72a070524c85666844ca7ee14f2e9280faabda2664dcc3bfde927ac67c66fc61

Analysis

max time kernel
53s
max time network
36s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Revo.Uninstaller.Pro.v5.3.0.exe
Size

20.7MB
MD5

ab260bfafed128f7519aaca44e8482da
SHA1

ccef21b5db0834698fc75d2b9f249e298bc050b5
SHA256

72a070524c85666844ca7ee14f2e9280faabda2664dcc3bfde927ac67c66fc61
SHA512

33ec4e2f8cefaf1e523dc1d705576ad04c74df4d3ed3aee4f6d4cf4ef83f24ee862dfc30552a0219109fa1548a10c31ce2310a418593013537d56cba6c122f3a
SSDEEP

393216:6v24Hctnm9hV2y4dl7IAo+hZNPCX+O/3/qDAtrBbx/jasTuYBnTJ/tlfkBaEUUE+:6HHHV/4dlDo+hL4+OvSDQFxmsTuY1TJW

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET87F5.tmp	RUNDLL32.EXE
File created	C:\Windows\system32\DRIVERS\SET87F5.tmp	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\revoflt.sys	RUNDLL32.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation	ruplp.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 4 IoCs

pid	Process
2368	RevoUninPro.exe
1644	ruplp.exe
1824	RevoUninPro.exe
3048	ruplp.exe

Loads dropped DLL 18 IoCs

pid	Process
560	Revo.Uninstaller.Pro.v5.3.0.exe
560	Revo.Uninstaller.Pro.v5.3.0.exe
560	Revo.Uninstaller.Pro.v5.3.0.exe
560	Revo.Uninstaller.Pro.v5.3.0.exe
560	Revo.Uninstaller.Pro.v5.3.0.exe
2196	regsvr32.exe
560	Revo.Uninstaller.Pro.v5.3.0.exe
560	Revo.Uninstaller.Pro.v5.3.0.exe
560	Revo.Uninstaller.Pro.v5.3.0.exe
560	Revo.Uninstaller.Pro.v5.3.0.exe
560	Revo.Uninstaller.Pro.v5.3.0.exe
560	Revo.Uninstaller.Pro.v5.3.0.exe
560	Revo.Uninstaller.Pro.v5.3.0.exe
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hrvatski.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUnPro.exe	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUnPro.exe	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\indonesian.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\german.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10\revoflt.sys	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\portuguesebrazil.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\polish.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\turkish.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\bulgarian.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\japanese.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\portuguese_standard.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Revo Uninstaller Pro Help.pdf	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\azerbaijani.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\danish.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\finnish.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sys	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\gujarati.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\macedonian.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\romanian.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\vietnamese.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\albanian.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista\revoflt.sys	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hellenic.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\kurdish.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\russian.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\thai.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\ukrainian.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\czech.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\License.txt	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\Estonian.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hindi.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\simplifiedchinese.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\spanish.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\swedish.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\english.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hebrew.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\italiano.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\serbian.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\slovak.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\traditionalchinese.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\reg_lp.bat	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10\revoflt.inf	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\rupilogs.rupldb	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista\revoflt.inf	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\bengali.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hungarian.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\korean.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\norwegian.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\serbianLatin.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\slovenian.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\armenian.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\dutch.ini	Revo.Uninstaller.Pro.v5.3.0.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\french.ini	Revo.Uninstaller.Pro.v5.3.0.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	RUNDLL32.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Revo.Uninstaller.Pro.v5.3.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ruplp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ruplp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies registry class 55 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\Version = "5.1"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\ruplp.exe"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID\ = "LicProtector.LicProtectorEXE510"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\Clsid\ = "{DD72B942-27D2-4A3C-9353-FA0441FBABA0}"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RUExt.DLL\AppID = "{1D928D64-60D3-4FAC-B810-C4D9D8A680CF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version\ = "5.1"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\LocalServer32	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\ = "RUShellExt Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RUExt.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\ = "LicProtector Library"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\FLAGS\ = "0"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ = "LicProtector Object"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RUShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\Clsid	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\ = "LicProtector Object"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\TypeLib	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1D928D64-60D3-4FAC-B810-C4D9D8A680CF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RUExt.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\LocalServer32\ = "C:\\PROGRA~1\\VSREVO~1\\REVOUN~1\\ruplp.exe"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\FLAGS	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\Version = "5.1"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1D928D64-60D3-4FAC-B810-C4D9D8A680CF}\ = "RUExt"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0	ruplp.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1304	RUNDLL32.EXE
Token: SeRestorePrivilege	1304	RUNDLL32.EXE
Token: SeRestorePrivilege	1304	RUNDLL32.EXE
Token: SeRestorePrivilege	1304	RUNDLL32.EXE
Token: SeRestorePrivilege	1304	RUNDLL32.EXE
Token: SeRestorePrivilege	1304	RUNDLL32.EXE
Token: SeRestorePrivilege	1304	RUNDLL32.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2368	RevoUninPro.exe
2368	RevoUninPro.exe
1824	RevoUninPro.exe
1824	RevoUninPro.exe
1824	RevoUninPro.exe
1824	RevoUninPro.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1304	560	Revo.Uninstaller.Pro.v5.3.0.exe	29
PID 560 wrote to memory of 1304	560	Revo.Uninstaller.Pro.v5.3.0.exe	29
PID 560 wrote to memory of 1304	560	Revo.Uninstaller.Pro.v5.3.0.exe	29
PID 560 wrote to memory of 1304	560	Revo.Uninstaller.Pro.v5.3.0.exe	29
PID 1304 wrote to memory of 2552	1304	RUNDLL32.EXE	30
PID 1304 wrote to memory of 2552	1304	RUNDLL32.EXE	30
PID 1304 wrote to memory of 2552	1304	RUNDLL32.EXE	30
PID 2552 wrote to memory of 1804	2552	runonce.exe	31
PID 2552 wrote to memory of 1804	2552	runonce.exe	31
PID 2552 wrote to memory of 1804	2552	runonce.exe	31
PID 560 wrote to memory of 2196	560	Revo.Uninstaller.Pro.v5.3.0.exe	33
PID 560 wrote to memory of 2196	560	Revo.Uninstaller.Pro.v5.3.0.exe	33
PID 560 wrote to memory of 2196	560	Revo.Uninstaller.Pro.v5.3.0.exe	33
PID 560 wrote to memory of 2196	560	Revo.Uninstaller.Pro.v5.3.0.exe	33
PID 560 wrote to memory of 2196	560	Revo.Uninstaller.Pro.v5.3.0.exe	33
PID 560 wrote to memory of 2196	560	Revo.Uninstaller.Pro.v5.3.0.exe	33
PID 560 wrote to memory of 2196	560	Revo.Uninstaller.Pro.v5.3.0.exe	33
PID 560 wrote to memory of 2368	560	Revo.Uninstaller.Pro.v5.3.0.exe	34
PID 560 wrote to memory of 2368	560	Revo.Uninstaller.Pro.v5.3.0.exe	34
PID 560 wrote to memory of 2368	560	Revo.Uninstaller.Pro.v5.3.0.exe	34
PID 560 wrote to memory of 2368	560	Revo.Uninstaller.Pro.v5.3.0.exe	34
PID 560 wrote to memory of 1644	560	Revo.Uninstaller.Pro.v5.3.0.exe	35
PID 560 wrote to memory of 1644	560	Revo.Uninstaller.Pro.v5.3.0.exe	35
PID 560 wrote to memory of 1644	560	Revo.Uninstaller.Pro.v5.3.0.exe	35
PID 560 wrote to memory of 1644	560	Revo.Uninstaller.Pro.v5.3.0.exe	35
PID 560 wrote to memory of 1824	560	Revo.Uninstaller.Pro.v5.3.0.exe	37
PID 560 wrote to memory of 1824	560	Revo.Uninstaller.Pro.v5.3.0.exe	37
PID 560 wrote to memory of 1824	560	Revo.Uninstaller.Pro.v5.3.0.exe	37
PID 560 wrote to memory of 1824	560	Revo.Uninstaller.Pro.v5.3.0.exe	37

C:\Users\Admin\AppData\Local\Temp\Revo.Uninstaller.Pro.v5.3.0.exe
"C:\Users\Admin\AppData\Local\Temp\Revo.Uninstaller.Pro.v5.3.0.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\system32\RUNDLL32.EXE
  RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\system32\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\System32\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      PID:1804
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe /s "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll"
  2⤵
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Modifies registry class
  PID:2196
- C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
  "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2368
- C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
  "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1644
- C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
  "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1824

C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe
C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll

Filesize
187KB

MD5
8b9964e06195fd375d126b424e236f03

SHA1
6f1741cfeb9fb70c34857dbba3e063c88c3c32fa

SHA256
bda04b693bfdea86a7a3b47f2e4ceae9cd9475c4e81b0aa73b70fd244a65f70f

SHA512
741019523b4c5f4ef9a7952172309b2d304a84cbd98fff99a719105cc1938157edb1691554a21b9dcd2b523c0f1ab0d37879deefc3b2fa5579c0d8c76cade483

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\english.ini

Filesize
123KB

MD5
00d7babcb1fca39669a305acc4e6bc4e

SHA1
caa71de90128acf6e8d812e02aa8ba4622bf8454

SHA256
f0f1890de8a60f87297d6de21146977060a3b5d82e09523bced0c238e94f5d2e

SHA512
9f1348f6ee7325b7d3381865bda4d71807da45c941c3b40c7671df04a6558832dfd03f25f5664250b43b641117d7d3d7c71f7e81b747cbc559fc5b8169033f66

