Overview

overview

10

Static

static

10

revil-fixed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    79s
  • max time network
    81s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2025, 22:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    revil-fixed.exe

  • Size

    126KB

  • MD5

    329b8aaea517a511908683b56446db99

  • SHA1

    9abe20a9c460a3e530cb96658541c6d25700a529

  • SHA256

    c09c691d40d8b935de4b60c92e1d4fc85f409fb546fd4a5e5b5483ae150fbf20

  • SHA512

    172d290abe8fef35e8bea43319dc68092c61389257c73e94fcde68f67f97022c1bbda1fe50cd35775bda6e2473af1bad0e5cdb2ff7060e8365bbbe4765a3b3fa

  • SSDEEP

    1536:oxOUyl20w8bVZQ40iMSO1fY+iUyQs2r8t5p1ySotICS4A6QdZls8XzUXiWr4X5Fg:oMhQNDEtb3A2ZHjUyWr4X5FTDUA

Score
10/10
defense_evasiondiscoverypersistenceprivilege_escalationransomware

Malware Config

Extracted

Path

C:\Recovery\5dab155w-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 5dab155w. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EE7FC9C553EC8DD6 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/EE7FC9C553EC8DD6 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: iP78IyYl3/hFk6pSz8FMarwCNkY4pmuQAfAPPeX56Q5xoPd9S7grU1NynDxDn5KJ k+Tw1slLdnOVXdR94naNT1WUOMBeJkiCoXwAE69LfzJtxfBBOg06EFPgDvMucbq/ OtJmL1m4V5AfEQDHiMAIBZ2dcx0dDDbnls4KOoMxXPtJgj8FJpRffpp1FHLGugS4 YUAmYYk4H4sUy+7HjO6ooapRd7Z2AkxHaZuieJFn0lEMv4Dz6po9BMYXznaxx1ua EVPqU6UCluDX9blDbHjCDmmK/XCoASZ6q1sjr4LqQa6W4Z47xyAy8dhcZslzBHdJ Slt2hsJ9limGHGgcV4QA5bPKdt6u37vAvbKoWzkjp1rxTG5ub16IK0dXOa9kB14F xA5W1rPZczmUSTMKUsJu9Ely9jsC8f5+U4GMzY+m0QNNuR3ZOJiYj7YqE4yorqEi wbnGdyI0fI3t51+0jkyheQwKWOiKzC2CIn3np5ASCXW41HIsDqlwIi/r6/twlc1O bc2zVG+T/t3lRA34rFfmsM8sQbPxAA4YUKt6F8AWoK2F0mGuC4PYBHo9OdGaUi0C JbSVOvP+FYyi8sX18EJLJjuL2rdkYqkZg4kNDTSQqhdv3qkkSkxg/lAU0Cx0Ca1J VrJLcu2hfgJifjq2yPT0TfQNuE1wWCV77FNxtLVbcJa8+QKU17q04mD8dgdjWyga O60DdwsNEadEKj3FQEwYIsZTnjVHbcz+9ppedffJAxJ+BM1OaAExX/0gpN2tPdc4 vM4cZ13wQ+PMcg4GnuXjdy3Vvk6PaJZNrGABfFs/lpY3Y7QgM3715j1RdiH4slCw hzd9kKmO2lSG/OXN1f/vK9EjGHuvcVxdgcxiOLFUyL3ceC5VUJKsH+9/vJtoAs49 2VOE1zo5mP8fAKo4EUIP5xuQv04XMT/G5fDnQe4AUTUK/3E2ck+uJZVNkT+ilT7I zy/cH37mlJGzY062xrTMfJi0ROtvTLNaz4KEQinE8kidkhRW19C4qzHFWmdrQmuv xBTnixvUKpFMnks1dZ/o24zAT/ui2259o7Aq9Q6FB7NiFRt6xs2wzeEb5mYA55LF ctUbZqP2DLrxsI/gG53NpeHfiKV3S3oSYGQU4VMNFJB/cyaoaoXj1v+iItzvnCHM aTkh91upr1iRVjKZd1GCQk7VL9wYUmyD+OFdn+ON9ycFT6FzZMuTTKe0Gg+vP9nM yBLpErlOL2fQBfJw7QDzcIsPeABzVHjyCHrWjxH+dcKb850xtTGnMN7+5hTJ/SHc RkA0iqF9MAo3oBuPjJtzeidRkJOaDHRWJ1W4MvCqyoJW5Cj7+qdT6EE4lbFoWKnI 8mbEvtb2BbAR97c7f/b+Mo9+wOANSJ65CgtZeOb09G8= ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EE7FC9C553EC8DD6

http://decoder.re/EE7FC9C553EC8DD6

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
    defense_evasion
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 30 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\revil-fixed.exe
    "C:\Users\Admin\AppData\Local\Temp\revil-fixed.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:4716
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:4732
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:6132
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:6124
    • C:\Windows\regedit.exe
      "C:\Windows\regedit.exe"
      1⤵
      • Runs regedit.exe
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1376

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\5dab155w-readme.txt
      Filesize

      6KB

      MD5

      acaeb773fbd598dcd870e6540b1d4245

      SHA1

      c1eac26e4cd496c77837dd6970a07abc549dc8ef

      SHA256

      bca9350cead68aa81f97ddea97bfd491f04662393764195a45bce0b6337b4137

      SHA512

      e82d7810e52e54c57225e18e8bbc402538b6d096f6428abbe5203368f27eee58652aa785344cfee05e943afe5d6707f07f005fa19aff0c8cdecb85671e0af041

      Download Submit