72a070524c85666844ca7ee14f2e9280faabda2664dcc3bfde927ac67c66fc61

Sharing

Copy URL

Twitter E-mail

General

Target

Revo.Uninstaller.Pro.v5.3.0.exe
Size

20.7MB
Sample

240823-sxxcfavdpm
MD5

ab260bfafed128f7519aaca44e8482da
SHA1

ccef21b5db0834698fc75d2b9f249e298bc050b5
SHA256

72a070524c85666844ca7ee14f2e9280faabda2664dcc3bfde927ac67c66fc61
SHA512

33ec4e2f8cefaf1e523dc1d705576ad04c74df4d3ed3aee4f6d4cf4ef83f24ee862dfc30552a0219109fa1548a10c31ce2310a418593013537d56cba6c122f3a
SSDEEP

393216:6v24Hctnm9hV2y4dl7IAo+hZNPCX+O/3/qDAtrBbx/jasTuYBnTJ/tlfkBaEUUE+:6HHHV/4dlDo+hL4+OvSDQFxmsTuY1TJW

Score

8^/10

Malware Config

Targets

- Target
  
  Revo.Uninstaller.Pro.v5.3.0.exe
- Size
  
  20.7MB
- MD5
  
  ab260bfafed128f7519aaca44e8482da
- SHA1
  
  ccef21b5db0834698fc75d2b9f249e298bc050b5
- SHA256
  
  72a070524c85666844ca7ee14f2e9280faabda2664dcc3bfde927ac67c66fc61
- SHA512
  
  33ec4e2f8cefaf1e523dc1d705576ad04c74df4d3ed3aee4f6d4cf4ef83f24ee862dfc30552a0219109fa1548a10c31ce2310a418593013537d56cba6c122f3a
- SSDEEP
  
  393216:6v24Hctnm9hV2y4dl7IAo+hZNPCX+O/3/qDAtrBbx/jasTuYBnTJ/tlfkBaEUUE+:6HHHV/4dlDo+hL4+OvSDQFxmsTuY1TJW
Score

8^/10

discovery persistence privilege_escalation
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2
- Target
  
  $EXEDIR/RevoUninstallerProPortable/x64/RUExt.dll
- Size
  
  188KB
- MD5
  
  da34eb78000e53cbce43a5e58525dbb7
- SHA1
  
  adfe7061495bae245ae5d4e7b7cbf4c4f616d6c8
- SHA256
  
  46d1b809e2b76858182de1efa1e71fd2bc30767d2bd94322b36937ec81ab7fe2
- SHA512
  
  dfd7f2f7bf5d5a6a233c93536d1011a2fe305360cfb3775d94f01651392e02d52df6a83a8344da64d990eaae27c11c121500540620f57f02aa7de0f20bdb5b42
- SSDEEP
  
  3072:xoEsHmpaBhl5TMNL1NEu0IzInds+oUBUoujjwu3nbzoSSm6b:x2HmiXwLrE3MAejN3u
Score

7^/10

persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Modifies system executable filetype association
  persistence
behavioral3 behavioral4
- Target
  
  $EXEDIR/RevoUninstallerProPortable/x64/RevoAppBar.exe
- Size
  
  9.3MB
- MD5
  
  8827e78b875bd9a2958a6008d6674c60
- SHA1
  
  f1d2a121d6cd2a7fab624f1e48226e2db151f6f4
- SHA256
  
  aabb2fa70f69a3a6f25c8652c1ad250dae818b0bb826b1bf7fea58c9caf67fa9
- SHA512
  
  f8d790731bd3f9bed85eec34c4e986f7b04efcc9b6f6bb8588bf11fbb0cc26640c78152ca97ad38ce424f756959b38b5c9b1128fc8f1c40c9e94a230fad86f1c
- SSDEEP
  
