d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Resubmissions

09-07-2021 18:43

03-07-2021 05:47

Target

revil.exe
Size

890KB
MD5

561cffbaba71a6e8cc1cdceda990ead4
SHA1

5162f14d75e96edb914d1756349d6e11583db0b0
SHA256

d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
SHA512

09149b9825db2c9e6d2ec6665abc64b0b7aaafaa47c921c5bf0062cd7bedd1fc64cf54646a098f45fc4b930f5fbecee586fe839950c9135f64ea722b00baa50e

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

MsMpEng.exe

pid process

1072 MsMpEng.exe
Drops file in Windows directory 2 IoCs

Processes:

revil.exe

description ioc process

File created C:\Windows\mpsvc.dll revil.exe
File created C:\Windows\MsMpEng.exe revil.exe

pid	process
1072	MsMpEng.exe

description	ioc	process
File created	C:\Windows\mpsvc.dll	revil.exe
File created	C:\Windows\MsMpEng.exe	revil.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

revil.exe

description	pid	process	target process
PID 640 wrote to memory of 1072	640	revil.exe	MsMpEng.exe
PID 640 wrote to memory of 1072	640	revil.exe	MsMpEng.exe
PID 640 wrote to memory of 1072	640	revil.exe	MsMpEng.exe
PID 640 wrote to memory of 1072	640	revil.exe	MsMpEng.exe

C:\Windows\MsMpEng.exe
"C:\Windows\MsMpEng.exe"
2⤵
- Executes dropped EXE
PID:1072

C:\Windows\MsMpEng.exe
MD5
8cc83221870dd07144e63df594c391d9

SHA1
3d409b39b8502fcd23335a878f2cbdaf6d721995

SHA256
33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a

SHA512
e7f964a10a8799310a519fa569d264f652e13cc7ea199792dc6a5c0507dec4a12844a87bf8bab714255dce717839908ed5d967ce8f65f5520fe4e7f9d25a622c

Download Submit
C:\Windows\mpsvc.dll
MD5
a47cf00aedf769d60d58bfe00c0b5421

SHA1
656c4d285ea518d90c1b669b79af475db31e30b1

SHA256
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

SHA512
4c2dcad3bd478fa70d086b7426d55976caa7ffc3d120c9c805cbb49eae910123c496bf2356066afcacba12ba05c963bbb8d95ed7f548479c90fec57aa16e4637

Download Submit
memory/1072-59-0x0000000000000000-mapping.dmp

Download
memory/1072-62-0x0000000074F31000-0x0000000074F33000-memory.dmp

Filesize
8KB

Download
memory/1072-63-0x00000000001D0000-0x00000000001F2000-memory.dmp

Filesize
136KB

Download