Overview

overview

10

Static

static

10

revil-fixed.exe

windows7-x64

10

revil-fixed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2025, 22:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    revil-fixed.exe

  • Size

    126KB

  • MD5

    329b8aaea517a511908683b56446db99

  • SHA1

    9abe20a9c460a3e530cb96658541c6d25700a529

  • SHA256

    c09c691d40d8b935de4b60c92e1d4fc85f409fb546fd4a5e5b5483ae150fbf20

  • SHA512

    172d290abe8fef35e8bea43319dc68092c61389257c73e94fcde68f67f97022c1bbda1fe50cd35775bda6e2473af1bad0e5cdb2ff7060e8365bbbe4765a3b3fa

  • SSDEEP

    1536:oxOUyl20w8bVZQ40iMSO1fY+iUyQs2r8t5p1ySotICS4A6QdZls8XzUXiWr4X5Fg:oMhQNDEtb3A2ZHjUyWr4X5FTDUA

Score
10/10
defense_evasiondiscoverypersistenceprivilege_escalationransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\956w42-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 956w42. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FB777F1C95764FDB 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/FB777F1C95764FDB Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: dq3nxfFR5Axnsp7qVHuA3Ij7dk/GczYNFF1wrwyqEpQ8sO5YQCyB69VChcNvIMzl JgNZVYDTfVehsPMMP4EwMClkXwBN+x9zlryuFvjPUWjHvzXrBfrv2bcNm28jatdh UubJelg36PcJofPsuFvOg69bxULPrWQfMTWkxjW9aljxr22dPdRIsIVntdNngdz7 eSZza9l6HMaCEEBnRmgpQUgPRkqbIcvluzMTy092MWTZDcCSNev3cK/Kzvns3hGP 0sp3iIyzqdChwfi7R+SXuC7T7EJ2CEJHxzkXyOPkFIIqzecWVD+ykCFfoVV7qre1 xEadW85iTmfiHgX73XmQdb+BRc3fu6pXBlvpsZ2iAfUiV4eS39KYktIAF9HAv4Pe n8GUUc/7SmCfNxxQgvH0hNbExo3sm7QMv+xDmXe83ArkjfyWzYjJv0yJSwiwU8Jd qsgqwInf2Ee7zBF7Cz4MFGMpqfBtduEY7QLB7EdCgCbo68qFtRG7C90NwypV34iH 59acLEE+9SmcOSctt/yc3zQxT0D4z6IXOGrTulPI6kOD/YtBjzdqrnOr2F/miPqy 5qWIZNAEQYZ5K5TIKCHfDiDCHX/vA5S3/LbLQFuRGiE0+MKSqMT2BM9f17Es/JjN yeOhNsih1fVUXyVAzh0w6NxowbUN2WdI0uKvG0+0otYcvmmH4PohemFYNLx+YV/Q fgkaPB5nT9l35xfA+BDAI5BZTNR62oBTZwEPM3No3pInZIt1Wh2drKVp91azoXv/ or5GEckx6uslUMLPXyKKcEwAykoCAlsq1B/7E8by0g0pyLfdcKHSlGNK3wg4jaKW Rtx6r/VB79Qu41yQDnmkgtVsIZLq53c/XAQTDLjckQCeiOyfV35ibxBoyHph+VFo rOV8CT6OYwmzJPKNCwOYPKOSpBF2lyLUlmcgojDUACUZdN8H4TSlLjN6ur7RZWnA wkldqumZKcUv/6ElolH15NPJCSy2cVdqy3rUCzc3SgZvat9eoKmcQcCXGKlxvBmp 9jQ+m1k7waFHOm41KWteBejrepefCbDIPp/WBM/5hytDw36u9hRd3Z4eqt4+KtpC L5SEJV9rcCcABLbukFuqdtdUb8DlorZ3qGZrfpOB/+h9m3gEkitAXZo1hk7z3Hup 1fOVCPoASl/KwUKQ3ynQcTbj+zcfup/Op6CGZIixoGA6XyklZO+YKJ3yKrlk/4K/ JAvryt1FaRp3+XfMLOEl2PURIc4QGuJzaDFD33TJb7eX8d8YUL0oNMd1iyNkAVfr OBxcjsXr8JBJ9QjzGKcRbUCSQIiA6Yt279YKGRWo+DLoJ1HC5GINyEjGMkPFmDsm +IsYCDP2jkPgO4oRLkAicOmqxB7f4qxV74FTqA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FB777F1C95764FDB

http://decoder.re/FB777F1C95764FDB

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
    defense_evasion
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\revil-fixed.exe
    "C:\Users\Admin\AppData\Local\Temp\revil-fixed.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1372
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:4208
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1428

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\956w42-readme.txt
      Filesize

      6KB

      MD5

      53e2e2e19116dbba8e07da7b3c418179

      SHA1

      8d4a6bff392b42e57b6228b6d0a41ad2b2639b0a

      SHA256

      1e6482872d94cb5b9f1061f3b8565a8be68df6dd2e859ba26ba1e0acb4688361

      SHA512

      98b0686c07dfa8f262215bee68d7d05cac73abf74a26db58eaa04ce0efbf9f34fca409625817d990e306930fa4f833727088c895d17d40f95667b255a41f3eca

      Download Submit