Pulse: Petya Ransomware Fast Spreading Attack
TLP: WHITE | Author: AlienVault | Created: 2017-06-27 | Modified: 2017-07-25
25 IOCs | Medium volume
This is worm-like ransomware based on Petya.
- The malware was deployed via the software update mechanism of a piece of Ukrainian accounting software on the morning of Tuesday 27th June 2017.
- The malware encrypts files and the boot record of hard disks, leaving behind a ransom note.
- It spreads within networks through PsExec and WMIC commands, using credentials stolen by a tool similar to Mimikatz.
- It also attempts to spread using the EternalBlue and EternalRomance SMBv1 exploits.
- It also clears event logs and the file system journals.
- In this case paying the attackers will not help get any files back.

Example note: Please follow the instructions: 1. Send $300 worth of Bitcoin to following address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX 2. Send your Bitcoin wallet ID and personal installation key to e-mail wowsmith123456@posteo.net.
Indicators of Compromise (25)
TYPE INDICATOR CREATED
FileHash-SHA256 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 2017-06-27
FileHash-SHA256 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1 2017-06-27
email wowsmith123456@posteo.net 2017-06-27
FileHash-MD5 71b6a493388e7d0b40c83ce903bc6b04 2017-06-27
FileHash-SHA1 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d 2017-06-27
FilePath dllhost.dat 2017-06-27
FileHash-SHA256 752e5cf9e47509ce51382c88fc4d7e53b5ca44ba22a94063f95222634b362ca5 2017-06-27
FileHash-MD5 0df7179693755b810403a972f4466afb 2017-06-27
FileHash-MD5 42b2ff216d14c2c8387c8eabfb1ab7d0 2017-06-27
FileHash-MD5 e595c02185d8e12be347915865270cca 2017-06-27
FileHash-MD5 e285b6ce047015943e685e6638bd837e 2017-06-27
FileHash-SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf 2017-06-28
FileHash-SHA1 56c03d8e43f50568741704aee482704a4f5005ad 2017-06-28
FileHash-SHA1 9717cfdc2d023812dbc84a941674eb23a2a8ef06 2017-06-28
FileHash-MD5 7e37ab34ecdcc3e77e24522ddfd4852d 2017-06-28
CVE CVE-2017-0143 2017-06-28
YARA ddea5eeec6c88f6307f95b79dec53e340075022e 2017-07-25
YARA 4d0d73c1802c24bcf16ee44f0a736e44eb4358c5 2017-07-25
YARA 34692464f1826cdc91447bdf5e9549f44b5b584e 2017-07-25
domain wowsmith123456posteo.net 2017-07-25
YARA 00bb0619131981a12523824e760823ec6ca7c134 2017-07-25
YARA b947df16aa881dbc580c190726baef954a3a0a6a 2017-07-25
YARA 5dac5121a167a9012ad871b4f5051eae3c074744 2017-07-25
FileHash-SHA256 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739 2017-07-25
FileHash-MD5 af2379cc4d607a45ac44d62135fb7015 2017-07-25