d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e | Triage

Resubmissions

09-07-2021 18:43

210709-xh8gzcvt82 10

03-07-2021 05:47

210703-97x2n2g7ps 10

Analysis

max time kernel
2s
max time network
38s
platform
windows7_x64
resource
win7v20210410
submitted
03-07-2021 05:47

Sharing

Report Analysis Logs

General

Target

revil.exe
Size

890KB
MD5

561cffbaba71a6e8cc1cdceda990ead4
SHA1

5162f14d75e96edb914d1756349d6e11583db0b0
SHA256

d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
SHA512

09149b9825db2c9e6d2ec6665abc64b0b7aaafaa47c921c5bf0062cd7bedd1fc64cf54646a098f45fc4b930f5fbecee586fe839950c9135f64ea722b00baa50e

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1072	MsMpEng.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\mpsvc.dll	revil.exe
File created	C:\Windows\MsMpEng.exe	revil.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 1072	640	revil.exe	25
PID 640 wrote to memory of 1072	640	revil.exe	25
PID 640 wrote to memory of 1072	640	revil.exe	25
PID 640 wrote to memory of 1072	640	revil.exe	25

C:\Users\Admin\AppData\Local\Temp\revil.exe
"C:\Users\Admin\AppData\Local\Temp\revil.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\MsMpEng.exe
  "C:\Windows\MsMpEng.exe"
  2⤵
  - Executes dropped EXE
  PID:1072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-62-0x0000000074F31000-0x0000000074F33000-memory.dmp

Filesize
8KB

Download
memory/1072-63-0x00000000001D0000-0x00000000001F2000-memory.dmp

Filesize
136KB

Download