Windows Analysis Report revil.exe

Overview

General Information

Sample Name:revil.exe
Analysis ID:443736
MD5:561cffbaba71a6e8cc1cdceda990ead4
SHA1:5162f14d75e96edb914d1756349d6e11583db0b0
SHA256:d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
Tags:exe, revil, Sodinokibi

Detection

Sodinokibi
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Found ransom note / readme
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Sodinokibi Ransomware
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Drops executables to the windows directory (C:\Windows) and starts them
Found Tor onion address
Modifies existing user documents (likely ransomware behavior)
Modifies the windows firewall
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Executable Used by PlugX in Uncommon Location
Uses netsh to modify the Windows network and firewall settings
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • revil.exe (PID: 6960 cmdline: 'C:\Users\user\Desktop\revil.exe' MD5: 561CFFBABA71A6E8CC1CDCEDA990EAD4)
    • MsMpEng.exe (PID: 6972 cmdline: C:\Windows\MsMpEng.exe MD5: 8CC83221870DD07144E63DF594C391D9)
      • netsh.exe (PID: 5964 cmdline: netsh advfirewall firewall set rule group='Network Discovery' new enable=Yes MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 1424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • unsecapp.exe (PID: 5948 cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding MD5: 9CBD3EC8D9E4F8CE54258B0573C66BEB)
  • cleanup

