2024-04-09_b445cc5479b49abd035f104aa704b8ab_petya

Sharing

General

Target

2024-04-09_b445cc5479b49abd035f104aa704b8ab_petya
Size

2.8MB
MD5

b445cc5479b49abd035f104aa704b8ab
SHA1

d5c94b8fd29d7a073cd5428c0327af9f516a2346
SHA256

9eaef2a3e9a8c5f39a9c7b394e87cd14b2b923db545bb9ffedd1bf524b435a89
SHA512

694d1c6a2c9ed4a786a02b2a4c8178a5f2ae03b326af20673082c45f5a26a7d24b0b677db4d4e0cc4010fc9509724060dc1a71ad2115399e7d6586ae2456113f
SSDEEP

49152:ri94FiQoRiPoPoxsWsaLevUBwsKV/cUZFdXrX75hJSCACytBxZV6X4snchEl/jnS:r1k8+dm3Oxji2l8U7WuTMCPeM2ieLTyC

Score

10^/10

Malware Config

Signatures

Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_USNDeleteJournal

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-04-09_b445cc5479b49abd035f104aa704b8ab_petya

Files

2024-04-09_b445cc5479b49abd035f104aa704b8ab_petya
.exe windows:5 windows x64 arch:x64

32ebf6d05d9909a5528c036496ee3157

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

k:\work\DataRecovery\SVN-New\03_Source_V1\UI\Output\x64\Release\iBoysoftDataRecovery.pdb

Imports

gdiplus

GdipCreateImageAttributes
GdipDisposeImageAttributes
GdipGraphicsClear
GdipCreateBitmapFromGraphics
GdipLoadImageFromStream
GdipBitmapLockBits
GdipGetImagePaletteSize
GdipCreateBitmapFromFile
GdipDrawImageI
GdipBitmapUnlockBits
GdipDrawImageRectRectI
GdipCreateBitmapFromScan0
GdipGetImagePixelFormat
GdipGetImagePalette
GdipGetImageWidth
GdipCloneImage
GdipCreateFromHDC
GdipDisposeImage
GdipAlloc
GdipDrawImageRectI
GdipDeleteGraphics
GdipCreateBitmapFromStream
GdipGetImageHeight
GdipFree
GdiplusStartup
GdiplusShutdown
GdipGetImageGraphicsContext

