Creation Time | 2017-06-30 17:01 (UTC+2) |
VM Analysis Duration Time | 00:04:05 |
Execution Successful | |
Sample Filename | Petya.dll |
Command Line Parameters | #1 |
Prescript | |
Number of Processes | 11 |
Termination Reason | RAM disk exhausted |
VTI Score | 100 / 100 |
VTI Database Version | 2.5 |
VTI Rule Match Count | 17 |
VTI Rule Type | Default (PE, ...) |
This report is associated with a dynamic link library (DLL), which normally needs an appropriate loader. If an appropriate loader was not submitted along with the DLL, the analysis results may be incomplete and may not fully represent the behavior of the sample. Read more about submitting DLLs in the following section of the VMRay documentation: Usage -> Submitting Special Executables. | |
The operating system was rebooted during the analysis. | |
The RAM disk on the worker machine reached its limit during analysis. The analysis was terminated prematurely. | |
The overall sleep time of all monitored processes was truncated from 4 minutes to 20 seconds to reveal dormant functionality. | |
ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID |
---|---|---|---|---|---|---|
#1 | 0x948 | Analysis Target | High (Elevated) | Petya.dll | "C:\Windows\SysWOW64\AGakmVMR.exe" "C:\Users\HJRD1K~1\Desktop\Petya.dll" #1 | |
#2 | 0x960 | Child Process | High (Elevated) | cmd.exe | /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:15 | #1 |
#3 | 0x970 | Child Process | High (Elevated) | 6b4.tmp | "C:\Users\HJRD1K~1\AppData\Local\Temp\6B4.tmp" \\.\pipe\{0D32AB4E-3BEE-44D4-A8CC-67331E9E7F80} | #1 |
#4 | 0x99c | Child Process | High (Elevated) | schtasks.exe | schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:15 | #2 |
#5 | 0x564 | Created Scheduled Job | High (Elevated) | taskeng.exe | taskeng.exe {0D1FD9A9-3A1B-4884-B8AD-2AF772DB274D} S-1-5-21-1463843789-3877896393-3178144628-1000:1R6PFH\hJrD1KOKY DS8lUjv:Interactive:Highest[1] | #4 |
#6 | 0x9d0 | Child Process | High (Elevated) | cmd.exe | /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: | #1 |
#7 | 0x9e4 | Child Process | High (Elevated) | wevtutil.exe | wevtutil cl Setup | #6 |
#8 | 0x9f0 | Child Process | High (Elevated) | wevtutil.exe | wevtutil cl System | #6 |
#9 | 0x9fc | Child Process | High (Elevated) | wevtutil.exe | wevtutil cl Security | #6 |
#10 | 0xa08 | Child Process | High (Elevated) | wevtutil.exe | wevtutil cl Application | #6 |
#11 | 0xa14 | Child Process | High (Elevated) | fsutil.exe | fsutil usn deletejournal /D C: | #6 |
ID | #1955750 |
MD5 Hash Value | 71b6a493388e7d0b40c83ce903bc6b04 |
SHA1 Hash Value | 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d |
SHA256 Hash Value | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 |
Filename | Petya.dll |
File Size | 353.87 KB (362360 bytes) |
File Type | Windows DLL (x86-32) |
Analyzer Version | 2.1.0 |
Analyzer Build Date | 2017-06-30 16:09 (UTC+2) |
Internet Explorer Version | 8.0.7601.17514 |
Firefox Version | 39.0 |
VM Name | win7_64_sp1 |
VM Architecture | x86 64-bit |
VM OS | Windows 7 |
VM Kernel Version | 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa) |