Malware Configuration

Threatname: Sodinokibi

{
  "prc": ["encsvc", "powerpnt", "ocssd", "steam", "isqlplussvc", "outlook", "sql", "ocomm", "agntsvc", "mspub", "onenote", "winword", "thebat", "excel", "mydesktopqos", "ocautoupds", "thunderbird", "synctime", "infopath", "mydesktopservice", "firefox", "oracle", "sqbcoreservice", "dbeng50", "tbirdconfig", "msaccess", "visio", "dbsnmp", "wordpad", "xfssvccon"],
  "sub": "8254",
  "svc": ["veeam", "memtas", "sql", "backup", "vss", "sophos", "svc$", "mepocs"],
  "wht": {
    "ext": ["ps1", "ldf", "lock", "theme", "msi", "sys", "wpx", "cpl", "adv", "msc", "scr", "bat", "key", "ico", "dll", "hta", "deskthemepack", "nomedia", "msu", "rtp", "msp", "idx", "ani", "386", "diagcfg", "bin", "mod", "ics", "com", "hlp", "spl", "nls", "cab", "exe", "diagpkg", "icl", "ocx", "rom", "prf", "themepack", "msstyles", "lnk", "icns", "mpa", "drv", "cur", "diagcab", "cmd", "shs"],
    "fls": ["ntldr", "thumbs.db", "bootsect.bak", "autorun.inf", "ntuser.dat.log", "boot.ini", "iconcache.db", "bootfont.bin", "ntuser.dat", "ntuser.ini", "desktop.ini"],
    "fld": ["program files", "appdata", "mozilla", "$windows.~ws", "application data", "$windows.~bt", "google", "$recycle.bin", "windows.old", "programdata", "system volume information", "program files (x86)", "boot", "tor browser", "windows", "intel", "perflogs", "msocache"]
  },
  "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA",
  "dmn": "boisehosting.net;fotoideaymedia.es;dubnew.com;stallbyggen.se;koken-voor-baby.nl;juneauopioidworkgroup.org;vancouver-print.ca;zewatchers.com;bouquet-de-roses.com;seevilla-dr-sturm.at;olejack.ru;i-trust.dk;wasmachtmeinfonds.at;appsformacpc.com;friendsandbrgrs.com;thenewrejuveme.com;xn--singlebrsen-vergleich-nec.com;sabel-bf.com;seminoc.com;ceres.org.au;cursoporcelanatoliquido.online;marietteaernoudts.nl;tastewilliamsburg.com;charlottepoudroux-photographie.fr;aselbermachen.com;klimt2012.info;accountancywijchen.nl;creamery201.com;rerekatu.com;makeurvoiceheard.com;vannesteconstruct.be;wellplast.se;andersongilmour.co.uk;bradynursery.com;aarvorg.com;facettenreich27.de;balticdermatology.lt;artige.com;highlinesouthasc.com;crowd-patch.co.uk;sofavietxinh.com;jorgobe.at;danskretursystem.dk;higadograsoweb.com;supportsumba.nl;ruralarcoiris.com;projetlyonturin.fr;kidbucketlist.com.au;harpershologram.wordpress.com;ohidesign.com;international-sound-awards.com;krlosdavid.com;durganews.com;leather-factory.co.jp;coding-machine.com;i-arslan.de;caribbeansunpoker.com;mir-na-iznanku.com;ki-lowroermond.nl;promesapuertorico.com;kissit.ca;dezatec.es;cite4me.org;grelot-home.com;musictreehouse.net;hkr-reise.de;id-vet.com;gasolspecialisten.se;vyhino-zhulebino-24.ru;karacaoglu.nl;bayoga.co.uk;solhaug.tk;jadwalbolanet.info;ncid.bc.ca;bricotienda.com;boldcitydowntown.com;homecomingstudio.com;sojamindbody.com;castillobalduz.es;asgestion.com;dushka.ua;hiddencitysecrets.com.au;danubecloud.com;roadwarrior.app;newstap.com.ng;no-plans.com;schoolofpassivewealth.com;senson.fi;denifl-consulting.at;lmtprovisions.com;talentwunder.com;acomprarseguidores.com;myzk.site;theapifactory.com;midmohandyman.com;argos.wityu.fund;dinslips.se;kalkulator-oszczednosci.pl;wurmpower.at;drugdevice.org;foretprivee.ca;nurturingwisdom.com;funjose.org.gt;blgr.be;readberserk.com;lescomtesdemean.be;firstpaymentservices.com;malychanieruchomoscipremium.com;travelffeine.com;latribuessentielle.com;lusak.at;better.town;smessier.com;kafu.ch;ikads.org;id-et-d.fr;sanaia.com;prochain-voyage.net;edrcreditservices.nl;yassir.pro;gantungankunciakrilikbandung.com;moveonnews.com;bhwlawfirm.com;bigbaguettes.eu;edv-live.de;littlebird.salon;iyengaryogacharlotte.com;toponlinecasinosuk.co.uk;zonamovie21.net;caribdoctor.org;body-guards.it;calabasasdigest.com;elimchan.com;herbstfeststaefa.ch;thewellnessmimi.com;corola.es;pomodori-pizzeria.de;controldekk.com;lichencafe.com;lefumetdesdombes.com;seagatesthreecharters.com;copystar.co.uk;systemate.dk;alsace-first.com;webmaster-peloton.com;koko-nora.dk;jakekozmor.com;mousepad-direkt.de;iwelt.de;dirittosanitario.biz;precisionbevel.com;boulderwelt-muenchen-west.de;chatizel-paysage.fr;praxis-foerderdiagnostik.de;globedivers.wordpress.com;nosuchthingasgovernment.com;neuschelectrical.co.za;schmalhorst.de;mediaclan.info;ihr-news.jp;bunburyfreightservices.com.au;edelman.jp;backstreetpub.com;spsshomeworkhelp.com;lillegrandpalais.com;smithmediastrategies.com;enovos.de;loprus.pl;bsaship.com;importardechina.info;shhealthlaw.com;freie-baugutachterpraxis.de;maxadams.london;deprobatehelp.com;baylegacy.com;deltacleta.cat;financescorecard.com;maureenbreezedancetheater.org;plv.media;winrace.no;leoben.at;pawsuppetlovers.com;tuuliautio.fi;paradicepacks.com;1team.es;testcoreprohealthuk.com;broseller.com;iyahayki.nl;lorenacarnero.com;satyayoga.de;notmissingout.com;chavesdoareeiro.com;mezhdu-delom.ru;hugoversichert.de;jusibe.com;imaginado.de;craftleathermnl.com;sauschneider.info;atalent.fi;conexa4papers.trade;global-kids.info;serce.info.pl;agence-referencement-naturel-geneve.net;zimmerei-fl.de;augenta.com;fannmedias.com;villa-marrakesch.de;ulyssemarketing.com;x-ray.ca;schraven.de;bowengroup.com.au;sairaku.net;southeasternacademyofprosthodontics.org;modamilyon.com;pubweb.carnet.hr;alysonhoward.com;sahalstore.com;triactis.com;panelsandwichmadrid.es;xn--vrftet-pua.biz;adoptioperheet.fi;miriamgrimm.de;filmstreamingvfcomplet.be;kostenlose-webcams.com;deoudedorpskernnoordwijk.nl;live-your-life.jp;mardenherefordshire-pc.gov.uk;instatron.net;mirjamholleman.nl;euro-trend.pl;kojima-shihou.com;nuzech.com;basisschooldezonnewijzer.nl;quemargrasa.net;actecfoundation.org;gamesboard.info;podsosnami.ru;extensionmaison.info;retroearthstudio.com;polzine.net;hmsdanmark.dk;linnankellari.fi;schoellhammer.com;elpa.se;mooreslawngarden.com;rozemondcoaching.nl;lenreactiv-shop.ru;uranus.nl;advokathuset.dk;ora-it.de;love30-chanko.com;smartypractice.com;rebeccarisher.com;cafemattmeera.com;bargningavesta.se;www1.proresult.no;rhinosfootballacademy.com;polychromelabs.com;notsilentmd.org;makeflowers.ru;zimmerei-deboer