  98304:skOjtw8X57Q+FYXYzR1WTYmECaU4r2A0p/5chEuuZkJar:skOxw/QM5Ihbar
Score

1^/10
behavioral5 behavioral6
- Target
  
  $EXEDIR/RevoUninstallerProPortable/x64/RevoCmd.exe
- Size
  
  161KB
- MD5
  
  68b84ec374285e817273b5fdcf02f176
- SHA1
  
  dd7734c6023a3ad10759ca8c891f5036d8a51dae
- SHA256
  
  2fcb8111dd537ab411ab903b03ba4da8a15f944a0b6d03822b476b10f71f284b
- SHA512
  
  c8075f0117019184ca0ad7a148a9c7066876ffec11a3ec64498e38dbc5bb45ca9b19693872ade18ed996df00b219884d62c4f7fa0627d0415e567a30be0d4cfc
- SSDEEP
  
  3072:3Ow34MYDr9qIqA2tNEASbzp13p90YJquN5K:3Ow41TF2MA+08rk
Score

6^/10

discovery
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral7 behavioral8
- Target
  
  $EXEDIR/RevoUninstallerProPortable/x64/RevoUnPro.exe
- Size
  
  24.1MB
- MD5
  
  967fcc1b34a4c13c5d6edab866d74ceb
- SHA1
  
  656ed69a5b4b8d40594135e7de3254d98263fcb6
- SHA256
  
  ccfd11d2a73602edf17f342851fed25d1121ef1a5b3e4e89cecf246a209e2767
- SHA512
  
  ba2055906b675cf08ec25d02a2d1c728caa68057ff12eaf2176976175c2885d8a4a6996257e9e30805502b3d53dfc8ca829f0aa487f11fe14950f6c0e8cecabb
- SSDEEP
  
  196608:/FDWbJ+qN3CmoM+n6Pqp2s5T6rzvuPTxhbmWqPWpyR1pOIIIIIIIIIIIIIIIIIIf:/FK1+qN2Mk6PqoshXFhlqPWpyR1pVU
Score

1^/10
behavioral10 behavioral9
- Target
  
  $EXEDIR/RevoUninstallerProPortable/x64/Vista/revoflt.sys
- Size
  
  39KB
- MD5
  
  498c3d4d44382a96812a0e0ff28d575b
- SHA1
  
  c34586b789ca5fe4336ab23ad6ff6eeb991c9612
- SHA256
  
  23cb784547268cf775636b07cac4c00b962fd10a7f9144d5d5886a9166919bba
- SHA512
  
  ce450128e9ca1675eab8aa734dc907dfc55f3dacd62503339080d6bd47b2523d063786dbe28e6833db041f1d5869670be2411a39c7b8d93d05a98b4c09cad1a1
- SSDEEP
  
  768:5UKM0N2alRO3gpeBJNUG+ML1naP6IXW0hzbhL7bCEMmo2ocAhu:DX+RtTL1naP6IzbhjCEDo2/Ahu
Score

1^/10
behavioral11 behavioral12
- Target
  
  $EXEDIR/RevoUninstallerProPortable/x64/Win10/revoflt.sys
- Size
  
  37KB
- MD5
  
  ec8e58e6b58b4fcde77431cda3a24c0e
- SHA1
  
  ebb474009b2a2fbce648adff4b8b797fcd00c997
- SHA256
  
  25667717bf4691957f07a6363585e2c7eaf22e5fd7229bf32c91ea59ef4a2edd
- SHA512
  
  e2c667ebe97973ff27c1edf3e45ebf7950bc8d7aad1126da25290a2f590b21808654694cbe6a0ad1d3649566ec7645eb6b3379c7d7c0a650d5381a69e9cdade4
- SSDEEP
  
  768:A1uOPkxgu01UuLjQL1nHSSdW7W0fz1Qp33u43gf:AQqk7HL1nO/Qtrgf
Score

1^/10
behavioral13
- Target
  
  $EXEDIR/RevoUninstallerProPortable/x64/revoflt.sys
- Size
  
  46KB
- MD5
  
  0006295c6c5f7fad92484785b9c8fac6
- SHA1
  
  7e50c90a91b92f943e951c1cd8809fe12fc75cc0
- SHA256
  
  4ba2879f2b82978110e4b3940ebfeb2ca2399660b0627998c6fea0bf33603b62
- SHA512
  
  37f02befaf3b988676af4e556cba142dfef78fd771d4c68f7744e92e789a5c1fd72afe2bb38e297e190f962a6ccf58c161f80bec2a7aacaf024256f25eb7bf03
- SSDEEP
  
