Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/03/2025, 22:24

General

  • Target

    revil-fixed.exe

  • Size

    126KB

  • MD5

    329b8aaea517a511908683b56446db99

  • SHA1

    9abe20a9c460a3e530cb96658541c6d25700a529

  • SHA256

    c09c691d40d8b935de4b60c92e1d4fc85f409fb546fd4a5e5b5483ae150fbf20

  • SHA512

    172d290abe8fef35e8bea43319dc68092c61389257c73e94fcde68f67f97022c1bbda1fe50cd35775bda6e2473af1bad0e5cdb2ff7060e8365bbbe4765a3b3fa

  • SSDEEP

    1536:oxOUyl20w8bVZQ40iMSO1fY+iUyQs2r8t5p1ySotICS4A6QdZls8XzUXiWr4X5Fg:oMhQNDEtb3A2ZHjUyWr4X5FTDUA

Malware Config

Extracted

Path

C:\Users\6n1v62pf-readme.txt

Ransom Note
---=== Welcome. Again. ===---

[-] Whats HapPen? [-]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 6n1v62pf.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E0896972506E9A97

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decoder.re/E0896972506E9A97

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E0896972506E9A97

http://decoder.re/E0896972506E9A97

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 44 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\revil-fixed.exe
    "C:\Users\Admin\AppData\Local\Temp\revil-fixed.exe"
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1508
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:448
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:768
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:2428
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:2828

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\6n1v62pf-readme.txt

    Filesize

    6KB

    MD5

    bd06348e27f1c19da113b4ecb4ae9959

    SHA1

    f6ebfdf421c1958092fb3b048f75e5f785f3f917

    SHA256

    3d537794a92eb8e9914de9d21df6416ddb4a51f4f344e488ce91e3d20aea6b68

    SHA512

    77eda592f105e93c7dfb87bb4f09225ffb03bdb4dda593fa045672818465b59ff4a0a08e10b6a54fa2f88f4e33a01962b5065d4aeb459febc7366b062f53e76e