Petya/NotPetya/ExPetr | VMRay Analyzer Report
Analysis Information
Creation Time: 2017-06-30 17:01 (UTC+2)
VM Analysis Duration Time: 00:04:05
Execution Successful: True
Sample Filename: Petya.dll
Command Line Parameters: #1
Prescript: False
Number of Processes: 11
Termination Reason: RAM disk exhausted
VTI Information
VTI Score: 100 / 100
VTI Database Version: 2.5
VTI Rule Match Count: 17
VTI Rule Type: Default (PE, ...)
Critical: This report is associated with a dynamic link library (DLL), which normally needs an appropriate loader. If an appropriate loader was not submitted along with the DLL, the analysis results may be incomplete and may not fully represent the behavior of the sample. Read more about submitting DLLs in the following section of the VMRay documentation: Usage -> Submitting Special Executables.
Critical: The operating system was rebooted during the analysis.
Critical: The RAM disk on the worker machine reached its limit during analysis. The analysis was terminated prematurely.
Critical: The overall sleep time of all monitored processes was truncated from 4 minutes to 20 seconds to reveal dormant functionality.
Monitored Processes
Process Graph

ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID
#1 | 0x948 | Analysis Target | High (Elevated) | Petya.dll | "C:\Windows\SysWOW64\AGakmVMR.exe" "C:\Users\HJRD1K~1\Desktop\Petya.dll" | #1
#2 | 0x960 | Child Process | High (Elevated) | cmd.exe | /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:15 | #1
#3 | 0x970 | Child Process | High (Elevated) | 6b4.tmp | "C:\Users\HJRD1K~1\AppData\Local\Temp\6B4.tmp" \\.\pipe\{0D32AB4E-3BEE-44D4-A8CC-67331E9E7F80} | #1
#4 | 0x99c | Child Process | High (Elevated) | schtasks.exe | schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:15 | #2
#5 | 0x564 | Created Scheduled Job | High (Elevated) | taskeng.exe | taskeng.exe {0D1FD9A9-3A1B-4884-B8AD-2AF772DB274D} S-1-5-21-1463843789-3877896393-3178144628-1000:1R6PFH\hJrD1KOKY DS8lUjv:Interactive:Highest[1] | #4
#6 | 0x9d0 | Child Process | High (Elevated) | cmd.exe | /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: | #1
#7 | 0x9e4 | Child Process | High (Elevated) | wevtutil.exe | wevtutil cl Setup | #6
#8 | 0x9f0 | Child Process | High (Elevated) | wevtutil.exe | wevtutil cl System | #6
#9 | 0x9fc | Child Process | High (Elevated) | wevtutil.exe | wevtutil cl Security | #6
#10 | 0xa08 | Child Process | High (Elevated) | wevtutil.exe | wevtutil cl Application | #6
#11 | 0xa14 | Child Process | High (Elevated) | fsutil.exe | fsutil usn deletejournal /D C: | #6
Sample Information
ID: #1955750
MD5 Hash Value: 71b6a493388e7d0b40c83ce903bc6b04
SHA1 Hash Value: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
SHA256 Hash Value: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Filename: Petya.dll
File Size: 353.87 KB (362360 bytes)
File Type: Windows DLL (x86-32)
Analyzer and Virtual Machine Information
Analyzer Version: 2.1.0
Analyzer Build Date: 2017-06-30 16:09 (UTC+2)
Internet Explorer Version: 8.0.7601.17514
Firefox Version: 39.0
VM Name: win7_64_sp1
VM Architecture: x86 64-bit
VM OS: Windows 7
VM Kernel Version: 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)