revil.exe

General

Target: revil.exe
Filesize: 890KB
Completed: 03-07-2021 05:49
Score: 10/10
MD5: 561cffbaba71a6e8cc1cdceda990ead4
SHA1: 5162f14d75e96edb914d1756349d6e11583db0b0
SHA256: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Malware Config

Extracted

Path: C:\csruj-readme.txt

Ransom Note

---=== Welcome. Again. ===---

[-] Whats HapPen? [-]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension csruj. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/66060A2A6152521E
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decoder.re/66060A2A6152521E
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
dJbLfiWYv76q/DPGpzpR2pm796WiMb5iya06dL9Wdpgpm4t1Vr8e/jWP2pVc52fq
SrvCHsSU1Pj4/inZ6vHU/ThO9F3liQlNcbdfG3N4+L7jQ4yQP6jSXzaZwJOWupCZ
CLOIZ5dTgk3pUO08tHP1iHtmIH9mbHqiH1kFoZTLNvslJib0Ar1Xnf8rmtVB5hjN
9o0dvOx4RFslmI5eqJ3P8Pgizz4i+dEX0y4Edl14P/y/EFhW9V/BUwtIJZ/ov2+4
Ms77cqVZwVFVGcUPXARqyw9FJh68g1sv2lD38d1cxIs9/ARJOD9RtoUd02kqsEvz
UmiXs7yknjhqAgZ+oCK93gFKiEr6DJiLekLpF+XFT0SoF6g1xIVcNNsqVd/NP9EJ
KL46oCaLxhRr4phgPFgy/qtncxK88Q4xrteC+xb8VKEEuTYHmFuthMGlt9dzGfmU
2WCE5+X3Xjh21OVOMMdLcVjH3SpVZAVy2WIdk3P8sxh198i5xoQtNu0sC7jGhf2L
C+uhsFSFh5E5oLs4uvR1pQ+ycCh2KHWlqHBMgl/i4SHf2lsPvsJZFD+I7JcDU+BO
pVD9gXGdiwAJr/k07R2L6c3c5XA7mWJVUMiLYhLdpsEb0EodDe6V+hbUW2lsd5MB
qN7A/OKTCtIz+1bWJXA4kbbaiA+7nn7XSJO83RMHAoqcCoXAZMF8yNpBYlgiNlIZ
BVi436uZCe0+N03O5TL1ia2AAB0pg276O2Tb4dEl4AVgq1oUz8kOnCLFpTtdatFQ
2bKgnI6ogDW2j64JI+VKx1lg/BZlLHr5SkJecBHlcz0C394B8djclLtmSrv8PaVh
ueefCORclBfirxbDOdpoVI4yRPqd8mLgK+NQFt8PmdR3axLRXQmKtytT9yVV1Rid
LN9AxLqEGdvWQljMhrrT0YnsUUZvp1bN3NoDQaZDsGtvvT+ePhTJ06wKNtnq/Buk
h10HzaP5fw+cqLw613iMqMDvEZweSefgAOzWBN9pIg0nYNe37LzcGhVq0g+umuRk
qN8+yVZYdGg7BN9pNUFld6MzG9Dp4zeuzKiOClYjIhQkLsflMqTXGeLQZcY5nO3V
5eWcsJPLjKQf972KJ1qC5Jutqx6r7kHr3bvOUj2ysvbdbuNJ9zsuA9cErWph5PmR
agMv3Tjqqc7IvAM+0XUbTrcnPMvpqBky0+Qev7KCzkHoXwjRaVUSD73aBG/qF0nd
GEqOxL9KRIyH4QUR/iZhBr+tx9CZtM7S5CpbebU7KjBvHx5GvYo2uFIFVDXFoX0R
20G+wg==

-----------------------------------------------------------------------------------------
!!! DANGER !!!
DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/66060A2A6152521E

http://decoder.re/66060A2A6152521E

Signatures (11)

Tactics: Defense Evasion, Discovery, Impact, Persistence
  • Executes dropped EXE
    MsMpEng.exe

