6d4eb90e5ccaf6fe5a129ae6b1d84835bfbb500e2028420ff47e63c593b04ebc

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 08:26

Target

2024-04-20_31c8e3744f241a06e6c10507f70105fa_bad-rabbit_doublepulsar_eternalpetya_karagany_notpetya_petrwrap_petya.exe
Size

618KB
MD5

31c8e3744f241a06e6c10507f70105fa
SHA1

78ab7672f6b24ca6f7cf236d0609ab90d252b372
SHA256

6d4eb90e5ccaf6fe5a129ae6b1d84835bfbb500e2028420ff47e63c593b04ebc
SHA512

40e04a5c2d9fa6042e43865aa1de61893a24cc563ca84bf31e5b5a65c58ca3c987513675f50c3d89638240013a787fc1f34f84a387e3e1e8476b29074b312fdd
SSDEEP

12288:Wn/X4NTS/x9jNG+w+9OqFoK323qdQYKU3ZuGOBqs8XIJ25h5pYi:sXATS/x9jNg+95vdQaZAssGlhE

Score

9^/10

Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware 4 IoCs

resource	yara_rule
behavioral2/memory/2140-0-0x0000000000DB0000-0x0000000000E4DAFE-memory.dmp	INDICATOR_SUSPICIOUS_USNDeleteJournal
behavioral2/memory/2140-4-0x0000000000DB0000-0x0000000000E4DAFE-memory.dmp	INDICATOR_SUSPICIOUS_USNDeleteJournal
behavioral2/memory/2140-1-0x0000000000DB0000-0x0000000000E4DAFE-memory.dmp	INDICATOR_SUSPICIOUS_USNDeleteJournal
behavioral2/memory/2140-7-0x0000000000DB0000-0x0000000000E4DAFE-memory.dmp	INDICATOR_SUSPICIOUS_USNDeleteJournal

Detects executables containing commands for clearing Windows Event Logs 4 IoCs

resource	yara_rule
behavioral2/memory/2140-0-0x0000000000DB0000-0x0000000000E4DAFE-memory.dmp	INDICATOR_SUSPICIOUS_ClearWinLogs
behavioral2/memory/2140-4-0x0000000000DB0000-0x0000000000E4DAFE-memory.dmp	INDICATOR_SUSPICIOUS_ClearWinLogs
behavioral2/memory/2140-1-0x0000000000DB0000-0x0000000000E4DAFE-memory.dmp	INDICATOR_SUSPICIOUS_ClearWinLogs
behavioral2/memory/2140-7-0x0000000000DB0000-0x0000000000E4DAFE-memory.dmp	INDICATOR_SUSPICIOUS_ClearWinLogs

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4440	2140	WerFault.exe	86
780	2140	WerFault.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-04-20_31c8e3744f241a06e6c10507f70105fa_bad-rabbit_doublepulsar_eternalpetya_karagany_notpetya_petrwrap_petya.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_31c8e3744f241a06e6c10507f70105fa_bad-rabbit_doublepulsar_eternalpetya_karagany_notpetya_petrwrap_petya.exe"
1⤵
PID:2140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 336
  2⤵
  - Program crash
  PID:4440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 344
  2⤵
  - Program crash
  PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2140 -ip 2140
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2140 -ip 2140
1⤵
PID:2696

memory/2140-0-0x0000000000DB0000-0x0000000000E4DAFE-memory.dmp

Filesize
630KB

Download
memory/2140-2-0x0000000000FD0000-0x0000000000FD5000-memory.dmp

Filesize
20KB

Download
memory/2140-3-0x0000000000FA0000-0x0000000000FC4000-memory.dmp

Filesize
144KB

Download
memory/2140-5-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/2140-4-0x0000000000DB0000-0x0000000000E4DAFE-memory.dmp

Filesize
630KB

Download
memory/2140-1-0x0000000000DB0000-0x0000000000E4DAFE-memory.dmp

Filesize
630KB

Download
memory/2140-6-0x0000000000FA0000-0x0000000000FC4000-memory.dmp

Filesize
144KB

Download
memory/2140-7-0x0000000000DB0000-0x0000000000E4DAFE-memory.dmp

Filesize
630KB

Download
memory/2140-8-0x0000000000FA0000-0x0000000000FC4000-memory.dmp

Filesize
144KB

Download