d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e | Triage

Resubmissions

05-07-2021 15:52

210705-ly6krsr2vn 10

05-07-2021 10:06

210705-5sqy7t1av6 10

05-07-2021 07:17

210705-yaxd4f4556 10

Analysis

max time kernel
4s
max time network
40s
platform
windows7_x64
resource
win7v20210408
submitted
05-07-2021 07:17

Sharing

Report Analysis Logs

General

Target

revil.exe
Size

890KB
MD5

561cffbaba71a6e8cc1cdceda990ead4
SHA1

5162f14d75e96edb914d1756349d6e11583db0b0
SHA256

d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
SHA512

09149b9825db2c9e6d2ec6665abc64b0b7aaafaa47c921c5bf0062cd7bedd1fc64cf54646a098f45fc4b930f5fbecee586fe839950c9135f64ea722b00baa50e

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1996	MsMpEng.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\MsMpEng.exe	revil.exe
File created	C:\Windows\mpsvc.dll	revil.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1996	1208	revil.exe	25
PID 1208 wrote to memory of 1996	1208	revil.exe	25
PID 1208 wrote to memory of 1996	1208	revil.exe	25
PID 1208 wrote to memory of 1996	1208	revil.exe	25

C:\Users\Admin\AppData\Local\Temp\revil.exe
"C:\Users\Admin\AppData\Local\Temp\revil.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\MsMpEng.exe
  "C:\Windows\MsMpEng.exe"
  2⤵
  - Executes dropped EXE
  PID:1996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1996-63-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download
memory/1996-64-0x00000000001B0000-0x00000000001D2000-memory.dmp

Filesize
136KB

Download