mfc90u

ord3858
ord3983
ord6002
ord2937
ord2958
ord4345
ord602
ord1977
ord1514
ord4205
ord2136
ord1578
ord3257
ord1110
ord4192
ord6282
ord5620
ord6205
ord2001
ord2436
ord1310
ord6288
ord2141
ord4207
ord293
ord3173
ord6235
ord2320
ord3663
ord555
ord6129
ord3442
ord5750
ord2084
ord746
ord1387
ord4898
ord3840
ord4982
ord4985
ord4681
ord4786
ord3771
ord4077
ord4491
ord4496
ord4493
ord4511
ord4514
ord4498
ord4710
ord4290
ord4281
ord5107
ord4903
ord4313
ord4913
ord4556
ord4557
ord3435
ord4384
ord5306
ord5283
ord3567
ord3376
ord513
ord3694
ord4231
ord4108
ord4683
ord4187
ord336
ord600
ord2122
ord6127
ord6128
ord6126
ord3439
ord5186
ord3396
ord1621
ord745
ord6428
ord3415
ord1629
ord1693
ord3981
ord2145
ord763
ord4354
ord3065
ord913
ord3899
ord6008
ord3979
ord5619
ord2533
ord300
ord799
ord5659
ord6312
ord4104
ord1520
ord305
ord3009
ord4465
ord392
ord5217
ord5452
ord641
ord5857
ord6023
ord5767
ord2433
ord1215
ord1306
ord355
ord1975
ord614
ord1211
ord3408
ord1626
ord2142
ord756
ord4351
ord6179
ord4222
ord2515
ord290
ord1516
ord5658
ord6320
ord6314
ord5966
ord4432
ord3269
ord362
ord617
ord4871
ord3740
ord1603
ord574
ord768
ord3428
ord3492
ord6281
ord2719
ord1772
ord5772
ord512
ord722
ord3250
ord1576
ord2133
ord598
ord4343
ord3249
ord332
ord3381
ord1615
ord1686
ord3225
ord728
ord3291
ord5861
ord310
ord589
ord796
ord1513
ord4188
ord4225
ord5011
ord3548
ord632
ord1949
ord6234
ord4191
ord2218
ord3895
ord3975
ord1308
ord792
ord1255
ord3685
ord769
ord3780
ord4233
ord1454
ord3243
ord1574
ord1675
ord594
ord1840
ord1984
ord877
ord2184
ord5532
ord916
ord1961
ord5692
ord1512
ord6207
ord5743
ord1422
ord568
ord6147
ord5845
ord760
ord2222
ord4699
ord5335
ord4373
ord2956
ord4855
ord4321
ord3735
ord3553
ord393
ord642
ord2068
ord2837
ord5907
ord3889
ord5033
ord4579
ord4745
ord4578
ord4609
ord5098
ord4840
ord2914
ord1287
ord6209
ord5618
ord2326
ord4213
ord4103
ord1519
ord285
ord3008
ord5345
ord5362
ord4050
ord5356
ord3005
ord1966
ord1071
ord266
ord429
ord5241
ord1472
ord668
ord3424
ord577
ord6116
ord3932
ord5511
ord6363
ord5230
ord1025
ord3906
ord5713
ord2065
ord2110
ord4438
ord6424
ord3901
ord6422
ord4658
ord3930
ord2303
ord5696
ord4687
ord5358
ord4121
ord772
ord3783
ord4145
ord265
ord4596
ord2907
ord1209
ord6264
ord4506
ord1080
ord3297
ord1307
ord1980
ord3247
ord1103
ord2432
ord1149
ord1061
ord3317
ord2860
ord3493
ord2139
ord671
ord4349
ord3750
ord424
ord1595
ord2435
ord664
ord2378
ord1040
ord583
ord2437
ord5307
ord5346
ord775
ord1430
ord6056
ord779
ord1233
ord2602
ord2797
ord2904
ord4419
ord2780
ord3137
ord3784
ord3073
ord3301
ord1589
ord1677
ord2137
ord655
ord4347
ord4372
ord2531
ord296
ord280
ord789
ord791
ord6309
ord6307
ord2722
ord3862
ord286
ord588
ord777
ord5332
ord1634
ord1698
ord1699
ord2010
ord1389
ord3014
ord6027
ord5093
ord3436
ord6425
ord3902
ord6423
ord1553
ord2226
ord2932
ord2233
ord2470
ord2452
ord2450
ord2468
ord2480
ord2457
ord2473
ord2478
ord2461
ord2463
ord2465
ord2459
ord2475
ord2455
ord949
ord945
ord947
ord943
ord938
ord5365
ord5367
ord6101
ord1635
ord4393
ord4843
ord3494
ord4294
ord6421
ord5201
ord1954
ord5284
ord4355
ord4048
ord4601
ord1658
ord1661
ord3535
ord1582
ord1713
ord1714
ord2067
ord5013
ord4856
ord4322
ord1429
ord6053
ord3135
ord5314
ord4051
ord2709
ord3809
ord3819
ord3818
ord2598
ord2711
ord2605
ord3331

msvcr90

__CxxFrameHandler3
_decode_pointer
?_type_info_dtor_internal_method@type_info@@QEAAXXZ
__crt_debugger_hook
?terminate@@YAXXZ
_exit
_cexit
exit
_wcmdln
_initterm
_initterm_e
_configthreadlocale
_XcptFilter
__C_specific_handler
__wgetmainargs
_amsg_exit
towupper
_time64
__setusermatherr
_commode
_fmode
tolower
memmove
_encode_pointer
__set_app_type
_unlock
__dllonexit
_lock
_onexit
?what@exception@std@@UEBAPEBDXZ
_waccess
_mkdir
_access
_stricmp
_CxxThrowException
memset
sprintf_s
swprintf_s
_vswprintf_c_l
_localtime64_s
_recalloc
_resetstkoflw
memcpy
calloc
wcsstr
_wtoi
strrchr
wcscpy_s
_beginthreadex
memcpy_s
_vswprintf
vswprintf_s
_vscprintf
_purecall
strcpy_s
fprintf
wcsrchr
atoi
__iob_func
strstr
malloc
free
sscanf
vsprintf
sprintf
_wcsnicmp
memmove_s
_invalid_parameter_noinfo
??0exception@std@@QEAA@AEBV01@@Z
??0exception@std@@QEAA@AEBQEBD@Z
??0exception@std@@QEAA@XZ
??1exception@std@@UEAA@XZ
__RTDynamicCast

