Topic: New ransomware, old techniques: Petya adds worm capabilities
Author: admin (Administrator, 1396 posts)
Posted June 29, 2017, 12:52
Quote:

On June 27, 2017 reports of a <a href="https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx" target="_blank">ransomware</a> infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.

The new ransomware has worm capabilities, which allow it to move laterally across infected networks. Based on our investigation, this new ransomware shares similar code with, and is a new variant of, <a href="https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Petya" target="_blank">Ransom:Win32/Petya</a>. This new strain of ransomware, however, is more sophisticated.

To protect our customers, we released cloud-delivered protection updates and made updates to our signature definition packages shortly after. These updates were automatically delivered to all Microsoft free antimalware products, including <a href="https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10" target="_blank">Windows Defender Antivirus</a> and Microsoft Security Essentials. You can download the latest version of these files manually at the <a href="https://www.microsoft.com/security/portal/definitions/adl.aspx" target="_blank">Malware Protection Center</a>.

<a href="https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp" target="_blank">Windows Defender Advanced Threat Protection</a> (Windows Defender ATP) automatically detects behaviors used by this new ransomware variant without any updates.
<h2>Delivery and installation</h2>
Initial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops the tax accounting software MEDoc. Although this vector was speculated about at length by news media and security researchers, including Ukraine's own Cyber Police, there was only circumstantial evidence for it. Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. As we highlighted previously, <a href="https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/" target="_blank">software supply chain attacks</a> are a recent and dangerous trend among attackers, and they require advanced defenses.

We observed telemetry showing the MEDoc software updater process (<em>EzVit.exe</em>) executing a malicious command line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. GMT.

The execution chain leading to the ransomware installation is represented in the diagram below and essentially confirms that the <em>EzVit.exe</em> process from MEDoc, for unknown reasons, at some point executed the following command line:

<em>"C:\Windows\system32\rundll32.exe" "C:\ProgramData\perfc.dat",#1 30</em>

<img src="https://msdnshared.blob.core.windows.net/media/2017/06/129.png" alt="" width="1846" height="1048" />

The same update vector was also mentioned by the Ukraine Cyber Police in a public list of indicators of compromise (IOCs), which includes the MEDoc updater.
<h2>A single ransomware, multiple lateral movement techniques</h2>
Given this new ransomware's added lateral movement capabilities, it only takes a single infected machine to affect an entire network. The spreading functionality is composed of multiple methods responsible for:
<ul>
<li>stealing credentials or re-using existing active sessions</li>
<li>using file-shares to transfer the malicious file across machines on the same network</li>
<li>using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines</li>
</ul>
In the next sections, we discuss the details of each technique.
<h2>Lateral movement using credential theft and impersonation</h2>
This ransomware drops a credential dumping tool (typically as a .tmp file in the <em>%Temp%</em> folder) that shares code similarities with <a href="https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=HackTool:Win32/Mimikatz" target="_blank">Mimikatz</a> and comes in 32-bit and 64-bit variants. Because users frequently log in using accounts with local admin privileges and have active sessions open across multiple machines, stolen credentials are likely to provide the same level of access the user has on other machines.

Once the ransomware has valid credentials, it scans the local network to establish valid connections on ports <em>tcp/139</em> and <em>tcp/445</em>. A special behavior is reserved for domain controllers and servers: the ransomware calls <em>DhcpEnumSubnets()</em> to enumerate DHCP subnets; for each subnet, it gathers all hosts/clients (using <em>DhcpEnumSubnetClients()</em>) and scans them for <em>tcp/139</em> and <em>tcp/445</em> services. If it gets a response, the malware attempts to copy a binary to the remote machine using regular file-transfer functionality with the stolen credentials.

It then tries to execute the malware remotely using either the PsExec or WMIC tools.

The ransomware drops the legitimate <em>psexec.exe</em> (typically renamed to <em>dllhost.dat</em>) from an embedded resource within the malware. It then scans the local network for <em>admin$</em> shares, copies itself across the network, and executes the newly copied malware binary remotely using PsExec.

In addition to credential dumping, the malware also tries to steal credentials by using the <em>CredEnumerateW</em> function to retrieve all other user credentials potentially stored in the credential store. If a credential name starts with <em>“TERMSRV/”</em> and the type is 1 (generic), it uses that credential to propagate through the network.

<img src="https://msdnshared.blob.core.windows.net/media/2017/06/petya-access-admin.png" alt="" width="702" height="580" />

<em>Ransomware code responsible for accessing \Admin$ shares on different machines</em>

This ransomware also uses the Windows Management Instrumentation Command-line (WMIC) to find remote shares (using <em>NetEnum/NetAdd</em>) to spread to. It uses either a duplicated token of the current user (for existing connections) or a username/password combination (spreading through legitimate tools).

<img src="https://msdnshared.blob.core.windows.net/media/2017/06/petya-wmic.png" alt="" width="895" height="233" />

<em>Screenshot showing launch of malware on a remote machine using WMIC</em>
<h2>Lateral movement using EternalBlue and EternalRomance</h2>
The new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144" target="_blank">CVE-2017-0144</a> (also known as EternalBlue), which was fixed in <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx" target="_blank">security update MS17-010</a> and was also exploited by <a href="https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/" target="_blank">WannaCrypt</a> to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145" target="_blank">CVE-2017-0145</a> (also known as EternalRomance, and fixed by the same bulletin).

We’ve seen this ransomware attempt to use these exploits by generating SMBv1 packets (all obfuscated by XOR with <em>0xCC</em>) to trigger these vulnerabilities at the following address in the malware code:

<img src="https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-packet.png" alt="" width="679" height="274" />

<img src="https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-packet-2.png" alt="" width="790" height="319" />

These two exploits were leaked by a group called <a href="https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/" target="_blank">Shadow Brokers</a>. However, it is important to note that both of these vulnerabilities have been fixed by Microsoft in <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx" target="_blank">security update MS17-010</a> on March 14, 2017.

Machines that are patched against these exploits (with <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx" target="_blank">security update MS17-010</a>) or <a href="https://support.microsoft.com/kb/2696547" target="_blank">have disabled SMBv1</a> are not affected by this particular spreading mechanism. Please refer to our previous <a href="https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/" target="_blank">blog</a> for details on these exploits and how modern Windows 10 mitigations can help to contain similar threats.
<h2>Encryption</h2>
This ransomware’s encryption behavior depends on the privilege level of the malware process and on the processes found running on the machine. It applies a simple XOR-based hash to each process name and checks the result against the following hash values, which act as behavior exclusions:

<img src="https://msdnshared.blob.core.windows.net/media/2017/06/petya-encryption-1.png" alt="" width="716" height="651" />
<ul>
<li><em>0x6403527E </em>or <em>0x651B3005</em> – if a process whose name hashes to one of these values is found running on the machine, the ransomware does not infect the MBR</li>
</ul>
<img src="https://msdnshared.blob.core.windows.net/media/2017/06/petya-encryption-2.png" alt="" width="674" height="324" />
<ul>
<li><em>0x2E214B44  </em>– if a process whose name hashes to this value is found, the ransomware does not carry out any of its network-related actions (such as attempting to exploit the SMBv1 vulnerabilities)</li>
</ul>
<img src="https://msdnshared.blob.core.windows.net/media/2017/06/petya-encryption-3.png" alt="" width="464" height="54" />

This ransomware then writes to the master boot record (MBR) and sets up the system to reboot. It creates a scheduled task that shuts down the machine at least 10 minutes after the current time; the exact delay is randomized using <em>GetTickCount()</em>. For example:

<em>schtasks /Create /SC once /TN "" /TR "<system folder>shutdown.exe /r /f" /ST 14:23</em>

After successfully modifying the MBR, it displays the following fake system message, which notes a supposed error in the drive and shows the fake integrity checking:

<img src="https://msdnshared.blob.core.windows.net/media/2017/06/petya-fake-message.png" alt="" width="640" height="400" />

It then displays this ransom note:

<img src="https://msdnshared.blob.core.windows.net/media/2017/06/petya-ransom-note.png" alt="" width="640" height="400" />

It attempts to overwrite the MBR code only if it is running with the highest privilege (i.e., with <em>SeDebugPrivilege</em> enabled).

This ransomware attempts to encrypt all files with the following file name extensions in all folders on all fixed drives, except for <em>C:\Windows</em>:
<table>
<tbody>
<tr>
<td width="156">.3ds</td>
<td width="156">.7z</td>
<td width="156">.accdb</td>
<td width="156">.ai</td>
</tr>
<tr>
<td width="156">.asp</td>
<td width="156">.aspx</td>
<td width="156">.avhd</td>
<td width="156">.back</td>
</tr>
<tr>
<td width="156">.bak</td>
<td width="156">.c</td>
<td width="156">.cfg</td>
<td width="156">.conf</td>
</tr>
<tr>
<td width="156">.cpp</td>
<td width="156">.cs</td>
<td width="156">.ctl</td>
<td width="156">.dbf</td>
</tr>
<tr>
<td width="156">.disk</td>
<td width="156">.djvu</td>
<td width="156">.doc</td>
<td width="156">.docx</td>
</tr>
<tr>
<td width="156">.dwg</td>
<td width="156">.eml</td>
<td width="156">.fdb</td>
<td width="156">.gz</td>
</tr>
<tr>
<td width="156">.h</td>
<td width="156">.hdd</td>
<td width="156">.kdbx</td>
<td width="156">.mail</td>
</tr>
<tr>
<td width="156">.mdb</td>
<td width="156">.msg</td>
<td width="156">.nrg</td>
<td width="156">.ora</td>
</tr>
<tr>
<td width="156">.ost</td>
<td width="156">.ova</td>
<td width="156">.ovf</td>
<td width="156">.pdf</td>
</tr>
<tr>
<td width="156">.php</td>
<td width="156">.pmf</td>
<td width="156">.ppt</td>
<td width="156">.pptx</td>
</tr>
<tr>
<td width="156">.pst</td>
<td width="156">.pvi</td>
<td width="156">.py</td>
<td width="156">.pyc</td>
</tr>
<tr>
<td width="156">.rar</td>
<td width="156">.rtf</td>
<td width="156">.sln</td>
<td width="156">.sql</td>
</tr>
<tr>
<td width="156">.tar</td>
<td width="156">.vbox</td>
<td width="156">.vbs</td>
<td width="156">.vcb</td>
</tr>
<tr>
<td width="156">.vdi</td>
<td width="156">.vfd</td>
<td width="156">.vmc</td>
<td width="156">.vmdk</td>
</tr>
<tr>
<td width="156">.vmsd</td>
<td width="156">.vmx</td>
<td width="156">.vsdx</td>
<td width="156">.vsv</td>
</tr>
<tr>
<td width="156">.work</td>
<td width="156">.xls</td>
<td width="156">.xlsx</td>
<td width="156">.xvd</td>
</tr>
<tr>
<td width="156">.zip</td>
<td width="156"></td>
<td width="156"></td>
<td width="156"></td>
</tr>
</tbody>
</table>
It uses file mapping APIs instead of the usual <em>ReadFile()</em>/<em>WriteFile()</em> APIs:

<img src="https://msdnshared.blob.core.windows.net/media/2017/06/petya-file-mapping-API.png" alt="" width="925" height="276" />

Unlike most other ransomware, this threat does not append a new file name extension to encrypted files. Instead, it overwrites the files in place.

The AES key generated for encryption is unique per machine and per fixed drive; it is exported and encrypted with the attacker's embedded 2048-bit RSA public key.

<img src="https://msdnshared.blob.core.windows.net/media/2017/06/petya-rsa-public-encryption-key.png" alt="" width="598" height="382" />

<em>Embedded RSA public key</em>

<img src="https://msdnshared.blob.core.windows.net/media/2017/06/petya-aes-128-key.png" alt="" width="1115" height="521" />

<em>Code exporting the AES 128 bit key per machine, per fixed drive in the machine and encrypting it using embedded RSA public key during export</em>

The unique AES key used for file encryption is added, in encrypted form, to the <em>README.TXT</em> file the threat writes, under the section <em>“Your personal installation key:”</em>.

Beyond encrypting files, this ransomware also attempts to overwrite the MBR and the first sector of the VBR. If the malware runs with the <em>SeShutdownPrivilege</em>, <em>SeDebugPrivilege</em>, or <em>SeTcbPrivilege</em> privilege, it overwrites the MBR of the victim’s machine. It directly accesses drive 0 (<em>\\.\PhysicalDrive0</em>) as described in the following code snapshots:

MBR overwrite pseudo code:

<img src="https://msdnshared.blob.core.windows.net/media/2017/06/MBR.png" alt="" width="1003" height="425" />

Overwriting the first sector of VBR:

<img src="https://msdnshared.blob.core.windows.net/media/2017/06/VBR.png" alt="" width="1059" height="539" />

After completing its encryption routine, this ransomware drops a text file called <em>README.TXT</em> on each fixed drive. The file contains the following text:

<img src="https://msdnshared.blob.core.windows.net/media/2017/06/petya-readme.png" alt="" width="878" height="355" />

This ransomware also clears the System, Setup, Security, and Application event logs and deletes NTFS journal information.
<h2>Detection and investigation with Windows Defender Advanced Threat Protection</h2>
<a href="https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp" target="_blank">Windows Defender Advanced Threat Protection</a> (Windows Defender ATP) is a post-breach solution and offers by-design detections for this attack without the need for signature updates. Windows Defender ATP sensors constantly monitor and collect telemetry from endpoints and offer machine-learning detections for common lateral movement techniques and tools used by this ransomware, including, for example, the execution of <em>PsExec.exe</em> under a different file name and the creation of the <em>perfc.dat</em> file on remote (UNC) share paths.

Today, without the need for additional updates, an infected machine may look like this:

<img src="https://msdnshared.blob.core.windows.net/media/2017/06/petya-windows-defender-ATP1.png" alt="" width="1901" height="837" />

The second alert targets the distribution of the ransomware’s .dll file over the network. This event provides helpful information during investigation, as it includes the user context that was used to move the file remotely. This user has been compromised and could be the user associated with patient zero:

<img src="https://msdnshared.blob.core.windows.net/media/2017/06/petya-windows-defender-ATP2.png" alt="" width="1890" height="1024" />

With Windows Defender ATP, enterprise customers are well-equipped to quickly identify Petya outbreaks, investigate the scope of the attack, and respond early to malware delivery campaigns.
<h2>Protection against this new ransomware attack</h2>
Keeping your <a href="https://www.microsoft.com/en-us/windows/windows-10-upgrade" target="_blank">Windows 10</a> <a href="http://www.microsoft.com/security/portal/mmpc/help/updatesoftware.aspx" target="_blank">up-to-date</a> gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows. In Creators Update, we further <a href="https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/" target="_blank">hardened Windows 10 against ransomware attacks</a> by introducing new next-gen technologies and enhancing existing ones.

As another layer of protection, <a href="https://www.microsoft.com/en-us/windows/windows-10-s" target="_blank">Windows 10 S</a> only allows apps that come from the Windows Store to run. Windows 10 S users are further protected from this threat.

We recommend that customers who have not yet installed security update <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx" target="_blank">MS17-010</a> do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:
<ul>
<li>Disable SMBv1 with the steps documented at <a href="https://support.microsoft.com/kb/2696547" target="_blank">Microsoft Knowledge Base Article 2696547</a> and as <a href="https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/" target="_blank">recommended previously</a></li>
<li>Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445</li>
</ul>
As the threat targets ports 139 and 445, customers can block all traffic on those ports to prevent propagation into or out of machines on the network. You can also disable remote WMI and file sharing. These measures may have a large impact on the functionality of your network, but they may be advisable for a very short period while you assess the impact and <a href="https://www.microsoft.com/security/portal/definitions/adl.aspx" target="_blank">apply definition updates</a>.

Windows Defender Antivirus detects this threat as <a href="https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/entry.aspx?Name=Ransom:Win32/Petya" target="_blank">Ransom:Win32/Petya</a> as of the <a href="https://www.microsoft.com/security/portal/definitions/adl.aspx" target="_blank">1.247.197.0 update</a>. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.

For enterprises, use <a href="https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide">Device Guard</a> to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.

Monitor networks with <a href="http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp">Windows Defender Advanced Threat Protection</a>, which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: <a href="https://www.microsoft.com/en-us/download/details.aspx?id=55090">Windows Defender Advanced Threat Protection – Ransomware response playbook</a>.
<h2>Resources</h2>
Next-generation ransomware protection with Windows 10 Creators Update: <a href="https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/" target="_blank">https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/</a>

Download English language security updates: <a href="http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe">Windows Server 2003 SP2 x64</a>, <a href="http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe">Windows Server 2003 SP2 x86,</a> <a href="http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe">Windows XP SP2 x64</a>, <a href="http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe">Windows XP SP3 x86</a>, <a href="http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe">Windows XP Embedded SP3 x86</a>, <a href="http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu">Windows 8 x86,</a> <a href="http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu">Windows 8 x64</a>

Download localized language security updates: <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e">Windows Server 2003 SP2 x64</a>, <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9">Windows Server 2003 SP2 x86</a>, <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa">Windows XP SP2 x64</a>, <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f">Windows XP SP3 x86</a>, <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add">Windows XP Embedded SP3 x86</a>, <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340">Windows 8 x86</a>, <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0">Windows 8 x64</a>

MS17-010 Security Update: <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx" target="_blank">https://technet.microsoft.com/en-us/library/security/ms17-010.aspx</a>

General information on ransomware: <a href="https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx" target="_blank">https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx</a>
<h2>Indicators of Compromise</h2>
Network defenders may search for the following indicators:

File Indicators
<ul>
<li>34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d</li>
<li>9717cfdc2d023812dbc84a941674eb23a2a8ef06</li>
<li>38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf</li>
<li>56c03d8e43f50568741704aee482704a4f5005ad</li>
</ul>
Command Lines

In environments where command-line logging is available, the following command lines may be searched:
<ul>
<li>Scheduled Reboot Task:  Petya schedules a reboot for a random time between 10 and 60 minutes from the current time
<ul>
<li>schtasks /Create /SC once /TN "" /TR "<system folder>shutdown.exe /r /f" /ST <time></li>
<li>cmd.exe /c schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST <time></li>
</ul>
</li>
</ul>
This may be surfaced by searching for Event ID 106 (Task Registered) in the Microsoft-Windows-TaskScheduler/Operational log, where that log is enabled; it captures tasks registered with the Task Scheduler service.
<ul>
<li>Lateral Movement (Remote WMI)
<ul>
<li>process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"</li>
</ul>
</li>
</ul>
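The command-line indicators above (the rundll32 export call, the scheduled forced reboot, the WMIC remote process creation, and the PsExec copy renamed to dllhost.dat from the lateral movement section) can be turned into triage logic over process-creation telemetry. The following is an added example and not code from the original Microsoft post or from any Microsoft product. The event records are constructed to resemble Sysmon Event ID 1 or Security 4688 entries with command-line auditing enabled; the host names, user names, field names, and the PsExec-style command line for the renamed dllhost.dat are assumptions made for illustration.

```python
"""Triage of process-creation command lines for the Petya indicators above.

Added example, not part of the original post. The event records are
constructed to resemble Sysmon Event ID 1 / Security 4688 entries; the
host names, user names and field names are assumptions.
"""
import re

# Each pattern corresponds to a command line described on the page.
# Paths are matched loosely: the dropper was seen as C:\ProgramData\perfc.dat
# and C:\Windows\perfc.dat, and the WMIC variant escapes the inner quotes.
INDICATORS = {
    "rundll32_perfc_export1": re.compile(
        r"rundll32(?:\.exe)?.*?perfc\.dat[\\\"]*\s*,?\s*#1", re.I),
    "wmic_remote_process_create": re.compile(
        r"\bwmic(?:\.exe)?\b.*?process\s+call\s+create\b.*?perfc\.dat", re.I),
    "schtasks_forced_reboot": re.compile(
        r"\bschtasks\b.*?/Create\b.*?/SC\s+once\b.*?shutdown(?:\.exe)?\s+/r\s+/f", re.I),
    # Assumption: the renamed PsExec (dllhost.dat) is launched with PsExec's
    # own syntax (\\target ... -accepteula); the page names the file but does
    # not show its command line.
    "psexec_renamed_dllhost_dat": re.compile(
        r"\bdllhost\.dat\b.*?(?:\\\\\S+|-accepteula)", re.I),
}

# WMIC switches that reveal the remote target and the account used.
WMIC_NODE = re.compile(r"/node:\"?([^\s\"]+)", re.I)
WMIC_USER = re.compile(r"/user:\"?([^\s\"]+)", re.I)


def classify(cmd):
    """Return the names of every indicator the command line matches."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def triage(events):
    """Keep only events that match an indicator. WMIC hits are enriched
    with the remote node (next victim) and the account used (compromised
    user, possibly patient zero)."""
    hits = []
    for ev in events:
        tags = classify(ev["cmd"])
        if not tags:
            continue
        hit = dict(ev, tags=tags)
        if "wmic_remote_process_create" in tags:
            node = WMIC_NODE.search(ev["cmd"])
            user = WMIC_USER.search(ev["cmd"])
            hit["remote_node"] = node.group(1) if node else None
            hit["remote_user"] = user.group(1) if user else None
        hits.append(hit)
    return hits


SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"host": "WS-ACCT-01", "user": "CORP\\jdoe",
     "cmd": '"C:\\Windows\\system32\\rundll32.exe" "C:\\ProgramData\\perfc.dat",#1 30'},
    {"host": "WS-ACCT-01", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": 'cmd.exe /c schtasks /RU "SYSTEM" /Create /SC once /TN "" '
            '/TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 14:23'},
    {"host": "WS-ACCT-01", "user": "CORP\\jdoe",
     "cmd": 'wmic /node:"10.0.5.23" /user:"CORP\\jdoe" /password:REDACTED '
            'process call create "C:\\Windows\\System32\\rundll32.exe '
            '\\"C:\\Windows\\perfc.dat\\" #1"'},
    {"host": "WS-ACCT-01", "user": "CORP\\jdoe",
     "cmd": 'C:\\Windows\\dllhost.dat \\\\10.0.5.24 -accepteula -s -d '
            'C:\\Windows\\System32\\rundll32.exe C:\\Windows\\perfc.dat,#1 60'},
    # Benign lines that must not fire
    {"host": "WS-ACCT-02", "user": "CORP\\asmith",
     "cmd": 'schtasks /Query /TN "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"'},
    {"host": "SRV-FILE-01", "user": "CORP\\svc_backup",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["user"], hit["tags"], hit.get("remote_node"))
```

The WMIC enrichment is the part worth keeping in a real hunt: the account in `/user:` is the one whose credentials were dumped, and the `/node:` value is the machine to isolate next. Patterns are deliberately loose on paths, so review hits rather than auto-blocking on them.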
Network indicators

In environments where NetFlow data are available, this ransomware’s subnet-scanning behavior may be observed by looking for the following:
<ul>
<li>Workstations scanning ports tcp/139 and tcp/445 on their own local (/24) network scope</li>
<li>Servers (in particular, domain controllers) scanning ports tcp/139 and tcp/445 across multiple /24 scopes</li>
</ul>
(c) <a href="https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/">microsoft.com</a>

(c) Banknews