99780d1dd0432e633b8782c99932d5ad079e06b94f430ce0fcc9e8de420ee746

Analysis

max time kernel
93s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_3241a65212bb067c6c6e819e868d5791_black-basta_hawkeye_luca-stealer.exe
Size

17.9MB
MD5

3241a65212bb067c6c6e819e868d5791
SHA1

7812f4c17ad4ae0782c38bf4aa43b19c5f806f26
SHA256

99780d1dd0432e633b8782c99932d5ad079e06b94f430ce0fcc9e8de420ee746
SHA512

e58d0a7407ea1bdc11b5fdeb53a07c691c01ef9944b071294fd28b36de0c67f9a135a2e8fe4a54d86ba28122fc48d2bea12c101183d505a6b5a88dad3855099a
SSDEEP

393216:ak/VC6t0vOKtIca6AhP9av6hPWeO9MrnhlPpPXnhssoAn:N/t+Q5XmOKSHp/nhsyn

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETBAF3.tmp	rundll32.exe
File created	C:\Windows\system32\DRIVERS\SETBAF3.tmp	rundll32.exe
File opened for modification	C:\Windows\system32\DRIVERS\revoflt.sys	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	2025-03-31_3241a65212bb067c6c6e819e868d5791_black-basta_hawkeye_luca-stealer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	RevoUninProSetup.tmp

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
4508	RevoUninProSetup.exe
2748	RevoUninProSetup.tmp
2100	ruplp.exe
4740	RevoUninPro.exe
680	License.exe

Loads dropped DLL 1 IoCs

pid	Process
4864	regsvr32.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 61 IoCs

description	ioc	Process
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-DTI2E.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-FKFOH.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-P5A28.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-2QR0E.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-98D5H.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-V7KF3.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-CALC0.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-LQB5U.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-FIR20.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-IR1QK.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-U1LF6.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-CE507.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-LCM0F.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-HL3BG.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-QNG3A.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-P0HAG.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-B5LP8.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-ILS7J.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-CNIOO.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-4PMBJ.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-4PF8I.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-BQ81J.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-3Q2O4.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-V472J.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-JPNTB.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-ALLNU.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-6OQM3.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-4QO2K.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-5NR7Q.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-MGVKC.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-74671.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-NPBN3.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-3PB57.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.msg	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-Q4UKI.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-JFCGR.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-800AL.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8OE70.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-61OEI.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-UJVPC.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-SMQ6F.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-GEUPQ.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-6O95J.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8PC3L.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-2B7KB.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-PCGNF.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-2H5VN.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-CUG9V.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-L392I.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-5GVIL.tmp	RevoUninProSetup.tmp
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-11DBF.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-BU725.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-MPT3L.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-HUG17.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-SPL6N.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-QHADS.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-HJAKG.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-AQN1S.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-3CCB8.tmp	RevoUninProSetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RevoUninProSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RevoUninProSetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ruplp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	License.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-31_3241a65212bb067c6c6e819e868d5791_black-basta_hawkeye_luca-stealer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4232	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\DefaultIcon\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe,0"	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\Clsid	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ = "Revo Uninstaller Pro"	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RUExt.DLL\AppID = "{1D928D64-60D3-4FAC-B810-C4D9D8A680CF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RUExt.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ShellFolder	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open\command\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe /implog \"%1\""	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\ = "LicProtector Library"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\FLAGS	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe"	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}	ruplp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\RevoUninstallerPro.ruel\shell\open\command	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\RevoUninstallerPro.ruel\DefaultIcon	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0	ruplp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\{305CA226-D286-468e-B848-2B2E8E697B74} 2 = "8"	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command	RevoUninProSetup.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ShellFolder\Attributes = "48"	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\ruplp.exe"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\Version = "5.1"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\ = "RUShellExt Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\LocalServer32\ = "C:\\PROGRA~1\\VSREVO~1\\REVOUN~1\\ruplp.exe"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe,0"	RevoUninProSetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\RevoUninstallerPro.ruel\shell\open\command	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.ruel	RevoUninProSetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\RevoUninstallerPro.ruel\DefaultIcon	RevoUninProSetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\RevoUninstallerPro.ruel	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel	RevoUninProSetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\.ruel	RevoUninProSetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\RevoUninstallerPro.ruel\shell	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1D928D64-60D3-4FAC-B810-C4D9D8A680CF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID\ = "LicProtector.LicProtectorEXE510"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version	ruplp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ruel\ = "RevoUninstallerPro.ruel"	RevoUninProSetup.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4232	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2748	RevoUninProSetup.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4740	RevoUninPro.exe
4740	RevoUninPro.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 4508	2796	2025-03-31_3241a65212bb067c6c6e819e868d5791_black-basta_hawkeye_luca-stealer.exe	90
PID 2796 wrote to memory of 4508	2796	2025-03-31_3241a65212bb067c6c6e819e868d5791_black-basta_hawkeye_luca-stealer.exe	90
PID 2796 wrote to memory of 4508	2796	2025-03-31_3241a65212bb067c6c6e819e868d5791_black-basta_hawkeye_luca-stealer.exe	90
PID 4508 wrote to memory of 2748	4508	RevoUninProSetup.exe	92
PID 4508 wrote to memory of 2748	4508	RevoUninProSetup.exe	92
PID 4508 wrote to memory of 2748	4508	RevoUninProSetup.exe	92
PID 2748 wrote to memory of 4232	2748	RevoUninProSetup.tmp	93
PID 2748 wrote to memory of 4232	2748	RevoUninProSetup.tmp	93
PID 2748 wrote to memory of 4232	2748	RevoUninProSetup.tmp	93
PID 2748 wrote to memory of 4864	2748	RevoUninProSetup.tmp	99
PID 2748 wrote to memory of 4864	2748	RevoUninProSetup.tmp	99
PID 2748 wrote to memory of 3744	2748	RevoUninProSetup.tmp	100
PID 2748 wrote to memory of 3744	2748	RevoUninProSetup.tmp	100
PID 3744 wrote to memory of 780	3744	rundll32.exe	101
PID 3744 wrote to memory of 780	3744	rundll32.exe	101
PID 3764 wrote to memory of 2808	3764	cmd.exe	104
PID 3764 wrote to memory of 2808	3764	cmd.exe	104
PID 780 wrote to memory of 4440	780	runonce.exe	106
PID 780 wrote to memory of 4440	780	runonce.exe	106
PID 2748 wrote to memory of 2100	2748	RevoUninProSetup.tmp	107
PID 2748 wrote to memory of 2100	2748	RevoUninProSetup.tmp	107
PID 2748 wrote to memory of 2100	2748	RevoUninProSetup.tmp	107
PID 2748 wrote to memory of 4740	2748	RevoUninProSetup.tmp	109
PID 2748 wrote to memory of 4740	2748	RevoUninProSetup.tmp	109
PID 2796 wrote to memory of 680	2796	2025-03-31_3241a65212bb067c6c6e819e868d5791_black-basta_hawkeye_luca-stealer.exe	112
PID 2796 wrote to memory of 680	2796	2025-03-31_3241a65212bb067c6c6e819e868d5791_black-basta_hawkeye_luca-stealer.exe	112
PID 2796 wrote to memory of 680	2796	2025-03-31_3241a65212bb067c6c6e819e868d5791_black-basta_hawkeye_luca-stealer.exe	112
PID 2796 wrote to memory of 1240	2796	2025-03-31_3241a65212bb067c6c6e819e868d5791_black-basta_hawkeye_luca-stealer.exe	113
PID 2796 wrote to memory of 1240	2796	2025-03-31_3241a65212bb067c6c6e819e868d5791_black-basta_hawkeye_luca-stealer.exe	113
PID 2796 wrote to memory of 1240	2796	2025-03-31_3241a65212bb067c6c6e819e868d5791_black-basta_hawkeye_luca-stealer.exe	113