  768:F1uOPkxgu01UuLjQL1nHXSdW7W0fz1f/BPKg9aUUf2h5:FQqk7HL1n3/f/Z3zUfI
Score

1^/10
behavioral14
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  192639861e3dc2dc5c08bb8f8c7260d5
- SHA1
  
  58d30e460609e22fa0098bc27d928b689ef9af78
- SHA256
  
  23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
- SHA512
  
  6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc
- SSDEEP
  
  192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  7KB
- MD5
  
  11092c1d3fbb449a60695c44f9f3d183
- SHA1
  
  b89d614755f2e943df4d510d87a7fc1a3bcf5a33
- SHA256
  
  2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77
- SHA512
  
  c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a
- SSDEEP
  
  96:JgzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuHIDQ:JDQHDb2vSuOc41ZfUNQZGdHA
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  $PLUGINSDIR/nsProcess.dll
- Size
  
  4KB
- MD5
  
  f0438a894f3a7e01a4aae8d1b5dd0289
- SHA1
  
  b058e3fcfb7b550041da16bf10d8837024c38bf6
- SHA256
  
  30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
- SHA512
  
  f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7
- SSDEEP
  
  48:Sz4joMeH+Iwdf8Rom/L+rOnnk5/OCnXeAdbdOAa4GPI+CJ87eILzlq7gthwIsEQW:64c/eFdfS/SSnkxNa4G+ueqPuCtGsj
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  RUExt.dll
- Size
  
  188KB
- MD5
  
  da34eb78000e53cbce43a5e58525dbb7
- SHA1
  
  adfe7061495bae245ae5d4e7b7cbf4c4f616d6c8
- SHA256
  
  46d1b809e2b76858182de1efa1e71fd2bc30767d2bd94322b36937ec81ab7fe2
- SHA512
  
  dfd7f2f7bf5d5a6a233c93536d1011a2fe305360cfb3775d94f01651392e02d52df6a83a8344da64d990eaae27c11c121500540620f57f02aa7de0f20bdb5b42
- SSDEEP
  
  3072:xoEsHmpaBhl5TMNL1NEu0IzInds+oUBUoujjwu3nbzoSSm6b:x2HmiXwLrE3MAejN3u
Score

7^/10

persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Modifies system executable filetype association
  persistence
behavioral21 behavioral22
- Target
  
  RevoAppBar.exe
- Size
  
  9.3MB
- MD5
  
  8827e78b875bd9a2958a6008d6674c60
- SHA1
  
  f1d2a121d6cd2a7fab624f1e48226e2db151f6f4
- SHA256
  
  aabb2fa70f69a3a6f25c8652c1ad250dae818b0bb826b1bf7fea58c9caf67fa9
- SHA512
  
  f8d790731bd3f9bed85eec34c4e986f7b04efcc9b6f6bb8588bf11fbb0cc26640c78152ca97ad38ce424f756959b38b5c9b1128fc8f1c40c9e94a230fad86f1c
- SSDEEP
  
  98304:skOjtw8X57Q+FYXYzR1WTYmECaU4r2A0p/5chEuuZkJar:skOxw/QM5Ihbar
Score

1^/10
behavioral23 behavioral24
- Target
  
  RevoCmd.exe
- Size
  
  161KB
- MD5
  
  68b84ec374285e817273b5fdcf02f176
- SHA1
  
  dd7734c6023a3ad10759ca8c891f5036d8a51dae
- SHA256
  
  2fcb8111dd537ab411ab903b03ba4da8a15f944a0b6d03822b476b10f71f284b
- SHA512
  
  c8075f0117019184ca0ad7a148a9c7066876ffec11a3ec64498e38dbc5bb45ca9b19693872ade18ed996df00b219884d62c4f7fa0627d0415e567a30be0d4cfc
- SSDEEP
  
