8b9f71d06784f768fc00982967c0e1b441b0290fb1081e9fcdd32740903f9ccd

Analysis

max time kernel
120s
max time network
80s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15-06-2024 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RevoUninProSetup.exe
Size

16.9MB
MD5

dd8fa302db072a5260c7964baa18337b
SHA1

6fe1ab556642138bc0b24819f31a974ec3c29e28
SHA256

4f26003b13581a017f037d2946a3efc232ec48530426838460b4bf04c2c4de61
SHA512

2ab0cd5192d7f7e2efac4db9da96ba4ae5968b9b3dac4f8deb2ca84e67f2118c2a59d71b1fa61d27f877063b855da7ad807c1a7af43e805d2a9d4dca51f137d1
SSDEEP

393216:Q1RAyYMaG/ThnJD9fltg5Y+wel5RWmA/M611cmF1ec/lRm:XyYMaGlJdg5Y+pRB61iw1LTm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

RevoUninProSetup.tmp

pid	Process
1372	RevoUninProSetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
4636	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description	pid	Process
Token: SeDebugPrivilege	4636	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

RevoUninProSetup.exeRevoUninProSetup.tmp

description	pid	Process	procid_target
PID 3748 wrote to memory of 1372	3748	RevoUninProSetup.exe	75
PID 3748 wrote to memory of 1372	3748	RevoUninProSetup.exe	75
PID 3748 wrote to memory of 1372	3748	RevoUninProSetup.exe	75
PID 1372 wrote to memory of 4636	1372	RevoUninProSetup.tmp	76
PID 1372 wrote to memory of 4636	1372	RevoUninProSetup.tmp	76
PID 1372 wrote to memory of 4636	1372	RevoUninProSetup.tmp	76

C:\Users\Admin\AppData\Local\Temp\RevoUninProSetup.exe
"C:\Users\Admin\AppData\Local\Temp\RevoUninProSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Users\Admin\AppData\Local\Temp\is-PR590.tmp\RevoUninProSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PR590.tmp\RevoUninProSetup.tmp" /SL5="$5020A,17147580,196608,C:\Users\Admin\AppData\Local\Temp\RevoUninProSetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im ruplp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-PR590.tmp\RevoUninProSetup.tmp

Filesize
1.2MB

MD5
7b467f94cad328d102e5e38c94290b5f

SHA1
590359ffbeecc81246f79b9ea40bb8372df7e597

SHA256
f4c8335513592ac93f93cbfea954665d29f747950b1a84ee54aa90d6bd8fd097

SHA512
b271c76eea22cef85bc20160798a9b78e43054f090f2269945bea5cf5454df6f27b762230663ff710998cf642ca91a57be733fc86cea988ff2b8264293da8d1d

Download Submit
memory/1372-6-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/1372-9-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/3748-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3748-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/3748-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download