N/A
File opened for modification | C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe | N/A
File created | C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe | N/A

Enumerates physical storage devices

Kills process with taskkill

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2424 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe | C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe | 7
PID 2628 wrote to memory of 2748 | N/A | C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe | C:\Users\Admin\AppData\Local\Temp\is-U6M1L.tmp\RevoUninProSetup.tmp | 7
PID 2748 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\is-U6M1L.tmp\RevoUninProSetup.tmp | C:\Windows\SysWOW64\taskkill.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe

"C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe"

C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe

"C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe"

C:\Users\Admin\AppData\Local\Temp\is-U6M1L.tmp\RevoUninProSetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-U6M1L.tmp\RevoUninProSetup.tmp" /SL5="$50158,17135947,196608,C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe"

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im ruplp.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp

MD5 47b3e307c1f50909f491ff53b3b1e862
SHA1 7bf7724f0d0d5d5b90a797d98bccd94cf0803bed
SHA256 788afd9fed177c7da7326531edff6948b16c80adec6f542bc4d3a91955763b9a
SHA512 32d9150db20feb162143f6e16657a07af38b1c1f87822a653c74e623071783b65612155f3cfe3f6da2eb36fc73ae835dbfbc7bcb5dd9a1c7b563a8c79c37d69f

\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe

MD5 b0f15df675ff3ff11fe6eac7a32e4409
SHA1 59178aed358362c8fb3905e66170ac924c803879
SHA256 89d038c065e1e236a4c086f9485dbf1315114ed92eed19e64d2e3fe771688d9a
SHA512 3f1d56d12948872632fe626e61533790852a54c892385c8d1cf8b6111a6ee4379bcc907958d6b8d82736476e2b9b9be6e53604c494227ae370d2496b84b48a47

memory/2628-50-0x0000000000401000-0x0000000000412000-memory.dmp

memory/2628-47-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-U6M1L.tmp\RevoUninProSetup.tmp

MD5 5d46b017331b5c6acd69f35213277f2f
SHA1 8992114b0cb8d354376a956660f95f88bf7165e6
SHA256 800c00e3605ec37454d98aaa1732074b97dac39bc9d59a820f296223e8efc773
SHA512 4465609922a75f0e6206ccea0ddb974830f043fbffbfc4fd966817c133a1e398915ef3b014b2608e2378ffe62390a1cdb562d82817c8f746649cdbaa6a176cec

memory/2748-56-0x0000000000400000-0x0000000000540000-memory.dmp

memory/2424-58-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2628-59-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2748-60-0x0000000000400000-0x0000000000540000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-27 19:29
Reported 2024-05-27 19:32
Platform win10v2004-20240226-en
Max time kernel 160s
Max time network 160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-47KFM.tmp\RevoUninProSetup.tmp | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rm.exe | C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe | N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe | C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe | N/A
File opened for modification | C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe | N/A
File created | C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe | N/A

Enumerates physical storage devices

Kills process with taskkill

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1600 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe | C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe | 3
PID 936 wrote to memory of 4748 | N/A | C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe | C:\Users\Admin\AppData\Local\Temp\is-47KFM.tmp\RevoUninProSetup.tmp | 3
PID 4748 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\is-47KFM.tmp\RevoUninProSetup.tmp | C:\Windows\SysWOW64\taskkill.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe

"C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 2024 + Fix\Setup\RevoUninProSetup.exe"

C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe

"C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe"

C:\Users\Admin\AppData\Local\Temp\is-47KFM.tmp\RevoUninProSetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-47KFM.tmp\RevoUninProSetup.tmp" /SL5="$20240,17135947,196608,C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe"

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im ruplp.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3856 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
GB | 142.250.187.234:443 | N/A | tcp
US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp
US | 13.107.246.64:443 | N/A | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp

MD5 47b3e307c1f50909f491ff53b3b1e862
SHA1 7bf7724f0d0d5d5b90a797d98bccd94cf0803bed
SHA256 788afd9fed177c7da7326531edff6948b16c80adec6f542bc4d3a91955763b9a
SHA512 32d9150db20feb162143f6e16657a07af38b1c1f87822a653c74e623071783b65612155f3cfe3f6da2eb36fc73ae835dbfbc7bcb5dd9a1c7b563a8c79c37d69f

C:\Program Files (x86)\VS Revo Group\Revo Uninstaller Pro\RevoUninProSetup.exe

MD5 b0f15df675ff3ff11fe6eac7a32e4409
SHA1 59178aed358362c8fb3905e66170ac924c803879
SHA256 89d038c065e1e236a4c086f9485dbf1315114ed92eed19e64d2e3fe771688d9a
SHA512 3f1d56d12948872632fe626e61533790852a54c892385c8d1cf8b6111a6ee4379bcc907958d6b8d82736476e2b9b9be6e53604c494227ae370d2496b84b48a47

memory/1600-36-0x0000000000400000-0x0000000000432000-memory.dmp

memory/936-45-0x0000000000400000-0x000000000043A000-memory.dmp

memory/936-47-0x0000000000401000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-47KFM.tmp\RevoUninProSetup.tmp

MD5 5d46b017331b5c6acd69f35213277f2f
SHA1 8992114b0cb8d354376a956660f95f88bf7165e6
SHA256 800c00e3605ec37454d98aaa1732074b97dac39bc9d59a820f296223e8efc773
SHA512 4465609922a75f0e6206ccea0ddb974830f043fbffbfc4fd966817c133a1e398915ef3b014b2608e2378ffe62390a1cdb562d82817c8f746649cdbaa6a176cec

memory/4748-52-0x0000000000400000-0x0000000000540000-memory.dmp

memory/936-55-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4748-56-0x0000000000400000-0x0000000000540000-memory.dmp