analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

NotPetya.exe

Full analysis: https://app.any.run/tasks/eb98c77c-35c0-4f4e-ad51-a74e44ce5891
Verdict: Malicious activity
Analysis date: August 09, 2020, 07:41:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5:

71B6A493388E7D0B40C83CE903BC6B04

SHA1:

34F917AABA5684FBE56D3C57D48EF2A1AA7CF06D

SHA256:

027CC450EF5F8C5F653329641EC1FED91F694E0D229928963B30F6B0D7D3A745

SSDEEP:

6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 2268)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3088)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • rundll32.exe (PID: 2748)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 2748)
    • Creates files in the program directory

      • rundll32.exe (PID: 2748)
  • INFO

    • Loads main object executable

      • rundll32.exe (PID: 2748)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:06:18 09:14:36+02:00
PEType: PE32
LinkerVersion: 10
CodeSize: 48640
InitializedDataSize: 306688
UninitializedDataSize: -
EntryPoint: 0x7d39
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows command line

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 18-Jun-2017 07:14:36

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 18-Jun-2017 07:14:36
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DLL
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0000BD63
0x0000BE00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.54653
.rdata
0x0000D000
0x00008546
0x00008600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.99213
.data
0x00016000
0x00009B4A
0x00005200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.42699
.rsrc
0x00020000
0x0003C738
0x0003C800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.99829
.reloc
0x0005D000
0x00000C02
0x00000E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
4.77168

Imports

ADVAPI32.dll
CRYPT32.dll
DHCPSAPI.DLL
IPHLPAPI.DLL
KERNEL32.dll
MPR.dll
NETAPI32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll

Exports

Title
Ordinal
Address
1
0x00007DEB
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe cmd.exe no specs schtasks.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2748"C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\NotPetya.exe", #1C:\Windows\System32\rundll32.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2268/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 09:44C:\Windows\system32\cmd.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3088schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 09:44C:\Windows\system32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
16
Read events
16
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
876
Text files
3
Unknown types
39

Dropped files

PID
Process
Filename
Type
2748rundll32.exeC:\Users\admin\AppData\Local\Temp\NotPetya.exe
MD5:
SHA256:
2748rundll32.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\IDTemplates\CAT\AdobeID.pdfbinary
MD5:5465E46D19590E61888804D00677569D
SHA256:E444C5AA336AB1F96E63B9BDA121379F3EDDF47E4E8245324230E2118D78E807
2748rundll32.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\IDTemplates\CHT\AdobeID.pdfbinary
MD5:BED79D4488CABE18AE1C5367B26910EB
SHA256:2B36988142E130ACBC98A2CFCDF053408E217F541C29E480744694CB34686DDF
2748rundll32.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\IDTemplates\CHT\DefaultID.pdfbinary
MD5:D6162ECBC915687D64C0A2A15D6CE966
SHA256:932D523CF8B47C547257D4E4D743C4D588E2F69D7B5D9F39A8F99E1AEB3D6978
2748rundll32.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\IDTemplates\CHS\DefaultID.pdfbinary
MD5:DEB0E5CE0BBC7238B8262B14168AAEFB
SHA256:9A3743231836783F25E0C7B2E2A3337AA4B227232B58F871F561598C7BE91DA9
2748rundll32.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\IDTemplates\CAT\DefaultID.pdfbinary
MD5:D0EE33263C672241D4AAC89E3750BC50
SHA256:D6E3936FA69BAA3706747142C700DA322427273E1B54A9FF9A7458A3F84C54FD
2748rundll32.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\IDTemplates\CZE\DefaultID.pdfbinary
MD5:880817655334F9DDA4AAEAF183CED3E1
SHA256:427DA21126A54089ED2C9B65725CDFCBEFCA0B0FD2E75E582ED9D3E9A978F696
2748rundll32.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\IDTemplates\DAN\DefaultID.pdfbinary
MD5:327BBE8D8FE02BCD68957FB059BA4D2C
SHA256:95D4A63563B1CBD28498B080F401A79A4E43DEA2AAD64E883C54D3524CE94050
2748rundll32.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\IDTemplates\ESP\DefaultID.pdfbinary
MD5:94158BDDBFF26461828EDA363AB618CA
SHA256:C794D3501AF5D034EF01A9E4B0BC5009DD32239F30E46ADC856F581A60BF5CAC
2748rundll32.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\IDTemplates\CZE\AdobeID.pdfbinary
MD5:96CF33EE2ADC0AAF83740D7D43BD3219
SHA256:A4FDF336BB221820726A9D0F676348E5EBC3299FC3947A837D28F9554A4843F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.242:137
malicious

DNS requests

No data

Threats

No threats detected
No debug info