C:\Users\Admin\AppData\Local\Temp\2025-03-31_3241a65212bb067c6c6e819e868d5791_black-basta_hawkeye_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-31_3241a65212bb067c6c6e819e868d5791_black-basta_hawkeye_luca-stealer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\RevoUninProSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RevoUninProSetup.exe" /silent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\is-5O424.tmp\RevoUninProSetup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-5O424.tmp\RevoUninProSetup.tmp" /SL5="$602C6,17134221,196608,C:\Users\Admin\AppData\Local\Temp\RarSFX0\RevoUninProSetup.exe" /silent
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im ruplp.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4232
  - - C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll"
      4⤵
      Loads dropped DLL
      Modifies system executable filetype association
      Modifies registry class
      PID:4864
  - - C:\Windows\system32\rundll32.exe
      "rundll32.exe " SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
      4⤵
      Drops file in Drivers directory
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:780
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:4440
  - - C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
      "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2100
  - - C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
      "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4740
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\License.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\License.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:680
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\Software\VS Revo Group\Revo Uninstaller Pro\General" /v "RegUN" /t REG_SZ /d "Cumiche" /f /reg:64
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grpconv -o
1⤵
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Windows\system32\grpconv.exe
  grpconv -o
  2⤵
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll

Filesize
187KB

MD5
8b9964e06195fd375d126b424e236f03

SHA1
6f1741cfeb9fb70c34857dbba3e063c88c3c32fa

SHA256
bda04b693bfdea86a7a3b47f2e4ceae9cd9475c4e81b0aa73b70fd244a65f70f

SHA512
741019523b4c5f4ef9a7952172309b2d304a84cbd98fff99a719105cc1938157edb1691554a21b9dcd2b523c0f1ab0d37879deefc3b2fa5579c0d8c76cade483

