revil.exe

General
Target

revil.exe

Filesize

890KB

Completed

03-07-2021 05:50

Score
8/10
MD5

561cffbaba71a6e8cc1cdceda990ead4

SHA1

5162f14d75e96edb914d1756349d6e11583db0b0

SHA256

d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Malware Config
Signatures 3


  • Executes dropped EXE
    MsMpEng.exe

    Reported IOCs

    PID   Process
    1072  MsMpEng.exe
  • Drops file in Windows directory
    revil.exe

    Reported IOCs

    Description   IOC                     Process
    File created  C:\Windows\mpsvc.dll    revil.exe
    File created  C:\Windows\MsMpEng.exe  revil.exe

    Note: MsMpEng.exe is the file name of the Windows Defender antimalware service executable. Here the sample writes a file of that name into C:\Windows together with a DLL named mpsvc.dll and then launches the EXE (see Processes). An executable dropped alongside a same-directory DLL and immediately executed is the layout used for DLL side-loading, where a trusted-looking EXE resolves a library from its own directory and picks up the attacker-supplied copy. The report does not show the EXE's signature or imports, so treat side-loading as the pattern to verify on the dropped files, not as a confirmed finding.
  • Suspicious use of WriteProcessMemory
    revil.exe

    Reported IOCs (four identical events were logged)

    Description                      PID  Process    Target process
    PID 640 wrote to memory of 1072  640  revil.exe  MsMpEng.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\revil.exe
    "C:\Users\Admin\AppData\Local\Temp\revil.exe"
    Drops file in Windows directory
    Suspicious use of WriteProcessMemory
    PID:640
    • C:\Windows\MsMpEng.exe
      "C:\Windows\MsMpEng.exe"
      Executes dropped EXE
      PID:1072
Network
MITRE ATT&CK Matrix
Tactic columns shown, with no techniques listed under any of them: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Windows\MsMpEng.exe
    MD5
    8cc83221870dd07144e63df594c391d9
    SHA1
    3d409b39b8502fcd23335a878f2cbdaf6d721995
    SHA256
    33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
    SHA512
    e7f964a10a8799310a519fa569d264f652e13cc7ea199792dc6a5c0507dec4a12844a87bf8bab714255dce717839908ed5d967ce8f65f5520fe4e7f9d25a622c

  • C:\Windows\mpsvc.dll
    MD5
    a47cf00aedf769d60d58bfe00c0b5421
    SHA1
    656c4d285ea518d90c1b669b79af475db31e30b1
    SHA256
    8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
    SHA512
    4c2dcad3bd478fa70d086b7426d55976caa7ffc3d120c9c805cbb49eae910123c496bf2356066afcacba12ba05c963bbb8d95ed7f548479c90fec57aa16e4637

  Memory dumps from PID 1072 (MsMpEng.exe):
  • memory/1072-59-0x0000000000000000-mapping.dmp
  • memory/1072-62-0x0000000074F31000-0x0000000074F33000-memory.dmp
  • memory/1072-63-0x00000000001D0000-0x00000000001F2000-memory.dmp
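The hashes and paths above are the host-side indicators this report yields. The following is an added example, not part of the sandbox output, that checks a live Windows drive (or a mounted offline image) for the two dropped files, compares them against the reported hashes, and returns a triage verdict. The file paths and MD5/SHA1/SHA256 values are copied from this report; the root-directory parameter, the status names, the verdict rules and the `is_sample` helper are this example's own assumptions.

```python
# Added example (not from the sandbox report): verify this report's dropped-file IOCs
# on a host or an offline filesystem copy. Paths and hashes are taken from the report;
# the root parameter, status names and verdict rules are this example's assumptions.
import hashlib
import os

# C:\Windows\MsMpEng.exe and C:\Windows\mpsvc.dll, hashes as listed under Downloads.
DROPPED_FILES = {
    "Windows/MsMpEng.exe": {
        "md5": "8cc83221870dd07144e63df594c391d9",
        "sha1": "3d409b39b8502fcd23335a878f2cbdaf6d721995",
        "sha256": "33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a",
    },
    "Windows/mpsvc.dll": {
        "md5": "a47cf00aedf769d60d58bfe00c0b5421",
        "sha1": "656c4d285ea518d90c1b669b79af475db31e30b1",
        "sha256": "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd",
    },
}

# The submitted sample itself (General section), for checking quarantines or attachments.
SAMPLE_SHA256 = "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"


def file_hashes(path, chunk_size=1 << 20):
    """MD5, SHA1 and SHA256 of one file, streamed so large binaries stay out of memory."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def check_dropped_files(root, expected=DROPPED_FILES):
    """Map each reported path (relative to `root`: the drive root on a live host, or the
    mount point of an offline image) to 'missing', 'match' or 'present_hash_mismatch'.
    Note that an NTFS image mounted on Linux may be case-sensitive; the report's
    spelling of the path components is used as-is."""
    results = {}
    for rel, wanted in expected.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            results[rel] = "missing"
            continue
        actual = file_hashes(full)
        matched = all(actual[algo] == value for algo, value in wanted.items())
        results[rel] = "match" if matched else "present_hash_mismatch"
    return results


def triage_verdict(results):
    """'confirmed': at least one file matches the reported hashes.
    'suspect':   both files exist but neither matches, i.e. the same EXE-plus-DLL
                 layout with a different build (what a re-packed payload looks like).
    'partial':   only one file of the pair exists and it does not match.
    'clean':     neither file is present."""
    statuses = list(results.values())
    if "match" in statuses:
        return "confirmed"
    present = [s for s in statuses if s != "missing"]
    if results and len(present) == len(results):
        return "suspect"
    if present:
        return "partial"
    return "clean"


def is_sample(path):
    """True if the file at `path` is the submitted revil.exe, by SHA256."""
    return file_hashes(path)["sha256"] == SAMPLE_SHA256


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    res = check_dropped_files(root)
    for rel, status in res.items():
        print(f"{rel}: {status}")
    print("verdict:", triage_verdict(res))
```

Run it with the drive root (`python check_iocs.py C:\`) or with the mount point of a disk image. A 'suspect' verdict deserves the same follow-up as 'confirmed': the sandbox shows the EXE being launched and written to from the dropper, so an EXE-plus-DLL pair in C:\Windows with different hashes should be pulled for inspection rather than dismissed as a hash miss.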