8e5387b8e5b1d7437979f00b42b6b481281f9ced1c3a7101f6a5832402563e5b

Analysis

max time kernel
141s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-07-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Revo_Uninstaller_Pro_5.1.1/RevoUninProSetup.exe
Size

16.8MB
MD5

ab0d159cbe7e1f7f9adea455506f73b1
SHA1

a780054d4721e433387091233fd16c67ecbf3bec
SHA256

21a5b0e1ab9d88eec56dcd1c2ff050742d73e87325922e0840502d211b77b22a
SHA512

a28fb07060a33405a3d26d92c6479f77e4c403092b71471d0516cb4a431d2af55e48740c14622c6353066f53945ae8185aafb15f15b643ac4254dd26dd157ddc
SSDEEP

393216:LwA1pdJwTb+1yXa+v5wfFUSwwV6YWlw9Muo4O9W3XfCX5wRIa4o:MADdJYVNCtUS1VWlwa4O2Xfs5O4o

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

RevoUninProSetup.tmp

pid process

2224 RevoUninProSetup.tmp
Loads dropped DLL 1 IoCs

Processes:

RevoUninProSetup.exe

pid process

2480 RevoUninProSetup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2224	RevoUninProSetup.tmp

pid	process
2480	RevoUninProSetup.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RevoUninProSetup.exeRevoUninProSetup.tmptaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RevoUninProSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RevoUninProSetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2820 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2820 taskkill.exe

pid	process
2820	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2820	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

RevoUninProSetup.exeRevoUninProSetup.tmp

description	pid	process	target process
PID 2480 wrote to memory of 2224	2480	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 2480 wrote to memory of 2224	2480	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 2480 wrote to memory of 2224	2480	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 2480 wrote to memory of 2224	2480	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 2480 wrote to memory of 2224	2480	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 2480 wrote to memory of 2224	2480	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 2480 wrote to memory of 2224	2480	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 2224 wrote to memory of 2820	2224	RevoUninProSetup.tmp	taskkill.exe
PID 2224 wrote to memory of 2820	2224	RevoUninProSetup.tmp	taskkill.exe
PID 2224 wrote to memory of 2820	2224	RevoUninProSetup.tmp	taskkill.exe
PID 2224 wrote to memory of 2820	2224	RevoUninProSetup.tmp	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Revo_Uninstaller_Pro_5.1.1\RevoUninProSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Revo_Uninstaller_Pro_5.1.1\RevoUninProSetup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\is-61CDV.tmp\RevoUninProSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-61CDV.tmp\RevoUninProSetup.tmp" /SL5="$400EC,16976201,196608,C:\Users\Admin\AppData\Local\Temp\Revo_Uninstaller_Pro_5.1.1\RevoUninProSetup.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im ruplp.exe
3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-61CDV.tmp\RevoUninProSetup.tmp

Filesize
1.2MB

MD5
fd527a16a9dd4fb499dbdaa78e1c2126

SHA1
91e2fa21419f53e5116235e0391ecb2a7fe8c8e0

SHA256
ca4deef34c1b27f92b0e571d057c5a71f786181aceb07797cfd59ad0b4027baf

SHA512
feea2a838d34d31d0053c6030866db4f9e3dad79cdd69088879912e205c465190fa29a798b41e025fef08c0d01774db107fc50d90aa0a0b8614aeb2acd0dbc9b

Download Submit
memory/2224-8-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/2224-11-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/2480-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2480-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2480-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download