kernel32

GetSystemDefaultLangID
MulDiv
lstrlenW
ResumeThread
GetVersion
CreateFileMappingW
TerminateProcess
CreateProcessA
GetExitCodeProcess
UnmapViewOfFile
MapViewOfFile
LoadLibraryA
GetPrivateProfileStringW
LocalFileTimeToFileTime
DeleteFileA
GetModuleFileNameA
FindClose
CreateFileW
WriteFile
SetFileTime
CreateDirectoryW
SystemTimeToFileTime
SetEndOfFile
SetFilePointer
FindFirstFileW
GlobalUnlock
GlobalAlloc
GlobalLock
lstrcpyW
GetLocaleInfoW
QueryDosDeviceA
FreeLibrary
GetFileAttributesW
CreateThread
CloseHandle
OutputDebugStringA
DeleteCriticalSection
GetModuleHandleA
GetSystemInfo
DeviceIoControl
EnterCriticalSection
WritePrivateProfileStringW
GetSystemDirectoryA
GetModuleFileNameW
LeaveCriticalSection
GetVersionExW
Sleep
TerminateThread
InitializeCriticalSection
WaitForSingleObject
GetCurrentProcess
SetUnhandledExceptionFilter
TryEnterCriticalSection
CreateMutexW
CreateFileA
GetProcAddress
SetLastError
GetLastError
LoadLibraryW
GetModuleHandleW
GetFileSize
ReadFile
GlobalFree
FindResourceW
LoadResource
SetEvent
SizeofResource
HeapFree
GetProcessHeap
ResetEvent
LockResource
CreateEventW
WideCharToMultiByte
MultiByteToWideChar
GetDiskFreeSpaceExW
GetTempPathA
GetLocaleInfoA
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
QueryPerformanceCounter
GetStartupInfoW
GetDriveTypeA
GetVolumeNameForVolumeMountPointW
GetLogicalDrives
GetVolumeInformationW
SetVolumeMountPointW
CreateProcessW
GetTickCount
lstrcpynW
GetUserDefaultUILanguage
WritePrivateProfileStringA
GetPrivateProfileStringA
GetCurrentDirectoryW
GetSystemDirectoryW

user32

GetCursorPos
LoadCursorW
ScreenToClient
SetCursor
KillTimer
SetTimer
FrameRect
ReleaseDC
InflateRect
GetWindowDC
DestroyIcon
GetIconInfo
DrawIconEx
BeginPaint
FillRect
EndPaint
DrawFrameControl
GetWindowLongW
DrawFocusRect
GetFocus
MoveWindow
UpdateWindow
ReleaseCapture
SetCapture
LoadStringW
SetFocus
PostMessageW
FindWindowW
SetRect
GetSysColor
SetActiveWindow
GetScrollPos
ShowScrollBar
EnableScrollBar
SetScrollPos
LoadIconW
SetScrollRange
IsRectEmpty
SetRectEmpty
LoadBitmapA
CheckMenuItem
InsertMenuW
RemoveMenu
GetMenuState
EnableMenuItem
LoadMenuW
ModifyMenuW
DrawIcon
GetSubMenu
ClientToScreen
SetWindowTextW
GetClientRect
CloseClipboard
EmptyClipboard
OpenClipboard
SetClipboardData
SetForegroundWindow
GetDC
CopyRect
GetWindowRect
MessageBeep
SetWindowLongPtrW
CallWindowProcW
GetSystemMetrics
GetMessageW
DispatchMessageW
wsprintfW
OffsetRect
TranslateMessage
SetWindowPos
ShowWindow
IsWindow
IsIconic
MessageBoxW
LoadBitmapW
GetParent
InvalidateRect
SendMessageW
EnableWindow
PtInRect

