Sample details: 71b6a493388e7d0b40c83ce903bc6b04

Hashes
MD5: 71b6a493388e7d0b40c83ce903bc6b04
SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
SHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
SSDEEP: 6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/IsPE32 | YRP/IsDLL | YRP/IsConsole | YRP/IsPacked | YRP/HasOverlay | YRP/HasDigitalSignature | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/System_Tools | YRP/Misc_Suspicious_Strings | YRP/escalate_priv | YRP/cred_local | YRP/win_token | YRP/win_files_operation | YRP/CRC32_poly_Constant | YRP/CRC32_table | YRP/Str_Win32_Winsock2_Library | YRP/ransomware_PetrWrap | YRP/DoublePulsarXor_Petya | YRP/DoublePulsarDllInjection_Petya | FlorianRoth/NotPetya_Ransomware_Jun17 |
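Which of the recovered strings drive the rule classes above can be checked mechanically. The Python below is an added example, not code from this page, from the sample, or from the Yara-Rules project (YRP) whose rule names appear above: its needle sets are this example's own approximation of what escalate_priv, cred_local, win_token and the ransomware rules key on, not the published rule bodies. It runs over a constructed subset of the entries listed under Strings and reports which class each import, device path, note fragment or address falls into, then rolls the classes up into the two behaviours the rule names describe.

```python
"""Map strings recovered from the sample to the indicator classes reported
under "Yara Hits".  Added example: not the page's, the sample's, or the
Yara-Rules project's code; the needle sets are this example's own
approximation of what those rules look for, not their published bodies."""
import re

# Base58 alphabet exactly as it appears in the sample's strings; the
# ransom note's Bitcoin address is spelled in it.
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Exact-match indicators: imported API names, device paths, file names.
IMPORT_INDICATORS = {
    "win_token / escalate_priv": {
        "OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges",
        "DuplicateTokenEx", "SetThreadToken", "SetTokenInformation",
        "CreateProcessAsUserW",
    },
    "cred_local": {"CredEnumerateW", "CredFree"},
    "raw_disk_access": {r"\\.\PhysicalDrive0", r"\\.\PhysicalDrive", r"\\.\C:"},
    "crypto_api": {"CryptGenKey", "CryptEncrypt", "CryptExportKey",
                   "CryptImportKey", "CryptGenRandom"},
    "network_discovery": {"NetServerEnum", "GetExtendedTcpTable",
                          "GetAdaptersInfo", "GetIpNetTable", "DhcpEnumSubnets",
                          "DhcpEnumSubnetClients", "WNetOpenEnumW",
                          "WNetAddConnection2W"},
    "forced_reboot": {"NtRaiseHardError", "InitiateSystemShutdownExW",
                      "ExitWindowsEx"},
    "marker_file": {"perfc.dat"},   # file name carried in the strings
}

# Pattern indicators: note text, fake CHKDSK banner, contact/payment data.
PATTERN_INDICATORS = {
    "ransom_note": re.compile(
        r"your important files are encrypted|Send \$300 worth of Bitcoin"),
    "fake_chkdsk": re.compile(r"CHKDSK is repairing sector"),
    # A P2PKH address: '1' plus 25-34 further Base58 digits bounded by
    # non-word characters, so the 58-character alphabet string itself
    # does not match.
    "bitcoin_address": re.compile(r"\b1[%s]{25,34}\b" % BASE58_ALPHABET),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
}


def triage(strings):
    """Return {indicator_class: sorted list of matching strings}."""
    exact = {s.strip() for s in strings}
    report = {}
    for cls, needles in IMPORT_INDICATORS.items():
        hits = sorted(needles & exact)
        if hits:
            report[cls] = hits
    for cls, pattern in PATTERN_INDICATORS.items():
        hits = sorted({m.group(0) for s in strings for m in pattern.finditer(s)})
        if hits:
            report[cls] = hits
    return report


def verdict(report):
    """This example's own roll-up: disk-level ransomware needs note text,
    crypto API and raw disk access together; spreading needs token
    manipulation, credential harvesting and network discovery together."""
    classes = set(report)
    return {
        "ransomware": {"ransom_note", "crypto_api", "raw_disk_access"} <= classes,
        "lateral_movement": {"win_token / escalate_priv", "cred_local",
                             "network_discovery"} <= classes,
    }


# Constructed input: a subset of the entries listed under "Strings".
SAMPLE_STRINGS = [
    r"\\.\PhysicalDrive0", r"\\.\C:", "NtRaiseHardError", "IsWow64Process",
    "OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges",
    "DuplicateTokenEx", "CreateProcessAsUserW", "CredEnumerateW",
    "CryptGenKey", "CryptEncrypt", "CryptExportKey", "NetServerEnum",
    "GetExtendedTcpTable", "WNetAddConnection2W", "DhcpEnumSubnetClients",
    "perfc.dat", BASE58_ALPHABET, "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX",
    " Ooops, your important files are encrypted.",
    " 1. Send $300 worth of Bitcoin to following address:",
    "    wowsmith123456@posteo.net. Your personal installation key:",
    "  CHKDSK is repairing sector",
    "http://technet.microsoft.com/sysinternals",
]

if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS)
    for cls, hits in result.items():
        print(f"{cls:28s} {', '.join(hits)}")
    print(verdict(result))
```

On a real dump, feed triage() the output of strings one entry per line. A file that flags raw_disk_access together with crypto_api and a ransom note should be handled as disk-wiping ransomware whichever named rule fires; the token, credential and network classes are what separate a self-spreading sample from a plain locker.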
Source
http://94.130.104.170/027cc450ef5f8c5f653329641ec1fed9.exe
http://99.248.235.4/Library//Ransomeware/NotPetya.bin
http://99.248.235.4/Library/Ransomeware/NotPetya.bin
Strings
		!This program cannot be run in DOS mode.
jV|Rich
`.rdata
@.data
@.reloc
u3j j@
 5.1t]
 5.2tY
VisttU
ws 7tQ
2008tOB
u+jK_W
u:jJZf
uqjHZj
u$Wj	Y
t^jbYf
u&j<Yj
u$j@Xj
M,VWPf
U,VWPf
QQSVW3
u$@SVh
P f;S.u
HpSW;HxuE
Ht;H|u=
E(SVWP
j/Pj WS
D$,PVVj
t$$WhS
t$$WhS
D$<9t$<r
u(9X0t)9X
D$(Pj8
tE@;D$
VV@PVVh
PVVVVh 
D$h9\$
D$<PSSh
P9\$@t
9\$ t$
t#QQWhs
S@;Q s
S@;Q(s
Ch;C\r
C4;K0v
C89S(u
^(9^$u
G9^4u 
N(9N0u
Fast decoding Code from Chris Anderson
invalid literal/length code
invalid distance code
invalid distance too far back
wkPSQR
Genuu8
ntelu0
ineIu(
incorrect header check
unknown compression method
invalid window size
unknown header flags set
header crc mismatch
invalid block type
invalid stored block lengths
too many length or distance symbols
invalid code lengths set
invalid bit length repeat
invalid code -- missing end-of-block
invalid literal/lengths set
invalid distances set
invalid literal/length code
invalid distance code
invalid distance too far back
incorrect data check
incorrect length check
Qkkbal
[-&LMb#{'
w+OQvr
)\ZEo^m/
H*0"ZOW
l!;b	F
mj>zjZ
IiGM>nw
ewh/?y
OZw3(?
V_:X1:
need dictionary
stream end
file error
stream error
data error
insufficient memory
buffer error
incompatible version
 inflate 1.2.8 Copyright 1995-2013 Mark Adler 
\\.\PhysicalDrive
123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz
1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
%3%2%1%075613244
pZdddd
a3cdd,
a$cdd,
aMcdd,
avcdd,
@udddd
dtdd)U
qbbdd,
i;bdd,
Q3bdd,
YKbdde
ikbdd,e
Abbdd,
qoadd,
ddddddd,U
qXadd,
qfadd,
gdddddd
YNddd,
`dddddd,gi
<<:;9>=?%8%9%:%;,
lddddddd5,
qs`dd,
i>`dd]
yo`dd,
yf`dd,M
aggdd,
i`gdd,
q=gdd,
a9gdd,M
q{gdd,
aRgdd,e
qagdd,
dadd,]
dedd3,
-edd;,
dedd9=>?
`A\ddd,
l,Idtdd
ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddLgddDddd
dddlgdd(ddd
fddeddd
dddddddd
kjddddd7132%0%1%2%3,
dddd9,
AYidd,
IZidd,
dddd=)U
iJidd,
$ddddddd-
dTdddddd,U
9kdd,U
Y=jddU
fddddddd
$ddddddd,
dddddd,
dddddddd,
dddddd,
dddddddd,
ndddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd,
ddddddddddddddddddddddddddddddddddddddddddddddddd367,
$ddddddd-
dTdddddd,
$ddddddd-
dTdddddd,
36752,
Lddddddd6,
>,g!t2,
lddddddd,
eddddddd,
ddddddd
lddddddd,
addddddd,
!<dddd
k,e!<,
!D,g!<,
9L,e|,
lddddddd,
gddddddd,
Lddddddd6,
>,g!t-
ddddddd,
dddfddd-
ddd`ddd,
dddDddd
ddd$ddd,
dddddddd
eddddddd,
dddddddd,
ddd327,
ddd467,
kddddddd,
dddddddd,
lddddddd,
==99?:;
h9?:;>,e
dddd3675,
lddddddd,
hddddddd,
kddddddd,
$ddddddd-
dTdddddd,
367524,
kddddddd
<:=?>;
eddddddd
d:=?>;
36752,
eddddddd
d:=?>;
ddddddddddddddddddddddddzdddEidd*idddmddd:idddddddddd
dddd<,
medd0156723,U
;:?>=98
>q.df1
iWddd,
yHddd,M
iiddd,
<%;%:%9%8:;9?
33333E
<$O333
w22222222
<$O333
E4'4t3333'=O
w22222222
IsWow64Process
GetExtendedTcpTable
ntdll.dll
NtRaiseHardError
\\.\C:
\\.\PhysicalDrive0
255.255.255.255
%u.%u.%u.%u
CreateFileA
HeapAlloc
SetFilePointerEx
HeapFree
GetProcessHeap
WriteFile
ReadFile
GetSystemDirectoryA
GetLastError
DeviceIoControl
CloseHandle
FindFirstFileW
MapViewOfFile
UnmapViewOfFile
GetDriveTypeW
WaitForSingleObject
GetLogicalDrives
FlushViewOfFile
CreateFileW
GetFileSizeEx
FindClose
LocalAlloc
CreateFileMappingW
FindNextFileW
LocalFree
CreateThread
GetTickCount
MultiByteToWideChar
LeaveCriticalSection
SetLastError
EnterCriticalSection
HeapReAlloc
InitializeCriticalSection
InterlockedExchange
GetTempFileNameW
PeekNamedPipe
CreateProcessW
GetCurrentProcess
ConnectNamedPipe
GetModuleHandleW
CreateNamedPipeW
TerminateThread
DisconnectNamedPipe
FlushFileBuffers
GetTempPathW
GetProcAddress
DeleteFileW
FreeLibrary
GlobalAlloc
LoadLibraryW
GetComputerNameExW
GlobalFree
ExitProcess
GetVersionExW
GetModuleFileNameW
DisableThreadLibraryCalls
ResumeThread
GetEnvironmentVariableW
GetFileSize
SetFilePointer
FindResourceW
LoadResource
GetCurrentThread
OpenProcess
GetSystemDirectoryW
SizeofResource
GetLocalTime
Process32FirstW
LockResource
Process32NextW
GetModuleHandleA
lstrcatW
CreateToolhelp32Snapshot
GetWindowsDirectoryW
VirtualFree
VirtualAlloc
LoadLibraryA
VirtualProtect
WideCharToMultiByte
GetExitCodeProcess
WaitForMultipleObjects
KERNEL32.dll
wsprintfW
ExitWindowsEx
wsprintfA
USER32.dll
CryptReleaseContext
CryptAcquireContextA
CryptGenRandom
CryptExportKey
CryptAcquireContextW
CryptSetKeyParam
CryptImportKey
CryptEncrypt
CryptGenKey
CryptDestroyKey
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
CredFree
CredEnumerateW
SetThreadToken
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
GetSidSubAuthority
OpenThreadToken
GetSidSubAuthorityCount
GetTokenInformation
SetTokenInformation
DuplicateTokenEx
InitiateSystemShutdownExW
CreateProcessAsUserW
ADVAPI32.dll
CommandLineToArgvW
SHGetFolderPathW
SHELL32.dll
StringFromCLSID
CoCreateGuid
CoTaskMemFree
ole32.dll
CryptDecodeObjectEx
CryptStringToBinaryW
CryptBinaryToStringW
CRYPT32.dll
PathFindExtensionW
StrStrIW
PathCombineW
StrStrW
StrCatW
StrChrW
StrToIntW
StrCmpIW
StrCmpW
PathFileExistsW
PathFindFileNameW
PathAppendW
SHLWAPI.dll
GetIpNetTable
GetAdaptersInfo
IPHLPAPI.DLL
WS2_32.dll
WNetCloseEnum
WNetOpenEnumW
WNetEnumResourceW
WNetCancelConnection2W
WNetAddConnection2W
MPR.dll
NetServerEnum
NetApiBufferFree
NetServerGetInfo
NETAPI32.dll
DhcpRpcFreeMemory
DhcpGetSubnetInfo
DhcpEnumSubnets
DhcpEnumSubnetClients
DHCPSAPI.DLL
msvcrt.dll
memcpy
malloc
memset
perfc.dat
bHbGcDiHpY`
!This program cannot be run in DOS mode.
`.rdata
@.data
@.rsrc
@.reloc
QSVh< 
FindResourceW
LoadResource
CreateProcessW
HeapAlloc
HeapFree
GetProcessHeap
WriteFile
SizeofResource
CreateFileW
LockResource
CloseHandle
KERNEL32.dll
IsProcessorFeaturePresent
'020D0S0^0o0
0&1B1N1x1
252>2p2
2,3D3K3S3X3\3`3
3:4@4D4H4L4
575i5p5t5x5|5
!This program cannot be run in DOS mode.
`.rdata
@.data
.pdata
@.rsrc
fffffff
fffffff
CreateProcessW
CloseHandle
WriteFile
CreateFileW
HeapFree
HeapAlloc
GetProcessHeap
SizeofResource
LockResource
LoadResource
FindResourceW
KERNEL32.dll
p"1R<7&%= 9R" =5 3?RC\Brp>3<?3<C\Brp%
rp>?C\@*BB@rp>3<?3<@\Crp<&R>?RB\C@r
sssss$s
sSsAsCsCsCsSsAsBsJsFsss$s
sSsAsCsCsCsSsFs]sCsss
u)u)uDuGuFu[uDuGu[uFuDu[uGu)u<u%u6uQuuuJJJJJu
%y%u%l%u%`%y%%%%% %.&5%%%m%%%$%%%
5%%%%$%%%%%$%
'$G%%%%!x
5mE'%%%
RVWfPfS
PfXfYf
0123456789abcdef
  Repairing file system on C: 
  The type of the file system is NTFS.
  One of your disks contains errors and needs to be repaired. This process
  may take several hours to complete. It is strongly recommended to let it
  complete.
  WARNING: DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD
  DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED
  CHKDSK is repairing sector
Please reboot your computer!
 Decrypting sector
 Ooops, your important files are encrypted.
 If you see this text, then your files are no longer accessible, because they
 have been encrypted.  Perhaps you are busy looking for a way to recover your
 files, but don't waste your time.  Nobody can recover your files without our
 decryption service.
 We guarantee that you can recover all your files safely and easily.  All you
 need to do is submit the payment and purchase the decryption key.
 Please follow the instructions:
 1. Send $300 worth of Bitcoin to following address:
 2. Send your Bitcoin wallet ID and personal installation key to e-mail
    wowsmith123456@posteo.net. Your personal installation key:
 If you already purchased your key, please enter it below.
 Key: 
 Incorrect key! Please try again.
%)            
ERROR!
VN*]rjs
\~F.?'
"(dz1$
Lv r(%}
-n44}]Xg
8YMkwXp
;K,Ez=3X
^|2YC(j
X<O!hz
I5%NX@
{?jT((
oW8Ss.0=
"]ru+to
"f7^QKy
3VI9_*]QPs9
|o*>Cl
"b}#n[)
/} VN0
U~^9Q&o
4P<l`79
]-Z*%c^vp7+
?.W6tS3
qn:Ma/M
IKiUS2
}HabXm
+XKNk88
5	wH4E
8yv[V;@
Y{V<R"E
p(u9@%
7'^^d=z
cn-?~[
ABT~n.x
hg\NTN6D n&6
*(./%g
cC2M[{
/)"%d6Y@
*F%0&f
XO"S2<
%[i{Nu
TUlT5W[
U;dwGp3
]^odr;
_'TX'`_
:`;_H 
.EfZQ#?
p[WhXM&
5@<(ju
w7@R_"
P]'?/1o
h	#87{
t4[Uoc
RWE9"%@Tv
]~^17(9
RIdr{y
AP-lgt
GYTsp?
k@Nw>@
#3@d9T
t"7qw\Ry
M,&z/%:P
|8{Rhv
A}C\"OE
mGg.U`
ORj8EM
pN$k #l
9|A$o '
6HZ`zn
2T(+[W
8iu/juz
VlkO+0
1V{! ~
F|	=y=
	AS0/h
	RoBo[owo_
~>Td18
;AqpR;
UPm=H3
xi`~ [
]eBs|7F;BN}
An$y_',H
7Q3pWZOy|
XE$EuB
"t$b6.
`iQVHs
SgF~62
H;<f.PS
m}4IkkO
ngLx4mJF
) ?-N;
zxH=o_
3`|&lk
0p"X/x
$AA34B
v-KLHq
[?NJ0<
Z):B<DG
:[ WKR
;VC>;x
n7P~a')
1&-ec7
eSb_P<
k"),&N
`B$1!L
q;_Da7
{.^*Xu&22xw$
8	;5#rc
AZ?5&<f
jY<_LH
~I!vW#W
I<v(Sc
V8)E_k
Zi@#N!Y
BM@Gvk6
qQvTQFwI
^fvqLf
O"ZRhY
#u`v#a%B
|pynyN
2S1]-'e
ZdURkp
R`-a~L
9=lH@?z2
%uSM%J
RvgLOw
k}6H`!
vHG[v;
rWru#f
XL\TeO.)]>
*?Ja>Umo
I~;^T~
TtB;'ND3/a
/,dTzD
aKa3:+
+i%?E|U
]Y1B)rr
=0B{ ]{
/2rv${
)o>'~>P`
CnrX>s
Hs$z^SB
uE?u@m
V+oguU
J`]lPj4'
 :O+'`AJ_
Snc/v^-
uKTg"p9
j]*xPd
)B\by7
ChLn&R
W@b>+^DE\
	~%to\
hJaL(A40
+9g<BA
oKzh#]X
w9PA/9
_BEUw7
PHU*'-
:?e9D{
;`Xnr7
?cf]u*
'#QFX`
5Wkp7g/
~s#un/*
	;P~@t
g0r`M"
m&-	0AQ
Db#nh 
58\7:-G
 JyYAKw
u]$1WI
xm4|rj
6AsdZX
-05]iH
uD,r@nB
joA?Ro
)eaJ}QMMt7
=vNveC
D``#'^
5'Ue%5
+!kNHe%
rP^LfR
F<q|ou~
A\j72j
=Z/x:1
MlKm`)EG
 )P!c 
-`%q7f
M=T+-7
0JUUs?
|3Xh|N
n[]f}pxao
}"3e	gb
$f2Q!d 
(Hu0,@
&m1X~+
yR"[c3
$G#86{
#x`A)n
$!:33O
o=#q%@4
*;Q3>a
8+ IA(
>X_}ON}
R9WR>8
gFU|8TN
M|[<"YG
xr@YY 
gv%mx[
sA*L!L
J~k^~^QVQ
*!-4@y6DC(
DpjG30
hLLg10&#
HAUEVV
%jDWCZ^
un/!8|0
](J5]E
OUF2QG
T FlQ[D
xPEw8=]
obt,kKe
}\~$-v
Rd~MM1n
V)lahYA
{B-=sr'
} K(cT
,^b$wii
pwE-}B=X>
s7{]%u
uP~~Y<
v4cya/
m^E}#[
PH}:g]
)rUlt]
m~	}2~
qT*';A#
z1s]E-
/W*9@W)CD
[!ce"V&}
o(v<2=
!aA#^!
vav706}
mF#8sp-k
0'&`Q$]
;q%mY%
@wI84{
wHi7@i
/%~)l`
(Arsr%5
CmH<[G
WJp;I7
vK\kv/
5iP7K)S..
gO,r;R
AZw	fx-9
"b=W-+
bEU{/nL~
>C#QB{GK,
8Hz`4-
'[nx2=]
oY&ZUV
O_-fL~
goL6r6
JM^%C	
O\{X?x
BH:gSD
JW_=ik
Q>}2F*
]U3'[q
%p1ts 
)^mK/i
` ,w+?
C. <N;
3L#o4p
S*:AB5
1Lz+_@
:RTF6i
?e5^O(lA3!07`I7i
.Z.Rm~G
fS4@57
a":@s=
Hz{L"W
LLG;FW
;=9vyX 
7q6tBV
?0Z<+2
WO0'%jF
=5.21`
CmdAe/
Th&,19
v5p#v[p
k	,2N?B
S0vhD0
5_NL"*
ul1vAb1lf
tT,q7I*
P<{qA2
OYp9^F-
^MtEkFI
kYb2%nQ
[Cv=!D|x`f
y?SJa&=Z~
G)e-J|Y
D(X!^k
*UY|>Z
l}^mye
GOxh6C]
l:(Kg/2
&<d0J$
v3$T/t
qHsX0k
rlcG:W{
Nwa(qz
PA?UAo
j}=W7J
RRmqN5e!KI
rE8$9:`&
\CbNa{
"KKVcDL
lk]s&0
%foVcN~
DQVc	\O
}S?JZf
[=y:yG
ga|5~f
pO|hDG
PEwLj/2j0
/&B'-8T
6W?~1Ev
}	eqGw
w";}6W
N[\?$>r
[{rMz~
mq*)uXG
FoUPr$
gk.?fca7
Nh7&VuoM
-f~)@w]
w~kcT@
bB8H"t
xG]`Sjr
j&W	n;
FT$61E"M
cxP\W 
>Gd1!/1
inx[LB
X$.yr!
9W_?F~
<T&BclR|pa\pR
X]neuIcf
zH9:M~
+5wH-Q
.`h_iJR
1sb_AF
\,?{+$
&xND-}Mx
6?-=}Kq
j-8]vj
$81_D	gMe
UJC~GX> q
h^ZZ8kDx5w
X8RfZ:
W($7b@"
$0qu11
EpqG644WQs
_;W	>&n
wfD[J),
E%c=k	
nS!HI5
&&A2am!
]{/k[u
H8C=`C
0/I"IP|
DR,#iG
pQ4*d`]aY
*,]*74
IAAqAa
DAlA)0
^"[,l_
Q.`c:*
(q-c1]
PHyX3Wo
DO[/8S
0#L `B
6MZN%S
AZO<Kq*l*
)I>?fDzRi
TMXCYV
o`Of|q
kl_}	?O
nt_c>8ubN
(xY0x:
xtwQi~
cdu]45
q1iaGZ
S]C.w+
<GxpS)wN
-s/p5p
]Zn|1xp
8b:n^>*
U+Ra[D
6%&|9Z
R-XG"A
J	U^dJ
c+*y\QZ
&[-gwSs
l]$vz6s{,
?[j,S>}
%<PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
0!1B1L1
3!3B3V3`3w3
4?4E4b4u4
7)727F7Z7m7
748S8r8
8	9&949;9D9M9
;0;B;h;v;
<'<\<h<q<
=&=b=r=
>:>H>[>i>|>
>0???M?X?h?
6'676M6S6a6l6v6
7.797@7I7N7p7u7~7
;$;d;j;
2$2*202b2t2y2
4$4+444D4N4V4
5D5b5i5o5
6;6D6r6y6
7Y7u7z7
8 9(999?9H9P9X9]9
9"</<|</>
3"4,41484=4
8 9D9K9u9{9
: :c:w:
;1;8;j;p;
<;<\<a<g<
1&131[1z1
2]3u3|3
4)4=4R4p4
5!5*535^5c5h5s5z5
6#6N6Y6o6w6
7F7O7l7s7
8F8M8U8^8t8
<'<2<Q<k<s<
=#=)=G=M=}=
> >->>>C>J>T>Y>_>e>s>
?=?J?W?c?u?
0+080P0g0p0
1*161=1\1d1j1s1z1
2$262V2y2
2%3-333<3I3
455B5O5b5h5o5
9+959e9|9
:%:G:M:S:[:h:n:
;.;?;F;N;T;e;|;
<-<]<p<
=>=G=N=u={=
= >7>U>\>r>
>%?w?~?
/0@0j0{0
5 5+5D5Q5Z5a5f5
556>6V6v6
7#8.8<8A8U8
9"9c9s9
;;;V;];z;r<z<
<!=-=T=d=x=
?-?:?J?R?[?
273W3k3}3
=%>/?|?
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:
0!0-0<0T0[0g0v0
1'1?1F1R1a1
`=d=h=l=p=t=x=|=
;4<8<<<@<D<H<L<
0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority0
070822223102Z
120825070000Z0y1
Washington1
Redmond1
Microsoft Corporation1#0!
Microsoft Code Signing PCA0
Il/$>e
r0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority
Washington1
Redmond1
Microsoft Corporation1#0!
Microsoft Code Signing PCA0
091207224029Z
110307224029Z0
Washington1
Redmond1
Microsoft Corporation1
Microsoft Corporation0
3http://crl.microsoft.com/pki/crl/products/CSPCA.crl0H
,http://www.microsoft.com/pki/certs/CSPCA.crt0
0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority0
060916010447Z
190915070000Z0y1
Washington1
Redmond1
Microsoft Corporation1#0!
Microsoft Timestamping PCA0
ipfx'f
N+"\hE
r0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority
Washington1
Redmond1
Microsoft Corporation1#0!
Microsoft Timestamping PCA0
080725190115Z
130725191115Z0
Washington1
Redmond1
Microsoft Corporation1
MOPR1'0%
nCipher DSE ESN:85D3-305C-5BCF1%0#
Microsoft Time-Stamp Service0
3http://crl.microsoft.com/pki/crl/products/tspca.crl0H
,http://www.microsoft.com/pki/certs/tspca.crt0
z?*[FS	<
Washington1
Redmond1
Microsoft Corporation1#0!
Microsoft Code Signing PCA
*http://technet.microsoft.com/sysinternals 0
<z:\-:
Washington1
Redmond1
Microsoft Corporation1#0!
Microsoft Timestamping PCA
100427180659Z0#
&%o>!c
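Three separate DOS stubs ("!This program cannot be run in DOS mode.") and three section tables appear in the strings above, one of them with a .pdata section, which x86 PE32 images do not carry; together with the FindResourceW/LoadResource/LockResource/SizeofResource/WriteFile/CreateProcessW imports this is the layout of a dropper carrying further PE files inside it. The scanner below is an added example (not the sample's code and not any named tool's) for carving such embedded images: it walks every MZ header whose e_lfanew lands on a valid PE signature, reports machine type, DLL flag and section names, and measures the overlay behind the outermost image's last section (the data YRP/HasOverlay refers to). Because the sample itself is not on this page, the DEMO buffer is constructed in the block from header-only fake images.

```python
"""Carve embedded PE images out of a byte buffer.  Added example, not the
sample's code or any named tool's; the DEMO buffer is constructed here
from header-only fake images because the sample itself is not on this page."""
import struct

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe_at(buf, off):
    """Describe the PE image whose DOS header starts at buf[off], or return
    None when the bytes there do not form a coherent MZ/PE header pair."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    if not 1 <= nsec <= 96:
        return None
    first_hdr = pe + 24 + opt_size
    sections, end = [], first_hdr + 40 * nsec
    for i in range(nsec):
        s = first_hdr + 40 * i
        if s + 40 > len(buf):
            return None
        name = buf[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", buf, s + 16)
        sections.append(name)
        end = max(end, off + raw_ptr + raw_size)   # end of this section's raw data
    return {"offset": off, "machine": MACHINE_NAMES.get(machine, hex(machine)),
            "is_dll": bool(chars & IMAGE_FILE_DLL), "sections": sections,
            "end": min(end, len(buf))}


def find_pe_images(buf):
    """Every MZ header in buf whose e_lfanew lands on a valid PE signature."""
    found, pos = [], buf.find(b"MZ")
    while pos != -1:
        img = parse_pe_at(buf, pos)
        if img:
            found.append(img)
        pos = buf.find(b"MZ", pos + 1)
    return found


def overlay_size(buf):
    """Bytes after the outermost image's last section: what YRP/HasOverlay
    flags, and where droppers often stash payloads that are not resources."""
    outer = parse_pe_at(buf, 0)
    return len(buf) - outer["end"] if outer else None


def make_minimal_pe(machine, section_names, is_dll=False, body=b"\xcc" * 16):
    """Constructed test input: valid headers, one tiny raw body per section,
    no real code.  PE32 optional header is 224 bytes, PE32+ is 240."""
    e_lfanew, nsec = 0x80, len(section_names)
    opt = b"\x0b\x01" + b"\0" * 222 if machine == 0x014C else b"\x0b\x02" + b"\0" * 238
    raw_ptr = e_lfanew + 24 + len(opt) + 40 * nsec
    sec_hdrs = b""
    for name in section_names:
        sec_hdrs += struct.pack(SECTION_HDR, name.encode(), len(body), 0,
                                len(body), raw_ptr, 0, 0, 0, 0, 0)
        raw_ptr += len(body)
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    chars = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", machine, nsec, 0, 0, 0, len(opt), chars)
    return dos + file_hdr + opt + sec_hdrs + body * nsec


# Constructed: a 32-bit DLL "outer" image with a 64-bit EXE behind its last
# section, mirroring the DOS-stub/section-table layout visible in the strings.
DEMO = (make_minimal_pe(0x014C, [".text", ".rdata", ".data", ".reloc"], is_dll=True)
        + b"\0" * 32
        + make_minimal_pe(0x8664, [".text", ".rdata", ".data", ".pdata", ".rsrc"])
        + b"OVERLAY-DATA")

if __name__ == "__main__":
    for img in find_pe_images(DEMO):
        print(f"{img['offset']:#08x} {img['machine']:5s} dll={img['is_dll']} "
              f"sections={img['sections']}")
    print("overlay bytes behind outermost image:", overlay_size(DEMO))
```

Against a real dropper, read the file into buf and run find_pe_images(buf); each hit past offset 0 can be sliced out as buf[img["offset"]:img["end"]] and hashed on its own, which is how the inner images get their own hash entries rather than being hidden behind the outer file's SHA256.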