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe

Filesize
24.1MB

MD5
e5cbe37d1e7bc23c4cc473291f07a41a

SHA1
b13b079deb116b7ca0e76dae235668b0cb48346c

SHA256
3c305231c6c9469d99e18efeedb15aece1b98b7b7d3da2bdde626b36cd9b4118

SHA512
15c03644a5f1268ad5c64574f8831aebb6c445d38d4abb2d2abd33ba9ebe71f29f16d09bf292eb1ceb4307b8a0fefe9618bad0dc56ef92c7ee04af0afef3c608

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\english.ini

Filesize
122KB

MD5
60184157c8e45f4715bdb31b8bd687ff

SHA1
9219c2e72ed248e48fb8413d908aea38c62c11d9

SHA256
3ab682690fe4e7adb498e594d06f8093f003573b0ff4c8eaaa74ba1e2f8a21a5

SHA512
73bb0dfb0eec5f6b91b4bab6524fff6ad598b3e91bd3cabbf0d27d186956be10b1bc0a15d4f989ad8ed806926311670014a7c6a317a64c2fdd82848adb0048e7

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf

Filesize
2KB

MD5
edc78deb34de240c787b1011161e9a4e

SHA1
2d31275530dce33d3bc329991c8ad59e1b303577

SHA256
69569b4b111035cd35186da239d8241cf96350f6bb296210368ebc570fa2162b

SHA512
e55eefcc39b7353ef11a778910400c5c85cab9657bb350840988cbbf556dc343a9c1803442643c9255c149f8d93a5c2d2e6c3bea244f67c895e635eaec0a0f7b

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe

Filesize
9.6MB

MD5
216b49b7eb7be44d7ed7367f3725285f

SHA1
cf0776ecbc163c738fd43767bedcc2a67acef423

SHA256
c6d97857b3b9f26c8e93d7b6e6481f93a16db75cbf9d1756cb29fba0fd9e240e

SHA512
060fb76d91bee1b421f133cae17726a68adc97ddce76a67196d10e735e216d032bee939c905b847c50f29e859dca43cdf1b19e4ae349e00efe88147224d665cb

Download Submit
C:\ProgramData\VS Revo Group\Revo Uninstaller Pro\revouninstallerpro5.lic

Filesize
64KB

MD5
8462a9b69c76a9603a4143d51fbc201e

SHA1
4473590f93f94f22c340a354516191c3c0ba6532

SHA256
fe4bcb4251f77375119a936c80fb36221af0c5105e840e2e115d47f96cb437c8

SHA512
2f02ecdb06760a093f4d8e6f04c97138695b064db8cb2dcc4af9b47c829852f38b77be9425eb2f3e3e36f85da181c116c829921fa35ae68afc57c728d5393570

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\License.exe

Filesize
534KB

MD5
e0de118335dee8e37f7ed1230b560d8f

SHA1
3517f83306095873de23bb01ee958d56b34886dd

SHA256
79ee72bdb556bf7ac32302c438b5958dc5bc5bfc9a12a0ec823317377c6cd644

SHA512
0e8858c62fd2d8974475292fbe1d0e5617a1ba3c4f0325eb5d15b18b8702ff491481e3d4c19af96b5a8e3274311a42fd96f471e263be8debbe696af4cc8cdac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RevoUninProSetup.exe

Filesize
16.9MB

MD5
c02e72a632d4818ded4e710f94bd4051

SHA1
b3daaae3b78f6b06eb81a467e2b0373c93dffb9d

SHA256
4ebf20180c177a01de8ab4894005949900a9dc67877dc44ed029fcfe1c67860b

SHA512
be2d4186fc09b43288e0fa56418be75b0c8e9d1fb47a14116f9876d1d533ea1bb66a7fe067a3d089d77700b7a6c763027ee2ba291ca53887718663ca70ee6533

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5O424.tmp\RevoUninProSetup.tmp

Filesize
1.2MB

MD5
6c3251c1345c9187f9e2eaf6a5661d98

SHA1
36553b8fe5f08072e843197a09fa0a859063bce9

SHA256
4567388157595a9db586a2b361b42b1fddb16d924d0ead97c464ab051bc7f04d

SHA512
8d63505aaea1a99ba4f0e02a3a63be9031d33efe127b388d98f82443735ac589718ab46e489524b380f2582498b74e1d21a49766e3dac0190d643e15a83b0c28

Download Submit
C:\Windows\System32\drivers\revoflt.sys

Filesize
37KB

MD5
ec8e58e6b58b4fcde77431cda3a24c0e

SHA1
ebb474009b2a2fbce648adff4b8b797fcd00c997

SHA256
25667717bf4691957f07a6363585e2c7eaf22e5fd7229bf32c91ea59ef4a2edd

SHA512
e2c667ebe97973ff27c1edf3e45ebf7950bc8d7aad1126da25290a2f590b21808654694cbe6a0ad1d3649566ec7645eb6b3379c7d7c0a650d5381a69e9cdade4

Download Submit
memory/2100-168-0x0000000000400000-0x0000000000E32000-memory.dmp

Filesize
10.2MB

Download
memory/2748-22-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/2748-176-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/2748-180-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/4508-174-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4508-181-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4508-18-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/4508-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads