Petya/NotPetya/ExPetr | VTI by Score
Try VMRay Analyzer
VTI Score 100 / 100 | |
| VTI Database Version | 2.5 |
| VTI Rule Match Count | 17 |
| VTI Rule Type | Default (PE, ...) |
 | Device | Write master boot record (MBR) | |
Write 512 bytes to master boot record (MBR). | |||
| File System | Handle with malicious files | |
File "c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp" is a known malicious file. | |||
| Network | Connect to SMB share | |
Connect to a network share at \\192.168.0.1\admin$. | |||
| Process | Escalate Privileges | |
Enable critical process privilege "SeTcbPrivilege". | |||
Enable process privilege "SeShutdownPrivilege". | |||
Enable process privilege "SeDebugPrivilege". | |||
| Device | Access physical drive | |
Access physical drive "\device\harddisk0\dr0". | |||
| Process | Allocate a page with write and execute permissions | |
Change the protection of a page from writable ("PAGE_READWRITE") to executable ("PAGE_EXECUTE_READ"). | |||
| Anti Analysis | Dynamic API usage | |
Resolve above average number of APIs. | |||
| Process | Create process with hidden window | |
The process "C:\Windows\system32\cmd.exe" starts with hidden window. | |||
The process "C:\Users\HJRD1K~1\AppData\Local\Temp\6B4.tmp" starts with hidden window. | |||
| Process | Read from memory of an other process | |
"c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp" reads from "c:\windows\system32\lsass.exe". | |||
| File System | Modify operating system directory | |
Modify "c:\windows\dllhost.dat". | |||
| OS | Use encryption API | |
Use above average number of encryption APIs. | |||
| PE | Drop PE file | |
Drop file "c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp". | |||
Drop file "c:\windows\dllhost.dat". | |||
| PE | Execute dropped PE file | |
Execute dropped file "c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp". | |||