    Reported IOCs

    pid | process
    4832 | MsMpEng.exe
  • Modifies Windows Firewall

    TTPs

    Modify Existing Service
  • Modifies extensions of user files
    MsMpEng.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

    description | ioc | process
    File renamed | C:\Users\Admin\Pictures\MoveOpen.raw => \??\c:\users\admin\pictures\MoveOpen.raw.csruj | MsMpEng.exe
    File renamed | C:\Users\Admin\Pictures\ResetCompress.png => \??\c:\users\admin\pictures\ResetCompress.png.csruj | MsMpEng.exe
    File renamed | C:\Users\Admin\Pictures\JoinPush.crw => \??\c:\users\admin\pictures\JoinPush.crw.csruj | MsMpEng.exe
    File renamed | C:\Users\Admin\Pictures\DisableRegister.tif => \??\c:\users\admin\pictures\DisableRegister.tif.csruj | MsMpEng.exe
    File renamed | C:\Users\Admin\Pictures\DismountFind.png => \??\c:\users\admin\pictures\DismountFind.png.csruj | MsMpEng.exe
    File renamed | C:\Users\Admin\Pictures\EnterCopy.crw => \??\c:\users\admin\pictures\EnterCopy.crw.csruj | MsMpEng.exe
    File renamed | C:\Users\Admin\Pictures\HideGrant.raw => \??\c:\users\admin\pictures\HideGrant.raw.csruj | MsMpEng.exe
    File renamed | C:\Users\Admin\Pictures\LimitPing.png => \??\c:\users\admin\pictures\LimitPing.png.csruj | MsMpEng.exe
    File renamed | C:\Users\Admin\Pictures\ResizeWrite.raw => \??\c:\users\admin\pictures\ResizeWrite.raw.csruj | MsMpEng.exe
    File renamed | C:\Users\Admin\Pictures\UseOut.tif => \??\c:\users\admin\pictures\UseOut.tif.csruj | MsMpEng.exe
    File renamed | C:\Users\Admin\Pictures\CheckpointClear.png => \??\c:\users\admin\pictures\CheckpointClear.png.csruj | MsMpEng.exe
  • Enumerates connected drives
    MsMpEng.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | \??\A: | MsMpEng.exe
    File opened (read-only) | \??\B: | MsMpEng.exe
    File opened (read-only) | \??\T: | MsMpEng.exe
    File opened (read-only) | \??\U: | MsMpEng.exe
    File opened (read-only) | \??\W: | MsMpEng.exe
    File opened (read-only) | \??\X: | MsMpEng.exe
    File opened (read-only) | \??\F: | MsMpEng.exe
    File opened (read-only) | \??\J: | MsMpEng.exe
    File opened (read-only) | \??\P: | MsMpEng.exe
    File opened (read-only) | \??\R: | MsMpEng.exe
    File opened (read-only) | \??\S: | MsMpEng.exe
    File opened (read-only) | \??\V: | MsMpEng.exe
    File opened (read-only) | \??\D: | MsMpEng.exe
    File opened (read-only) | \??\E: | MsMpEng.exe
    File opened (read-only) | \??\G: | MsMpEng.exe
    File opened (read-only) | \??\I: | MsMpEng.exe
    File opened (read-only) | \??\K: | MsMpEng.exe
    File opened (read-only) | \??\L: | MsMpEng.exe
    File opened (read-only) | \??\N: | MsMpEng.exe
    File opened (read-only) | \??\Q: | MsMpEng.exe
    File opened (read-only) | \??\Y: | MsMpEng.exe
    File opened (read-only) | \??\Z: | MsMpEng.exe
    File opened (read-only) | \??\H: | MsMpEng.exe
    File opened (read-only) | \??\M: | MsMpEng.exe
    File opened (read-only) | \??\O: | MsMpEng.exe
  • Sets desktop wallpaper using registry
    MsMpEng.exe