  3072:3Ow34MYDr9qIqA2tNEASbzp13p90YJquN5K:3Ow41TF2MA+08rk
Score

6^/10

discovery
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral25 behavioral26
- Target
  
  RevoUnPro.exe
- Size
  
  24.1MB
- MD5
  
  967fcc1b34a4c13c5d6edab866d74ceb
- SHA1
  
  656ed69a5b4b8d40594135e7de3254d98263fcb6
- SHA256
  
  ccfd11d2a73602edf17f342851fed25d1121ef1a5b3e4e89cecf246a209e2767
- SHA512
  
  ba2055906b675cf08ec25d02a2d1c728caa68057ff12eaf2176976175c2885d8a4a6996257e9e30805502b3d53dfc8ca829f0aa487f11fe14950f6c0e8cecabb
- SSDEEP
  
  196608:/FDWbJ+qN3CmoM+n6Pqp2s5T6rzvuPTxhbmWqPWpyR1pOIIIIIIIIIIIIIIIIIIf:/FK1+qN2Mk6PqoshXFhlqPWpyR1pVU
Score

1^/10
behavioral27 behavioral28
- Target
  
  Vista/revoflt.sys
- Size
  
  39KB
- MD5
  
  498c3d4d44382a96812a0e0ff28d575b
- SHA1
  
  c34586b789ca5fe4336ab23ad6ff6eeb991c9612
- SHA256
  
  23cb784547268cf775636b07cac4c00b962fd10a7f9144d5d5886a9166919bba
- SHA512
  
  ce450128e9ca1675eab8aa734dc907dfc55f3dacd62503339080d6bd47b2523d063786dbe28e6833db041f1d5869670be2411a39c7b8d93d05a98b4c09cad1a1
- SSDEEP
  
  768:5UKM0N2alRO3gpeBJNUG+ML1naP6IXW0hzbhL7bCEMmo2ocAhu:DX+RtTL1naP6IzbhjCEDo2/Ahu
Score

1^/10
behavioral29 behavioral30
- Target
  
  Win10/revoflt.sys
- Size
  
  37KB
- MD5
  
  ec8e58e6b58b4fcde77431cda3a24c0e
- SHA1
  
  ebb474009b2a2fbce648adff4b8b797fcd00c997
- SHA256
  
  25667717bf4691957f07a6363585e2c7eaf22e5fd7229bf32c91ea59ef4a2edd
- SHA512
  
  e2c667ebe97973ff27c1edf3e45ebf7950bc8d7aad1126da25290a2f590b21808654694cbe6a0ad1d3649566ec7645eb6b3379c7d7c0a650d5381a69e9cdade4
- SSDEEP
  
  768:A1uOPkxgu01UuLjQL1nHSSdW7W0fz1Qp33u43gf:AQqk7HL1nO/Qtrgf
Score

1^/10
behavioral31
- Target
  
  revoflt.sys
- Size
  
  46KB
- MD5
  
  0006295c6c5f7fad92484785b9c8fac6
- SHA1
  
  7e50c90a91b92f943e951c1cd8809fe12fc75cc0
- SHA256
  
  4ba2879f2b82978110e4b3940ebfeb2ca2399660b0627998c6fea0bf33603b62
- SHA512
  
  37f02befaf3b988676af4e556cba142dfef78fd771d4c68f7744e92e789a5c1fd72afe2bb38e297e190f962a6ccf58c161f80bec2a7aacaf024256f25eb7bf03
- SSDEEP
  
  768:F1uOPkxgu01UuLjQL1nHXSdW7W0fz1f/BPKg9aUUf2h5:FQqk7HL1n3/f/Z3zUfI
Score

1^/10
behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Drops file in Drivers directory

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Adds Run key to start application

Checks installed software on the system

Event Triggered Execution: Component Object Model Hijacking

Modifies system executable filetype association

Checks installed software on the system

Event Triggered Execution: Component Object Model Hijacking

Modifies system executable filetype association

Checks installed software on the system

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32