.de;ccpbroadband.com;iwr.nl;wychowanieprzedszkolne.pl;greenpark.ch;bimnapratica.com;lachofikschiet.nl;memaag.com;parking.netgateway.eu;tanzschule-kieber.de;antiaginghealthbenefits.com;simulatebrain.com;digi-talents.com;hairnetty.wordpress.com;samnewbyjax.com;helikoptervluchtnewyork.nl;devlaur.com;cimanchesterescorts.co.uk;houseofplus.com;rushhourappliances.com;pelorus.group;kedak.de;lapmangfpt.info.vn;pivoineetc.fr;marchand-sloboda.com;anybookreader.de;markelbroch.com;celularity.com;rafaut.com;unim.su;latestmodsapks.com;thedresserie.com;bigasgrup.com;slimidealherbal.com;phantastyk.com;thailandholic.com;tophumanservicescourses.com;aakritpatel.com;navyfederalautooverseas.com;wien-mitte.co.at;forestlakeuca.org.au;sporthamper.com;psnacademy.in;michaelsmeriglioracing.com;jbbjw.com;colorofhorses.com;iqbalscientific.com;cleliaekiko.online;stemplusacademy.com;effortlesspromo.com;microcirc.net;mbfagency.com;theduke.de;drinkseed.com;troegs.com;peterstrobos.com;consultaractadenacimiento.com;huissier-creteil.com;geoffreymeuli.com;skanah.com;despedidascostablanca.es;alten-mebel63.ru;theadventureedge.com;profectis.de;mepavex.nl;rimborsobancario.net;pasvenska.se;tampaallen.com;symphonyenvironmental.com;videomarketing.pro;pickanose.com;licor43.de;aniblinova.wordpress.com;ventti.com.ar;hhcourier.com;buymedical.biz;oncarrot.com;nachhilfe-unterricht.com;mapawood.com;vox-surveys.com;milsing.hr;sotsioloogia.ee;nativeformulas.com;kirkepartner.dk;partnertaxi.sk;visiativ-industry.fr;transliminaltribe.wordpress.com;chefdays.de;cursosgratuitosnainternet.com;faronics.com;d2marketing.co.uk;lapinlviasennus.fi;miraclediet.fun;bristolaeroclub.co.uk;jameskibbie.com;songunceliptv.com;baronloan.org;idemblogs.com;eglectonk.online;christinarebuffetcourses.com;bastutunnan.se;blogdecachorros.com;finde-deine-marke.de;platformier.com;antenanavi.com;vanswigchemdesign.com;gporf.fr;pmc-services.de;atmos-show.com;danholzmann.com;itelagen.com;transportesycementoshidalgo.es;gymnasedumanagement.com;siluet-decor.ru;gasbarre.com;milltimber.aberdeen.sch.uk;tinkoff-mobayl.ru;expandet.dk;rumahminangberdaya.com;polymedia.dk;newyou.at;zenderthelender.com;artallnightdc.com;tomaso.gr;centrospgolega.com;sweering.fr;tux-espacios.com;ecopro-kanto.com;spacecitysisters.org;bierensgebakkramen.nl;all-turtles.com;coffreo.biz;tandartspraktijkheesch.nl;vietlawconsultancy.com;deko4you.at;tennisclubetten.nl;extraordinaryoutdoors.com;crowcanyon.com;classycurtainsltd.co.uk;apolomarcas.com;verytycs.com;manijaipur.com;veybachcenter.de;falcou.fr;associationanalytics.com;beautychance.se;pocket-opera.de;christ-michael.net;vdberg-autoimport.nl;4net.guru;finediningweek.pl;stampagrafica.es;naturalrapids.com;ussmontanacommittee.us;beaconhealthsystem.org;upplandsspar.se;tradiematepro.com.au;oneplusresource.org;maasreusel.nl;aodaichandung.com;campus2day.de;burkert-ideenreich.de;you-bysia.com.au;mediaacademy-iraq.org;xtptrack.com;eaglemeetstiger.de;mountaintoptinyhomes.com;stemenstilte.nl;noskierrenteria.com;ivfminiua.com;biapi-coaching.fr;art2gointerieurprojecten.nl;corendonhotels.com;ditog.fr;kadesignandbuild.co.uk;abogadosaccidentetraficosevilla.es;camsadviser.com;limassoldriving.com;worldhealthbasicinfo.com;kojinsaisei.info;schmalhorst.de;bigler-hrconsulting.ch;girlillamarketing.com;xn--rumung-bua.online;naturstein-hotte.de;agence-chocolat-noir.com;stormwall.se;collaborativeclassroom.org;baptisttabernacle.com;streamerzradio1.site;mooglee.com;smart-light.co.uk;fitovitaforum.com;c2e-poitiers.com;igrealestate.com;wari.com.pe;takeflat.com;logopaedie-blomberg.de;mrsplans.net;mooshine.com;humanityplus.org;otsu-bon.com;onlyresultsmarketing.com;interactcenter.org;ungsvenskarna.se;35-40konkatsu.net;zzyjtsgls.com;spectrmash.ru;tenacitytenfold.com;torgbodenbollnas.se;drnice.de;lightair.com;huesges-gruppe.de;promalaga.es;paulisdogshop.de;hotelsolbh.com.br;julis-lsa.de;myteamgenius.com;darnallwellbeing.org.uk;refluxreducer.com;educar.org;kuntokeskusrok.fi;truenyc.co;comparatif-lave-linge.fr;frontierweldingllc.com;autodemontagenijmegen.nl;spylista.com;allfortheloveofyou.com;ilso.net;corona-handles.com;micahkoleoso.de;fairfriends18.de;haremnick.com;ecoledansemulhouse.fr;blewback.com;macabaneaupaysflechois.com;osterberg.fi;surespark.org.uk;stupbratt.no;hokagestore.com;mirkoreisser.de;tomoiyuma.com;tigsltd.com;manifestinglab.com;glennroberts.co.nz;hardinggroup.com;zso-mannheim.de;yousay.site;dublikator.com;oneheartwarriors.at;pointos.com;kenhnoithatgo.com;ausbeverage.com.au;testzandbakmetmening.online;grupocarvalhoerodrigues.com.br;werkkring.nl;hotelzentral.at;vibethink.net;123vrachi.ru;allure-cosmetics.at;mrxermon.de;bloggyboulga.net;bouldercafe-wuppertal.de;sobreholanda.com;smogathon.com;beyondmarcomdotcom.wordpress.com;wraithco.com;bookspeopleplaces.com;montrium.com;webcodingstudio.com;lucidinvestbank.com;ncs-graphic-studio.com;stingraybeach.com;aglend.com.au;lecantou-coworking.com;tongdaifpthaiphong.net;solerluethi-allart.ch;coursio.com;otto-bollmann.de;madinblack.com;vibehouse.rw;bridgeloanslenders.com;erstatningsadvokaterne.dk;resortmtn.com;socstrp.org;pier40forall.org;ostheimer.at;quickyfunds.com;aminaboutique247.com;jobcenterkenya.com;jenniferandersonwriter.com;marcuswhitten.site;mediaplayertest.net;irinaverwer.com;stoeberstuuv.de;lebellevue.fr;the-virtualizer.com;outcomeisincome.com;gonzalezfornes.es;kunze-immobilien.de;myhealth.net.au;helenekowalsky.com;xn--fn-kka.no;withahmed.com;simplyblessedbykeepingitreal.com;havecamerawilltravel2017.wordpress.com;muamuadolls.com;balticdentists.com;mank.de;croftprecision.co.uk;jandaonline.com;datacenters-in-europe.com;gw2guilds.org;raschlosser.de;geekwork.pl;pv-design.de;opatrovanie-ako.sk;ausair.com.au;commonground-stories.com;parebrise-tla.fr;vloeren-nu.nl;conasmanagement.de;dlc.berlin;liveottelut.com;4youbeautysalon.com;lykkeliv.net;adultgamezone.com;hexcreatives.co;citymax-cr.com;portoesdofarrobo.com;patrickfoundation.net;tonelektro.nl;atozdistribution.co.uk;urclan.net;evergreen-fishing.com;body-armour.online;nsec.se;autopfand24.de;syndikat-asphaltfieber.de;yourobgyn.net;vihannesporssi.fi;new.devon.gov.uk;teczowadolina.bytom.pl;antonmack.de;dpo-as-a-service.com;pogypneu.sk;creative-waves.co.uk;htchorst.nl;xn--fnsterputssollentuna-39b.se;norpol-yachting.com;parkstreetauto.net;sloverse.com;candyhouseusa.com;tsklogistik.eu;smejump.co.th;diversiapsicologia.es;unetica.fr;drfoyle.com;cranleighscoutgroup.org;dekkinngay.com;n1-headache.com;amerikansktgodis.se;evangelische-pfarrgemeinde-tuniberg.de;fransespiegels.nl;coastalbridgeadvisors.com;qualitaetstag.de;kath-kirche-gera.de;alhashem.net;schutting-info.nl;2ekeus.nl;berlin-bamboo-bikes.org;minipara.com;blood-sports.net;milestoneshows.com;physiofischer.de;ontrailsandboulevards.com;babcockchurch.org;healthyyworkout.com;plantag.de;krcove-zily.eu;mylolis.com;fax-payday-loans.com;praxis-management-plus.de;smokeysstoves.com;longislandelderlaw.com;calxplus.eu;mountsoul.de;dubscollective.com;luckypatcher-apkz.com;epwritescom.wordpress.com;fundaciongregal.org;klusbeter.nl;jobmap.at;oldschoolfun.net;abl1.net;labobit.it;romeguidedvisit.com;carrybrands.nl;people-biz.com;blossombeyond50.com;theclubms.com;whittier5k.com;jolly-events.com;kisplanning.com.au;rostoncastings.co.uk;ravensnesthomegoods.com;nhadatcanho247.com;vetapharma.fr;hihaho.com;tulsawaterheaterinstallation.com;purposeadvisorsolutions.com;faizanullah.com;directwindowco.com;herbayupro.com;pay4essays.net;work2live.de;stoneys.ch;webhostingsrbija.rs;lange.host;baustb.de;psa-sec.de;hushavefritid.dk;lloydconstruction.com;ra-staudte.de;mbxvii.com;tecnojobsnet.com;starsarecircular.org;twohourswithlena.wordpress.com;stoeferlehalle.de;merzi.info;garage-lecompte-rouen.fr;hypozentrum.com;nestor-swiss.ch;thomasvicino.com;kmbshipping.co.uk;denovofoodsgroup.com;planchaavapor.net;dr-pipi.de;qlog.de;lynsayshepherd.co.uk;aco-media.nl;abogadoengijon.es;bestbet.com;liliesandbeauties.org;norovirus-ratgeber.de;thee.network;stacyloeb.com;bundabergeyeclinic.com.au;sandd.nl;americafirstcommittee.org;milanonotai.it;kevinjodea.com;easytrans.com.au;westdeptfordbuyrite.com;carriagehousesalonvt.com;operaslovakia.sk;corelifenutrition.com;hashkasolutindo.com;compliancesolutionsstrategies.com;edgewoodestates.org;mastertechengineering.com;pinkexcel.com;cnoia.org;aprepol.com;rieed.de;katketytaanet.fi;lascuola.nl;assurancesalextrespaille.fr;paymybill.guru;xoabigail.com;ligiercenter-sachsen.de;answerstest.ru;airconditioning-waalwijk.nl;pixelarttees.com;freie-gewerkschaften.de;dnepr-beskid.com.ua;eco-southafrica.com;dutchcoder.nl;iphoneszervizbudapest.hu;allentownpapershow.com;bingonearme.org;summitmarketingstrategies.com;completeweddingkansas.com;wolf-glas-und-kunst.de;employeesurveys.com;scenepublique.net;monark.com;seitzdruck.com;alvinschwartz.wordpress.com;knowledgemuseumbd.com;spd-ehningen.de;boosthybrid.com.au;launchhubl.com;revezlimage.com;dontpassthepepper.com;petnest.ir;associacioesportivapolitg.cat;12starhd.online;jerling.de;kaotikkustomz.com;sarbatkhalsafoundation.org;solinegraphic.com;skiltogprint.no;craigmccabe.fun;puertamatic.es;mylovelybluesky.com;run4study.com;pierrehale.com;cactusthebrand.com;101gowrie.com;nicoleaeschbachorg.wordpress.com;architekturbuero-wagner.net;mindpackstudios.com;vitavia.lt;bouncingbonanza.com;lukeshepley.wordpress.com;igfap.com;bockamp.com;levihotelspa.fi;exenberger.at;tinyagency.com;familypark40.com;alfa-stroy72.com;boompinoy.com;mdacares.com;architecturalfiberglass.org;slupetzky.at;sinal.org;qualitus.com;deepsouthclothingcompany.com;groupe-frayssinet.fr;synlab.lt;kamienny-dywan24.pl;ilcdover.com;humancondition.com;insigniapmg.com;arteservicefabbro.com;team-montage.dk;iviaggisonciliegie.it;austinlchurch.com;rehabilitationcentersinhouston.net;zervicethai.co.th;vickiegrayimages.com;ziegler-praezisionsteile.de;crediacces.com;comarenterprises.com;courteney-cox.net;trapiantofue.it;space.ua;odiclinic.org;noesis.tech;urmasiimariiuniri.ro;8449nohate.org;xltyu.com;kikedeoliveira.com;remcakram.com;degroenetunnel.com;strandcampingdoonbeg.com;haar-spange.com;pmcimpact.com;ceid.info.tr;gemeentehetkompas.nl;stopilhan.com;dareckleyministries.com;sportverein-tambach.de;ivivo.es;braffinjurylawfirm.com;pcprofessor.com;bordercollie-nim.nl;hrabritelefon.hr;ctrler.cn;makeitcount.at;foryourhealth.live;seproc.hn;ianaswanson.com;nijaplay.com;brandl-blumen.de;lubetkinmediacompanies.com;ouryoungminds.wordpress.com;micro-automation.de;apprendrelaudit.com;securityfmm.com;geisterradler.de;morawe-krueger.de;nmiec.com;sla-paris.com;figura.team;vitalyscenter.es;jvanvlietdichter.nl;crosspointefellowship.church;handi-jack-llc.com;femxarxa.cat;wsoil.com.sg;xlarge.at;groupe-cets.com;admos-gleitlager.de;liikelataamo.fi;sevenadvertising.com;nancy-informatique.fr;ateliergamila.com;stefanpasch.me;wacochamber.com;aurum-juweliere.de;hatech.io;centuryrs.com;ilive.lt;fensterbau-ziegler.de;zflas.com;thefixhut.com;goodgirlrecovery.com;botanicinnovations.com;saxtec.com;tips.technology;smalltownideamill.wordpress.com;pt-arnold.de;tarotdeseidel.com;bildungsunderlebnis.haus;brevitempore.net;imadarchid.com;sportiomsportfondsen.nl;digivod.de;darrenkeslerministries.com;smhydro.com.pl;echtveilig.nl;schlafsack-test.net;galserwis.pl;eraorastudio.com;faroairporttransfers.net;connectedace.com;pcp-nc.com;jyzdesign.com;suncrestcabinets.ca;offroadbeasts.com;teresianmedia.org;greenfieldoptimaldentalcare.com;thomas-hospital.de;embracinghiscall.com;ralister.co.uk;rosavalamedahr.com;quizzingbee.com;richard-felix.co.uk;sipstroysochi.ru;todocaracoles.com;shiftinspiration.com;campusoutreach.org;bodyforwife.com;katiekerr.co.uk;sportsmassoren.com;trystana.com;ino-professional.ru;slashdb.com;selfoutlet.com;personalenhancementcenter.com;proudground.org;walkingdeadnj.com;d1franchise.com;anthonystreetrimming.com;forskolorna.org;brawnmediany.com;uimaan.fi;journeybacktolife.com;pferdebiester.de;kao.at;asteriag.com;hvccfloorcare.com;parks-nuernberg.de;div-vertriebsforschung.de;centromarysalud.com;asiluxury.com;chrissieperry.com;verbisonline.com;onlybacklink.com;radaradvies.nl;daklesa.de;sagadc.com;waveneyrivercentre.co.uk;mytechnoway.com;fitnessbazaar.com;fibrofolliculoma.info;fayrecreations.com;maryloutaylor.com;whyinterestingly.ru;maratonaclubedeportugal.com;maineemploymentlawyerblog.com;kosterra.com;blumenhof-wegleitner.at;punchbaby.com;wmiadmin.com;bxdf.info;harveybp.com;vermoote.de;johnsonfamilyfarmblog.wordpress.com;plastidip.com.ar;autofolierung-lu.de;highimpactoutdoors.net;cwsitservices.co.uk;hairstylesnow.site;mymoneyforex.com;victoriousfestival.co.uk;farhaani.com;web.ion.ag;simoneblum.de;carolinepenn.com;blacksirius.de;trackyourconstruction.com;naturavetal.hr;heliomotion.com;rollingrockcolumbia.com;judithjansen.com;poultrypartners.nl;mirjamholleman.nl;baumkuchenexpo.jp;insidegarage.pl;irishmachineryauctions.com;intecwi.com;porno-gringo.com;penco.ie;jacquin-maquettes.com;anteniti.com;hebkft.hu;ftlc.es;dutchbrewingcoffee.com;behavioralmedicinespecialists.com;socialonemedia.com;cirugiauretra.es;c-a.co.in;nokesvilledentistry.com;chandlerpd.com;aunexis.ch;gmto.fr;berliner-versicherungsvergleich.de;jsfg.com;vesinhnha.com.vn;joyeriaorindia.com;greenko.pl;cerebralforce.net;rota-installations.co.uk;presseclub-magdeburg.de;yamalevents.com;renergysolution.com;roygolden.com;verifort-capital.de;delawarecorporatelaw.com;jiloc.com;icpcnj.org;1kbk.com.ua;noixdecocom.fr;entopic.com;hellohope.com;flexicloud.hk;danielblum.info;thaysa.com;mdk-mediadesign.de;nataschawessels.com;smale-opticiens.nl;charlesreger.com;kaliber.co.jp;almosthomedogrescue.dog;reddysbakery.com;waynela.com;ahouseforlease.com;binder-buerotechnik.at;happyeasterimages.org;dr-tremel-rednitzhembach.de;mikeramirezcpa.com;zweerscreatives.nl;dramagickcom.wordpress.com;commercialboatbuilding.com;argenblogs.com.ar;heurigen-bauer.at;ogdenvision.com;gadgetedges.com;izzi360.com;turkcaparbariatrics.com;spargel-kochen.de;pridoxmaterieel.nl;heidelbergartstudio.gallery;ftf.or.at;kaminscy.com;filmvideoweb.com;meusharklinithome.wordpress.com;xn--thucmctc-13a1357egba.com;tstaffing.nl;abogadosadomicilio.es;igorbarbosa.com;homesdollar.com;ncuccr.org;caffeinternet.it;abogados-en-alicante.es;evologic-technologies.com;oslomf.no;desert-trails.com;gastsicht.de;nvwoodwerks.com;slwgs.org;vorotauu.ru;lionware.de;bodyfulls.com;myhostcloud.com;amylendscrestview.com;bptdmaluku.com;bogdanpeptine.ro;perbudget.com;strategicstatements.com;simpliza.com;innote.fi;365questions.org;sanyue119.com;walter-lemm.de;cuppacap.com;teknoz.net;layrshift.eu;blog.solutionsarchitect.guru;parkcf.nl;themadbotter.com;upmrkt.co;modelmaking.nl;nandistribution.nl;ledmes.ru;coding-marking.com;sachnendoc.com;thedad.com;mercantedifiori.com;artotelamsterdam.com;plotlinecreative.com;bauertree.com;woodleyacademy.org;dw-css.de;leda-ukraine.com.ua;destinationclients.fr;jasonbaileystudio.com;cheminpsy.fr;devstyle.org;kindersitze-vergleich.de;live-con-arte.de;bee4win.com;fiscalsort.com;jeanlouissibomana.com;huehnerauge-entfernen.de;eadsmurraypugh.com;fotoscondron.com;DupontSellsHomes.com;brigitte-erler.com;imperfectstore.com;shonacox.com;nacktfalter.de;devok.info;esope-formation.fr;mariposapropaneaz.com;sw1m.ru;mrtour.site;hannah-fink.de;bafuncs.org;kampotpepper.gives;ampisolabergeggi.it;cuspdental.com;philippedebroca.com;abitur-undwieweiter.de;hoteledenpadova.it;tanciu.com;delchacay.com.ar;cortec-neuro.com;theshungiteexperience.com.au;deschl.net;biortaggivaldelsa.com;fitnessingbyjessica.com;dsl-ip.de;officehymy.com;shadebarandgrillorlando.com;bargningharnosand.se;mmgdouai.fr;daniel-akermann-architektur-und-planung.ch;xn--logopdie-leverkusen-kwb.de;buroludo.nl;ymca-cw.org.uk;executiveairllc.com;allamatberedare.se;servicegsm.net;kingfamily.construction;nakupunafoundation.org;henricekupper.com;shsthepapercut.com;lbcframingelectrical.com;ladelirante.fr;clos-galant.com;dr-seleznev.com;siliconbeach-realestate.com;tanzprojekt.com;fatfreezingmachines.com;kamahouse.net;gratispresent.se;softsproductkey.com;marathonerpaolo.com;gopackapp.com;manutouchmassage.com;marketingsulweb.com;craigvalentineacademy.com;catholicmusicfest.com;gaiam.nl;woodworkersolution.com;pasivect.co.uk;cyntox.com;advizewealth.com;y-archive.com;saarland-thermen-resort.com;fizzl.ru;oemands.dk;mrsfieldskc.com;levdittliv.se;rksbusiness.com;sexandfessenjoon.wordpress.com;first-2-aid-u.com;simpkinsedwards.co.uk;the-domain-trader.com;rocketccw.com;celeclub.org;urist-bogatyr.ru;lapinvihreat.fi;ecpmedia.vn;zieglerbrothers.de;piajeppesen.dk;joseconstela.com;carlosja.com;real-estate-experts.com;toreria.es;analiticapublica.es;kariokids.com;leeuwardenstudentcity.nl;psc.de;tetinfo.in;ai-spt.jp;homng.net;em-gmbh.ch;trulynolen.co.uk;oceanastudios.com;csgospeltips.se;luxurytv.jp;abuelos.com;birnam-wood.com;theletter.company;bbsmobler.se;restaurantesszimmer.de;insp.bi;besttechie.com;autodujos.lt;chaotrang.com;galleryartfair.com;321play.com.hk;saka.gr;tandartspraktijkhartjegroningen.nl;steampluscarpetandfloors.com;waermetauscher-berechnen.de;sterlingessay.com;justinvieira.com;waywithwords.net;shiresresidential.com;naswrrg.org;spinheal.ru;slimani.net;modestmanagement.com;triggi.de;cityorchardhtx.com;narcert.com",
  "dbg": false,
  "pid": "$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq",
  "nbody": "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",
  "et": 0,
  "wipe": true,
  "wfld": ["backup"],
  "rdmcnt": 0,
  "nname": "{EXT}-readme.txt",
  "pk": "9/AgyLvWEviWbvuayR2k0Q140e9LZJ5hwrmto/zCyFM=",
  "net": false,
  "exp": false,
  "arn": false
}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
revil.exe | APT_MAL_REvil_Kaseya_Jul21_2 | Detects malware used in the Kaseya supply chain attack | Florian Roth
  • 0x176ba:$opa1: 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08
  • 0x176b7:$opa2: 89 45 F0 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00
  • 0x176bd:$opa3: 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08 0F B6 14 01
  • 0x17679:$opa4: 89 45 F4 8B 0D 10 20 07 10 89 4D F8 8B 15 48 21 07 10 89 55 FC FF 75 FC FF 75 F8 FF 55 F4
  • 0x17f0d:$opb1: 18 00 10 BD 18 00 10 BD 18 00 10 0E 19 00 10 CC CC CC
  • 0x17f15:$opb2: 18 00 10 0E 19 00 10 CC CC CC CC 8B 44 24 04
  • 0x17f0b:$opb3: 10 C4 18 00 10 BD 18 00 10 BD 18 00 10 0E 19 00 10 CC CC