    TTPs

    Defacement, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ne5645p90n.bmp" | MsMpEng.exe
  • Drops file in Program Files directory
    MsMpEng.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | \??\c:\program files\SelectUninstall.dib | MsMpEng.exe
    File opened for modification | \??\c:\program files\CloseDisable.pcx | MsMpEng.exe
    File opened for modification | \??\c:\program files\EnterAssert.htm | MsMpEng.exe
    File opened for modification | \??\c:\program files\HideSync.m1v | MsMpEng.exe
    File opened for modification | \??\c:\program files\InvokeRead.rtf | MsMpEng.exe
    File opened for modification | \??\c:\program files\MergeTest.jtx | MsMpEng.exe
    File opened for modification | \??\c:\program files\PopEnable.wma | MsMpEng.exe
    File opened for modification | \??\c:\program files\RestoreRemove.vstx | MsMpEng.exe
    File opened for modification | \??\c:\program files\ShowGrant.kix | MsMpEng.exe
    File opened for modification | \??\c:\program files\UninstallStart.tiff | MsMpEng.exe
    File opened for modification | \??\c:\program files\RedoUnprotect.clr | MsMpEng.exe
    File opened for modification | \??\c:\program files\RemoveOpen.temp | MsMpEng.exe
    File opened for modification | \??\c:\program files\SendAdd.rtf | MsMpEng.exe
    File opened for modification | \??\c:\program files\SendProtect.pub | MsMpEng.exe
    File opened for modification | \??\c:\program files\StopCompress.mht | MsMpEng.exe
    File opened for modification | \??\c:\program files\UninstallEdit.potm | MsMpEng.exe
    File created | \??\c:\program files\tmp | MsMpEng.exe
    File created | \??\c:\program files (x86)\tmp | MsMpEng.exe
    File opened for modification | \??\c:\program files\ConvertFromUndo.pptx | MsMpEng.exe
    File opened for modification | \??\c:\program files\ResolveAdd.wma | MsMpEng.exe
    File opened for modification | \??\c:\program files\SubmitJoin.aiff | MsMpEng.exe
    File opened for modification | \??\c:\program files\UnregisterSave.mp2 | MsMpEng.exe
    File created | \??\c:\program files\csruj-readme.txt | MsMpEng.exe
    File created | \??\c:\program files (x86)\csruj-readme.txt | MsMpEng.exe
    File opened for modification | \??\c:\program files\OptimizeGroup.mpg | MsMpEng.exe
  • Drops file in Windows directory
    revil.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\MsMpEng.exe | revil.exe
    File created | C:\Windows\mpsvc.dll | revil.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    MsMpEng.exe

    Reported IOCs

    pid | process
    4832 | MsMpEng.exe
    4832 | MsMpEng.exe
    4832 | MsMpEng.exe
    4832 | MsMpEng.exe
    4832 | MsMpEng.exe
    4832 | MsMpEng.exe
    4832 | MsMpEng.exe
    4832 | MsMpEng.exe
    4832 | MsMpEng.exe
    4832 | MsMpEng.exe
  • Suspicious use of AdjustPrivilegeToken
    MsMpEng.exe, vssvc.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 4832 | MsMpEng.exe
    Token: SeTakeOwnershipPrivilege | 4832 | MsMpEng.exe
    Token: SeBackupPrivilege | 576 | vssvc.exe
    Token: SeRestorePrivilege | 576 | vssvc.exe
    Token: SeAuditPrivilege | 576 | vssvc.exe
  • Suspicious use of WriteProcessMemory
    revil.exe, MsMpEng.exe

    Reported IOCs

    description | pid | process | target process
    PID 4648 wrote to memory of 4832 | 4648 | revil.exe | MsMpEng.exe
    PID 4648 wrote to memory of 4832 | 4648 | revil.exe | MsMpEng.exe
    PID 4648 wrote to memory of 4832 | 4648 | revil.exe | MsMpEng.exe
    PID 4832 wrote to memory of 4272 | 4832 | MsMpEng.exe | netsh.exe
    PID 4832 wrote to memory of 4272 | 4832 | MsMpEng.exe | netsh.exe
    PID 4832 wrote to memory of 4272 | 4832 | MsMpEng.exe | netsh.exe
Processes (5)
  • C:\Users\Admin\AppData\Local\Temp\revil.exe
    "C:\Users\Admin\AppData\Local\Temp\revil.exe"
    Drops file in Windows directory
    Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Windows\MsMpEng.exe
      "C:\Windows\MsMpEng.exe"
      Executes dropped EXE
      Modifies extensions of user files
      Enumerates connected drives
      Sets desktop wallpaper using registry
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4832
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
        PID:4272
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:4048
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:576
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation
Downloads
  • C:\Windows\MsMpEng.exe
    MD5: 8cc83221870dd07144e63df594c391d9
    SHA1: 3d409b39b8502fcd23335a878f2cbdaf6d721995
    SHA256: 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
    SHA512: e7f964a10a8799310a519fa569d264f652e13cc7ea199792dc6a5c0507dec4a12844a87bf8bab714255dce717839908ed5d967ce8f65f5520fe4e7f9d25a622c

  • C:\Windows\mpsvc.dll
    MD5: a47cf00aedf769d60d58bfe00c0b5421
    SHA1: 656c4d285ea518d90c1b669b79af475db31e30b1
    SHA256: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
    SHA512: 4c2dcad3bd478fa70d086b7426d55976caa7ffc3d120c9c805cbb49eae910123c496bf2356066afcacba12ba05c963bbb8d95ed7f548479c90fec57aa16e4637

  • memory/4272-119-0x0000000000000000-mapping.dmp

  • memory/4832-114-0x0000000000000000-mapping.dmp

  • memory/4832-118-0x0000000002D90000-0x0000000002DB2000-memory.dmp