Overview

overview

10

Static

static

revil.exe

windows7_x64

8

revil.exe

windows10_x64

10

Resubmissions

09-07-2021 18:43

210709-xh8gzcvt82 10

03-07-2021 05:47

210703-97x2n2g7ps 10

Analysis

  • max time kernel
    144s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    03-07-2021 05:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    revil.exe

  • Size

    890KB

  • MD5

    561cffbaba71a6e8cc1cdceda990ead4

  • SHA1

    5162f14d75e96edb914d1756349d6e11583db0b0

  • SHA256

    d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

  • SHA512

    09149b9825db2c9e6d2ec6665abc64b0b7aaafaa47c921c5bf0062cd7bedd1fc64cf54646a098f45fc4b930f5fbecee586fe839950c9135f64ea722b00baa50e

Score
10/10
evasionransomware

Malware Config

Extracted

Path

C:\csruj-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension csruj. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/66060A2A6152521E 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/66060A2A6152521E Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: dJbLfiWYv76q/DPGpzpR2pm796WiMb5iya06dL9Wdpgpm4t1Vr8e/jWP2pVc52fq SrvCHsSU1Pj4/inZ6vHU/ThO9F3liQlNcbdfG3N4+L7jQ4yQP6jSXzaZwJOWupCZ CLOIZ5dTgk3pUO08tHP1iHtmIH9mbHqiH1kFoZTLNvslJib0Ar1Xnf8rmtVB5hjN 9o0dvOx4RFslmI5eqJ3P8Pgizz4i+dEX0y4Edl14P/y/EFhW9V/BUwtIJZ/ov2+4 Ms77cqVZwVFVGcUPXARqyw9FJh68g1sv2lD38d1cxIs9/ARJOD9RtoUd02kqsEvz UmiXs7yknjhqAgZ+oCK93gFKiEr6DJiLekLpF+XFT0SoF6g1xIVcNNsqVd/NP9EJ KL46oCaLxhRr4phgPFgy/qtncxK88Q4xrteC+xb8VKEEuTYHmFuthMGlt9dzGfmU 2WCE5+X3Xjh21OVOMMdLcVjH3SpVZAVy2WIdk3P8sxh198i5xoQtNu0sC7jGhf2L C+uhsFSFh5E5oLs4uvR1pQ+ycCh2KHWlqHBMgl/i4SHf2lsPvsJZFD+I7JcDU+BO pVD9gXGdiwAJr/k07R2L6c3c5XA7mWJVUMiLYhLdpsEb0EodDe6V+hbUW2lsd5MB qN7A/OKTCtIz+1bWJXA4kbbaiA+7nn7XSJO83RMHAoqcCoXAZMF8yNpBYlgiNlIZ BVi436uZCe0+N03O5TL1ia2AAB0pg276O2Tb4dEl4AVgq1oUz8kOnCLFpTtdatFQ 2bKgnI6ogDW2j64JI+VKx1lg/BZlLHr5SkJecBHlcz0C394B8djclLtmSrv8PaVh ueefCORclBfirxbDOdpoVI4yRPqd8mLgK+NQFt8PmdR3axLRXQmKtytT9yVV1Rid LN9AxLqEGdvWQljMhrrT0YnsUUZvp1bN3NoDQaZDsGtvvT+ePhTJ06wKNtnq/Buk h10HzaP5fw+cqLw613iMqMDvEZweSefgAOzWBN9pIg0nYNe37LzcGhVq0g+umuRk qN8+yVZYdGg7BN9pNUFld6MzG9Dp4zeuzKiOClYjIhQkLsflMqTXGeLQZcY5nO3V 5eWcsJPLjKQf972KJ1qC5Jutqx6r7kHr3bvOUj2ysvbdbuNJ9zsuA9cErWph5PmR agMv3Tjqqc7IvAM+0XUbTrcnPMvpqBky0+Qev7KCzkHoXwjRaVUSD73aBG/qF0nd GEqOxL9KRIyH4QUR/iZhBr+tx9CZtM7S5CpbebU7KjBvHx5GvYo2uFIFVDXFoX0R 20G+wg== ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/66060A2A6152521E

http://decoder.re/66060A2A6152521E

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\revil.exe
    "C:\Users\Admin\AppData\Local\Temp\revil.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Windows\MsMpEng.exe
      "C:\Windows\MsMpEng.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4832
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
        3⤵
          PID:4272
    • C:\Windows\system32\wbem\unsecapp.exe
      C:\Windows\system32\wbem\unsecapp.exe -Embedding
      1⤵
        PID:4048
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:576

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\MsMpEng.exe
        MD5

        8cc83221870dd07144e63df594c391d9

        SHA1

        3d409b39b8502fcd23335a878f2cbdaf6d721995

        SHA256

        33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a

        SHA512

        e7f964a10a8799310a519fa569d264f652e13cc7ea199792dc6a5c0507dec4a12844a87bf8bab714255dce717839908ed5d967ce8f65f5520fe4e7f9d25a622c

        Download Submit

      • C:\Windows\MsMpEng.exe
        MD5

        8cc83221870dd07144e63df594c391d9

        SHA1

        3d409b39b8502fcd23335a878f2cbdaf6d721995

        SHA256

        33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a

        SHA512

        e7f964a10a8799310a519fa569d264f652e13cc7ea199792dc6a5c0507dec4a12844a87bf8bab714255dce717839908ed5d967ce8f65f5520fe4e7f9d25a622c

        Download Submit

      • C:\Windows\mpsvc.dll
        MD5

        a47cf00aedf769d60d58bfe00c0b5421

        SHA1

        656c4d285ea518d90c1b669b79af475db31e30b1

        SHA256

        8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

        SHA512

        4c2dcad3bd478fa70d086b7426d55976caa7ffc3d120c9c805cbb49eae910123c496bf2356066afcacba12ba05c963bbb8d95ed7f548479c90fec57aa16e4637

        Download Submit

      • memory/4272-119-0x0000000000000000-mapping.dmp

        Download

      • memory/4832-114-0x0000000000000000-mapping.dmp

        Download

      • memory/4832-118-0x0000000002D90000-0x0000000002DB2000-memory.dmp

        Filesize

        136KB

        Download