Dropped Files

Source | Rule | Description | Author | Strings
C:\Windows\mpsvc.dll | APT_MAL_REvil_Kaseya_Jul21_2 | Detects malware used in the Kaseya supply chain attack | Florian Roth
  • 0x52a:$opa1: 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08
  • 0x527:$opa2: 89 45 F0 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00
  • 0x52d:$opa3: 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08 0F B6 14 01
  • 0x4e9:$opa4: 89 45 F4 8B 0D 10 20 07 10 89 4D F8 8B 15 48 21 07 10 89 55 FC FF 75 FC FF 75 F8 FF 55 F4
  • 0xd7d:$opb1: 18 00 10 BD 18 00 10 BD 18 00 10 0E 19 00 10 CC CC CC
  • 0xd85:$opb2: 18 00 10 0E 19 00 10 CC CC CC CC 8B 44 24 04
  • 0xd7b:$opb3: 10 C4 18 00 10 BD 18 00 10 BD 18 00 10 0E 19 00 10 CC CC

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.917270010.0000000000F60000.00000040.00000001.sdmp | MAL_RANSOM_REvil_Oct20_1 | Detects REvil ransomware | Florian Roth
  • 0x5cab:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0xad3f:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0xb32b:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0xa564:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0xad2e:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F
00000001.00000002.917636237.00000000029A0000.00000040.00000001.sdmp | MAL_RANSOM_REvil_Oct20_1 | Detects REvil ransomware | Florian Roth
  • 0x61af:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0xb243:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0xb82f:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0xaa68:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0xb232:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F
00000001.00000003.649759193.00000000033F8000.00000004.00000040.sdmp | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security
00000001.00000003.650121407.00000000033F8000.00000004.00000040.sdmp | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security
00000001.00000003.649936181.00000000033F8000.00000004.00000040.sdmp | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        0.2.revil.exe.17a790.1.raw.unpackAPT_MAL_REvil_Kaseya_Jul21_2Detects malware used in the Kaseya supply chain attackFlorian Roth
        • 0x52a:$opa1: 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08
        • 0x527:$opa2: 89 45 F0 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00
        • 0x52d:$opa3: 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08 0F B6 14 01
        • 0x4e9:$opa4: 89 45 F4 8B 0D 10 20 07 10 89 4D F8 8B 15 48 21 07 10 89 55 FC FF 75 FC FF 75 F8 FF 55 F4
        • 0xd7d:$opb1: 18 00 10 BD 18 00 10 BD 18 00 10 0E 19 00 10 CC CC CC
        • 0xd85:$opb2: 18 00 10 0E 19 00 10 CC CC CC CC 8B 44 24 04
        • 0xd7b:$opb3: 10 C4 18 00 10 BD 18 00 10 BD 18 00 10 0E 19 00 10 CC CC
        1.2.MsMpEng.exe.6d4c0000.3.unpackAPT_MAL_REvil_Kaseya_Jul21_2Detects malware used in the Kaseya supply chain attackFlorian Roth
        • 0x52a:$opa1: 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08
        • 0x527:$opa2: 89 45 F0 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00
        • 0x52d:$opa3: 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08 0F B6 14 01
0.2.revil.exe.1750c0.2.raw.unpack | APT_MAL_REvil_Kaseya_Jul21_2 | Detects malware used in the Kaseya supply chain attack | Florian Roth
        • 0x5bfa:$opa1: 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08
        • 0x5bf7:$opa2: 89 45 F0 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00
        • 0x5bfd:$opa3: 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08 0F B6 14 01
        • 0x5bb9:$opa4: 89 45 F4 8B 0D 10 20 07 10 89 4D F8 8B 15 48 21 07 10 89 55 FC FF 75 FC FF 75 F8 FF 55 F4
        • 0x644d:$opb1: 18 00 10 BD 18 00 10 BD 18 00 10 0E 19 00 10 CC CC CC
        • 0x6455:$opb2: 18 00 10 0E 19 00 10 CC CC CC CC 8B 44 24 04
        • 0x644b:$opb3: 10 C4 18 00 10 BD 18 00 10 BD 18 00 10 0E 19 00 10 CC CC
0.0.revil.exe.1750c0.2.raw.unpack | APT_MAL_REvil_Kaseya_Jul21_2 | Detects malware used in the Kaseya supply chain attack | Florian Roth
        • 0x5bfa:$opa1: 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08
        • 0x5bf7:$opa2: 89 45 F0 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00
        • 0x5bfd:$opa3: 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08 0F B6 14 01
        • 0x5bb9:$opa4: 89 45 F4 8B 0D 10 20 07 10 89 4D F8 8B 15 48 21 07 10 89 55 FC FF 75 FC FF 75 F8 FF 55 F4
        • 0x644d:$opb1: 18 00 10 BD 18 00 10 BD 18 00 10 0E 19 00 10 CC CC CC
        • 0x6455:$opb2: 18 00 10 0E 19 00 10 CC CC CC CC 8B 44 24 04
        • 0x644b:$opb3: 10 C4 18 00 10 BD 18 00 10 BD 18 00 10 0E 19 00 10 CC CC
0.0.revil.exe.17a790.1.raw.unpack | APT_MAL_REvil_Kaseya_Jul21_2 | Detects malware used in the Kaseya supply chain attack | Florian Roth
        • 0x52a:$opa1: 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08
        • 0x527:$opa2: 89 45 F0 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00
        • 0x52d:$opa3: 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08 0F B6 14 01
        • 0x4e9:$opa4: 89 45 F4 8B 0D 10 20 07 10 89 4D F8 8B 15 48 21 07 10 89 55 FC FF 75 FC FF 75 F8 FF 55 F4
        • 0xd7d:$opb1: 18 00 10 BD 18 00 10 BD 18 00 10 0E 19 00 10 CC CC CC
        • 0xd85:$opb2: 18 00 10 0E 19 00 10 CC CC CC CC 8B 44 24 04
        • 0xd7b:$opb3: 10 C4 18 00 10 BD 18 00 10 BD 18 00 10 0E 19 00 10 CC CC

        Sigma Overview

        System Summary:

Sigma detected: Executable Used by PlugX in Uncommon Location
Source: Process started | Author: Florian Roth: Data: Command: C:\Windows\MsMpEng.exe, CommandLine: C:\Windows\MsMpEng.exe, CommandLine|base64offset|contains: , Image: C:\Windows\MsMpEng.exe, NewProcessName: C:\Windows\MsMpEng.exe, OriginalFileName: C:\Windows\MsMpEng.exe, ParentCommandLine: 'C:\Users\user\Desktop\revil.exe' , ParentImage: C:\Users\user\Desktop\revil.exe, ParentProcessId: 6960, ProcessCommandLine: C:\Windows\MsMpEng.exe, ProcessId: 6972

        Signature Overview


        AV Detection:

Found malware configuration
Source: MsMpEng.exe.6972.1.memstr | Malware Configuration Extractor: Sodinokibi
{"prc": ["encsvc", "powerpnt", "ocssd", "steam", "isqlplussvc", "outlook", "sql", "ocomm", "agntsvc", "mspub", "onenote", "winword", "thebat", "excel", "mydesktopqos", "ocautoupds", "thunderbird", "synctime", "infopath", "mydesktopservice", "firefox", "oracle", "sqbcoreservice", "dbeng50", "tbirdconfig", "msaccess", "visio", "dbsnmp", "wordpad", "xfssvccon"],
 "sub": "8254",
 "svc": ["veeam", "memtas", "sql", "backup", "vss", "sophos", "svc$", "mepocs"],
 "wht": {"ext": ["ps1", "ldf", "lock", "theme", "msi", "sys", "wpx", "cpl", "adv", "msc", "scr", "bat", "key", "ico", "dll", "hta", "deskthemepack", "nomedia", "msu", "rtp", "msp", "idx", "ani", "386", "diagcfg", "bin", "mod", "ics", "com", "hlp", "spl", "nls", "cab", "exe", "diagpkg", "icl", "ocx", "rom", "prf", "themepack", "msstyles", "lnk", "icns", "mpa", "drv", "cur", "diagcab", "cmd", "shs"],
         "fls": ["ntldr", "thumbs.db", "bootsect.bak", "autorun.inf", "ntuser.dat.log", "boot.ini", "iconcache.db", "bootfont.bin", "ntuser.dat", "ntuser.ini", "desktop.ini"],
         "fld": ["program files", "appdata", "mozilla", "$windows.~ws", "application data", "$windows.~bt", "google", "$recycle.bin", "windows.old", "programdata", "system volume information", "program files (x86)", "boot", "tor browser", "windows", "intel", "perflogs", "msocache"]},
 "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA",
 "dmn":
"boisehosting.net;fotoideaymedia.es;dubnew.com;stallbyggen.se;koken-voor-baby.nl;juneauopioidworkgroup.org;vancouver-print.ca;zewatchers.com;bouquet-de-roses.com;seevilla-dr-sturm.at;olejack.ru;i-trust.dk;wasmachtmeinfonds.at;appsformacpc.com;friendsandbrgrs.com;thenewrejuveme.com;xn--singlebrsen-vergleich-nec.com;sabel-bf.com;seminoc.com;ceres.org.au;cursoporcelanatoliquido.online;marietteaernoudts.nl;tastewilliamsburg.com;charlottepoudroux-photographie.fr;aselbermachen.com;klimt2012.info;accountancywijchen.nl;creamery201.com;rerekatu.com;makeurvoiceheard.com;vannesteconstruct.be;wellplast.se;andersongilmour.co.uk;bradynursery.com;aarvorg.com;facettenreich27.de;balticdermatology.lt;artige.com;highlinesouthasc.com;crowd-patch.co.uk;sofavietxinh.com;jorgobe.at;danskretursystem.dk;higadograsoweb.com;supportsumba.nl;ruralarcoiris.com;projetlyonturin.fr;kidbucketlist.com.au;harpershologram.wordpress.com;ohidesign.com;international-sound-awards.com;krlosdavid.com;durganews.com;leather-factory.co.jp;coding-machine.com;i-arslan.de;caribbeansunpoker.com;mir-na-iznanku.com;ki-lowroermond.nl;promesapuertorico.com;kissit.ca;dezatec.es;cite4me.org;grelot-home.com;musictreehouse.net;hkr-reise.de;id-vet.com;gasolspecialisten.se;vyhino-zhulebino-24.ru;karacaoglu.nl;bayoga.co.uk;solhaug.tk;jadwalbolanet.info;ncid.bc.ca;bricotienda.com;boldcitydowntown.com;homecomingstudio.com;sojamindbody.com;castillobalduz.es;asgestion.com;dushka.ua;hiddencityse
Multi AV Scanner detection for dropped file
Source: C:\Windows\mpsvc.dll | Metadefender: Detection: 14%
Source: C:\Windows\mpsvc.dll | ReversingLabs: Detection: 30%
Multi AV Scanner detection for submitted file
Source: revil.exe | Virustotal: Detection: 47%
Source: revil.exe | Metadefender: Detection: 14%
Source: revil.exe | ReversingLabs: Detection: 15%
Source: 0.0.revil.exe.160000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen5
Source: 0.2.revil.exe.160000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen5
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_029A5B96 CryptAcquireContextW,CryptGenRandom
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_029A6491 CryptStringToBinaryW,CryptStringToBinaryW
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_029A64F2 CryptBinaryToStringW,CryptBinaryToStringW
Source: revil.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\MsMpEng.exe | Directory created: c:\program files\tmp
Source: C:\Windows\MsMpEng.exe | Directory created: c:\program files\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: C:\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\program files\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\program files (x86)\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\recovery\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\program files (x86)\microsoft sql server\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\default\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\public\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\program files (x86)\microsoft sql server\110\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\default\desktop\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\default\documents\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\default\downloads\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\default\favorites\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\default\links\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\default\music\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\default\pictures\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\default\saved games\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\default\videos\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\3d objects\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\contacts\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\desktop\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\documents\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\downloads\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\favorites\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\links\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\microsoftedgebackups\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\music\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\onedrive\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\pictures\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\recent\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\saved games\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\searches\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\videos\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\public\accountpictures\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\public\desktop\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\public\documents\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\public\downloads\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\public\libraries\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\public\music\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\public\pictures\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\public\videos\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\program files (x86)\microsoft sql server\110\shared\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\desktop\akjimdeqmb\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\desktop\atjbemhssb\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\desktop\bufzsqpcoh\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\desktop\bwdrweeari\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\desktop\bwetzdqdib\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\desktop\evcmenbqhp\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\desktop\gnlqnholwb\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\desktop\hygztmobzn\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\desktop\izmfbfkmeb\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\desktop\kbiftjwhnz\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\desktop\whzagpppla\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\desktop\zuyydjdfvf\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\documents\atjbemhssb\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\documents\aztrjhkcvr\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\documents\bufzsqpcoh\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\documents\bwdrweeari\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\documents\bwetzdqdib\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\documents\byimnpjcrl\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\documents\evcmenbqhp\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\documents\gnlqnholwb\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\documents\izmfbfkmeb\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\documents\kbiftjwhnz\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\documents\whzagpppla\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\documents\zuyydjdfvf\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\favorites\links\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\microsoftedgebackups\backups\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\pictures\camera roll\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\microsoftedgebackups\backups\microsoftedgebackup20200930\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\microsoftedgebackups\backups\microsoftedgebackup20200930\datastorebackup\z4ra2w5g-readme.txt
Source: C:\Windows\MsMpEng.exe | File created: c:\users\user\microsoftedgebackups\backups\microsoftedgebackup20200930\protected - it is a violation of windows policy to modify\z4ra2w5g-readme.txt
Source: revil.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: MsMpEng.pdb source: revil.exe
Source: C:\Windows\MsMpEng.exe | File opened: z:
Source: C:\Windows\MsMpEng.exe | File opened: x:
Source: C:\Windows\MsMpEng.exe | File opened: v:
Source: C:\Windows\MsMpEng.exe | File opened: t:
Source: C:\Windows\MsMpEng.exe | File opened: r:
Source: C:\Windows\MsMpEng.exe | File opened: p:
Source: C:\Windows\MsMpEng.exe | File opened: n:
Source: C:\Windows\MsMpEng.exe | File opened: l:
Source: C:\Windows\MsMpEng.exe | File opened: j:
Source: C:\Windows\MsMpEng.exe | File opened: h:
Source: C:\Windows\MsMpEng.exe | File opened: f:
Source: C:\Windows\MsMpEng.exe | File opened: d:
Source: C:\Windows\MsMpEng.exe | File opened: b:
Source: C:\Windows\MsMpEng.exe | File opened: y:
Source: C:\Windows\MsMpEng.exe | File opened: w:
Source: C:\Windows\MsMpEng.exe | File opened: u:
Source: C:\Windows\MsMpEng.exe | File opened: s:
Source: C:\Windows\MsMpEng.exe | File opened: q:
Source: C:\Windows\MsMpEng.exe | File opened: o:
Source: C:\Windows\MsMpEng.exe | File opened: m:
Source: C:\Windows\MsMpEng.exe | File opened: k:
Source: C:\Windows\MsMpEng.exe | File opened: i:
Source: C:\Windows\MsMpEng.exe | File opened: g:
Source: C:\Windows\MsMpEng.exe | File opened: e:
Source: C:\Windows\SysWOW64\netsh.exe | File opened: c:
Source: C:\Windows\MsMpEng.exe | File opened: a:
Source: C:\Users\user\Desktop\revil.exe | Code function: 0_2_0016529F FindFirstFileExW
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_029A8122 FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose

        Networking:

Found Tor onion address
Source: MsMpEng.exe, 00000001.00000003.650047553.000000000337C000.00000004.00000040.sdmp | String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
Source: MsMpEng.exe, 00000001.00000002.918179147.000000000337C000.00000004.00000040.sdmp | String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3C6DAF927BB6748F
Source: z4ra2w5g-readme.txt46.1.dr | String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3C6DAF927BB6748F
Source: MsMpEng.exe, 00000001.00000003.650047553.000000000337C000.00000004.00000040.sdmp | String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/
Source: MsMpEng.exe, 00000001.00000002.918179147.000000000337C000.00000004.00000040.sdmp, z4ra2w5g-readme.txt46.1.dr | String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3C6DAF927BB6748F
Source: revil.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: revil.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: revil.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: MsMpEng.exe, 00000001.00000003.650047553.000000000337C000.00000004.00000040.sdmp | String found in binary or memory: http://decoder.re/
Source: MsMpEng.exe, 00000001.00000002.918179147.000000000337C000.00000004.00000040.sdmp, z4ra2w5g-readme.txt46.1.dr | String found in binary or memory: http://decoder.re/3C6DAF927BB6748F
Source: revil.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: revil.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: revil.exe | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: revil.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: MsMpEng.exe, 00000001.00000003.650047553.000000000337C000.00000004.00000040.sdmp, z4ra2w5g-readme.txt46.1.dr | String found in binary or memory: https://torproject.org/
Source: revil.exe, 00000000.00000002.650225215.00000000012DA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

        Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme
Source: C:\z4ra2w5g-readme.txt | Dropped file:
---=== Welcome. Again. ===---
[-] Whats HapPen? [-]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension z4ra2w5g.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
 a) Download and install TOR browser from this site: https://torproject.org/
 b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3C6DAF927BB6748F
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
 a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
 b) Open our secondary website: http://decoder.re/3C6DAF927BB6748F
Warning: secondary website can be blocked, thats why first variant much be
Yara detected Sodinokibi Ransomware
Source: Yara match | File source: 00000001.00000003.649759193.00000000033F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.650121407.00000000033F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.649936181.00000000033F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.649851083.00000000033F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.649708286.00000000033F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.650242625.00000000033F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.650215316.00000000033F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.823910328.00000000033F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.649804113.00000000033F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MsMpEng.exe PID: 6972, type: MEMORY
Contains functionality to change the wallpaper
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_029A4EFA GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,MulDiv,CreateFontW,SelectObject,SetBkMode,SetTextColor,GetStockObject,FillRect,SetPixel,DrawTextW,SystemParametersInfoW,DeleteObject,DeleteObject,DeleteDC,ReleaseDC
Modifies existing user documents (likely ransomware behavior)
Source: C:\Windows\MsMpEng.exe | File moved: C:\Users\user\Desktop\IZMFBFKMEB\GNLQNHOLWB.xlsx
Source: C:\Windows\MsMpEng.exe | File deleted: C:\Users\user\Desktop\IZMFBFKMEB\GNLQNHOLWB.xlsx
Source: C:\Windows\MsMpEng.exe | File moved: C:\Users\user\Desktop\IZMFBFKMEB\IZMFBFKMEB.docx
Source: C:\Windows\MsMpEng.exe | File deleted: C:\Users\user\Desktop\IZMFBFKMEB\IZMFBFKMEB.docx
Source: C:\Windows\MsMpEng.exe | File moved: C:\Users\user\Desktop\ERWQDBYZVW.png

        System Summary:

Source: C:\Windows\MsMpEng.exe | Code function: 1_2_029A5C85 NtShutdownSystem,ExitWindowsEx
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_029A5DA9 DeleteService
Source: C:\Users\user\Desktop\revil.exe | File created: C:\Windows\mpsvc.dll
Source: C:\Users\user\Desktop\revil.exe | Code function: 0_2_0016B16D
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D52034C
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4C7500
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D52B503
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4C4DE0
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4E1440
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4D6C00
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4CBCC0
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4EDCE0
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4C4FF0
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4D5640
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4D3E50
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D52F66E
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4C4620
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4C8630
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D530152
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4D29E0
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4EE9B0
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4E1810
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4C8030
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D5308FA
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4D2B60
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4CD300
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4D7310
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4C8B30
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D52FBE0
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D4D5A60
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D5292F0
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_6D531AB0
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_029AC41F
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_029A9252
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_029AB78A
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_029A8FF4
Source: C:\Windows\MsMpEng.exe | Code function: 1_2_029A9775
Source: Joe Sandbox View | Dropped File: C:\Windows\MsMpEng.exe 33BC14D231A4AFAA18F06513766D5F69D8B88F1E697CD127D24FB4B72AD44C7A