Petya/NotPetya/ExPetr | VTI by Category
Try VMRay Analyzer
VTI Score 100 / 100 | |
| VTI Database Version | 2.5 |
| VTI Rule Match Count | 17 |
| VTI Rule Type | Default (PE, ...) |
 | Anti Analysis | |
| Dynamic API usage | |
Resolve above average number of APIs. | ||
| Device | |
| Write master boot record (MBR) | |
Write 512 bytes to master boot record (MBR). | ||
| Access physical drive | |
Access physical drive "\device\harddisk0\dr0". | ||
| File System | |
| Handle with malicious files | |
File "c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp" is a known malicious file. | ||
| Modify operating system directory | |
Modify "c:\windows\dllhost.dat". | ||
| Network | |
| Connect to SMB share | |
Connect to a network share at \\192.168.0.1\admin$. | ||
| OS | |
| Use encryption API | |
Use above average number of encryption APIs. | ||
| PE | |
| Drop PE file | |
Drop file "c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp". | ||
Drop file "c:\windows\dllhost.dat". | ||
| Execute dropped PE file | |
Execute dropped file "c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp". | ||
| Process | |
| Escalate Privileges | |
Enable critical process privilege "SeTcbPrivilege". | ||
Enable process privilege "SeShutdownPrivilege". | ||
Enable process privilege "SeDebugPrivilege". | ||
| Allocate a page with write and execute permissions | |
Change the protection of a page from writable ("PAGE_READWRITE") to executable ("PAGE_EXECUTE_READ"). | ||
| Create process with hidden window | |
The process "C:\Windows\system32\cmd.exe" starts with hidden window. | ||
The process "C:\Users\HJRD1K~1\AppData\Local\Temp\6B4.tmp" starts with hidden window. | ||
| Read from memory of an other process | |
"c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp" reads from "c:\windows\system32\lsass.exe". | ||
| - | Browser | |
| - | Hide Tracks | |
| - | Information Stealing | |
| - | Injection | |
| - | Kernel | |
| - | Masquerade | |
| - | Persistence | |
| - | VBA Macro | |
| - | YARA | |