gdi32

SetBkColor
Rectangle
GetBkColor
CreatePen
GetPixel
GetTextMetricsW
CreateBitmap
DPtoLP
GetMapMode
StretchBlt
SetDIBColorTable
CreateFontW
BitBlt
GetStockObject
GetDeviceCaps
GetTextExtentPoint32W
CreateFontIndirectW
PatBlt
DeleteDC
CreateDIBSection
SelectObject
CreateCompatibleDC
CreateCompatibleBitmap
SetDIBits
GetObjectW
DeleteObject
CreateSolidBrush
SetTextColor

advapi32

CryptHashData
CryptCreateHash
CryptDestroyHash
RegEnumValueW
RegCreateKeyExW
CryptAcquireContextW
CryptGetHashParam
RegSetValueExW
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
ConvertStringSecurityDescriptorToSecurityDescriptorW
CryptReleaseContext

shell32

SHBrowseForFolderW
ShellExecuteA
SHGetDesktopFolder
SHGetPathFromIDListW
SHGetSpecialFolderLocation
ShellExecuteW
SHGetFileInfoW
ord727

comctl32

InitCommonControlsEx
_TrackMouseEvent

shlwapi

SHCreateStreamOnFileA
PathFileExistsW
StrStrIA

ole32

CreateStreamOnHGlobal
OleRun
CoCreateInstance
CoCreateGuid
CoInitialize
CLSIDFromString

oleaut32

GetErrorInfo
OleLoadPicture
SysFreeString

msvcp90

??_D?$basic_fstream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??0?$basic_fstream@DU?$char_traits@D@std@@@std@@QEAA@PEBDHH@Z
?open@?$basic_fstream@DU?$char_traits@D@std@@@std@@QEAAXPEBDHH@Z
??$?5DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YAAEAV?$basic_istream@DU?$char_traits@D@std@@@0@AEAV10@AEAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
??$?M_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NAEBV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@0@Z
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@AEBV01@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@PEB_W@Z
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBAPEBDXZ
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@AEBV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@PEBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@XZ
?c_str@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEBAPEB_WXZ
??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@0@Z
??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QEAA@PEBDHH@Z
?end@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA?AV?$_String_iterator@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@2@XZ
?begin@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA?AV?$_String_iterator@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@2@XZ
?append@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAAEAV12@PEB_W@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAAEAV01@PEB_W@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAAEAV01@AEBV01@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBA?AV12@_K0@Z
?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBA_KXZ
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA?AV?$_String_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA?AV?$_String_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAAEAV12@AEBV12@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAAEAV01@PEBD@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAAEAV01@AEBV01@@Z
??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@PEB_W@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAAEAV12@PEBD@Z
?swap@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAXAEAV12@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@PEB_W_K@Z
?uncaught_exception@std@@YA_NXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?endl@std@@YAAEAV?$basic_ostream@DU?$char_traits@D@std@@@1@AEAV21@@Z

setupapi

SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceDetailA
SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList
SetupDiGetDeviceInterfaceDetailW

m3search

M3_SerializeFileNode
M3_RestoreFileNode

winfs

My_GetFSService

libeay32

ord493
ord253
ord227
ord2044
ord492
ord2291

Sections

.text
Size: 543KB - Virtual size: 543KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 225KB - Virtual size: 224KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 27KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

32ebf6d05d9909a5528c036496ee3157

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

gdiplus

mfc90u

msvcr90

kernel32

user32

gdi32

advapi32

shell32

comctl32

shlwapi

ole32

oleaut32

msvcp90

setupapi

m3search

winfs

libeay32

Sections

.text Size: 543KB - Virtual size: 543KB

.rdata Size: 225KB - Virtual size: 224KB

.data Size: 27KB - Virtual size: 55KB

.pdata Size: 38KB - Virtual size: 38KB

.rsrc Size: 2.0MB - Virtual size: 2.0MB

.reloc Size: 23KB - Virtual size: 22KB

.text
Size: 543KB - Virtual size: 543KB

.rdata
Size: 225KB - Virtual size: 224KB

.data
Size: 27KB - Virtual size: 55KB

.pdata
Size: 38KB - Virtual size: 38KB

.rsrc
Size: 2.0MB - Virtual size: 2.0MB

.reloc
Size: 23KB - Virtual size: 22KB