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf

Filesize
2KB

MD5
edc78deb34de240c787b1011161e9a4e

SHA1
2d31275530dce33d3bc329991c8ad59e1b303577

SHA256
69569b4b111035cd35186da239d8241cf96350f6bb296210368ebc570fa2162b

SHA512
e55eefcc39b7353ef11a778910400c5c85cab9657bb350840988cbbf556dc343a9c1803442643c9255c149f8d93a5c2d2e6c3bea244f67c895e635eaec0a0f7b

Download Submit
C:\ProgramData\VS Revo Group\Revo Uninstaller Pro\revouninstallerpro5.lic

Filesize
64KB

MD5
8462a9b69c76a9603a4143d51fbc201e

SHA1
4473590f93f94f22c340a354516191c3c0ba6532

SHA256
fe4bcb4251f77375119a936c80fb36221af0c5105e840e2e115d47f96cb437c8

SHA512
2f02ecdb06760a093f4d8e6f04c97138695b064db8cb2dcc4af9b47c829852f38b77be9425eb2f3e3e36f85da181c116c829921fa35ae68afc57c728d5393570

Download Submit
C:\Users\Admin\AppData\Local\VS Revo Group\Revo Uninstaller Pro\logFile.vslog

Filesize
322B

MD5
e32c4fd63407af1dff945c224dfbea41

SHA1
3f483e5afa254a00d7fd53ce354035734e75485f

SHA256
99eb46656ea293fb42425b47a007134389e395d48aec17f5dfd83188280120fa

SHA512
e077c3c04cb0399c7ed96d8b7913d194ae25cbfffdd1be0aea67fc9f88b0e2228ba2883ffd4fbeb78a060bb04062cb8fd5f1965b77862004ab8d144b1ed1c615

Download Submit
C:\Windows\System32\drivers\revoflt.sys

Filesize
46KB

MD5
0006295c6c5f7fad92484785b9c8fac6

SHA1
7e50c90a91b92f943e951c1cd8809fe12fc75cc0

SHA256
4ba2879f2b82978110e4b3940ebfeb2ca2399660b0627998c6fea0bf33603b62

SHA512
37f02befaf3b988676af4e556cba142dfef78fd771d4c68f7744e92e789a5c1fd72afe2bb38e297e190f962a6ccf58c161f80bec2a7aacaf024256f25eb7bf03

Download Submit
\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe

Filesize
24.2MB

MD5
c8c368988a2a4c2a953b7db4bca47961

SHA1
5acc29b51284146a9ff7b1587c3d89416e66acdf

SHA256
f680e0fe00a48f6e3d079c1572682d6664f476b119745d73cb852baba58cc683

SHA512
5fdef1f4e3b471910fe2b12f6f6aa8bfad3f2a9c80954843085c79139823a88e0c7d921b7c01dda56871800afc20de4739682c02e9fa6a94715c64207a671b30

Download Submit
\Program Files\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe

Filesize
175KB

MD5
886796a33ecf9f4a224af23f57d26511

SHA1
43d83d0ca6130cb0666ed3c2137b9fd4eeabeeda

SHA256
0671aaf3da6b3dc70b9c9dc28700061d1bbc3c05b12d6ac106ee108a281b50d1

SHA512
998247a0ca973c81585168ee24035a595c33785bfddbc89fd3b0500402bd0eff7bf8241a2501525b89cadf7e6b0d07e452c3a8a64ceb3117dd8626ee69875527

Download Submit
\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe

Filesize
9.6MB

MD5
216b49b7eb7be44d7ed7367f3725285f

SHA1
cf0776ecbc163c738fd43767bedcc2a67acef423

SHA256
c6d97857b3b9f26c8e93d7b6e6481f93a16db75cbf9d1756cb29fba0fd9e240e

SHA512
060fb76d91bee1b421f133cae17726a68adc97ddce76a67196d10e735e216d032bee939c905b847c50f29e859dca43cdf1b19e4ae349e00efe88147224d665cb

Download Submit
\Users\Admin\AppData\Local\Temp\nsu2DE6.tmp\LangDLL.dll

Filesize
5KB

MD5
549ee11198143574f4d9953198a09fe8

SHA1
2e89ba5f30e1c1c4ce517f28ec1505294bb6c4c1

SHA256
131aa0df90c08dce2eecee46cce8759e9afff04bf15b7b0002c2a53ae5e92c36

SHA512
0fb4cea4fd320381fe50c52d1c198261f0347d6dcee857917169fcc3e2083ed4933beff708e81d816787195cca050f3f5f9c5ac9cc7f781831b028ef5714bec8

Download Submit
\Users\Admin\AppData\Local\Temp\nsu2DE6.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
\Users\Admin\AppData\Local\Temp\nsu2DE6.tmp\nsDialogs.dll

Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit
\Users\Admin\AppData\Local\Temp\nsu2DE6.tmp\nsExec.dll

Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit
memory/1644-195-0x0000000000400000-0x0000000000E32000-memory.dmp

Filesize
10.2MB

Download
memory/3048-237-0x0000000000400000-0x0000000000E32000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads