Just correlating all the useful information I can find with regards to the latest Petya Ransomware attack.
Behaviour
<Ignored Process>
rundll32.exe C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1" (PID: 2880)
cmd.exe " /TR "%WINDIR%\system32\shutdown.exe /r /f" /ST 07:45" (PID: 2724)
schtasks.exe " /TR "%WINDIR%\system32\shutdown.exe /r /f" /ST 07:45" (PID: 2720)
FE04.tmp %TEMP%\FE04.tmp" \\.\pipe\{E532AB34-D5C5-4AA8-9511-A05572AE75BC}" (PID: 1968)
dllhost.dat %WINDIR%\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1 10 "%OSUSER%-PC\%OSUSER%:123456"" (PID: 2512) 1/59 Seen in another context
cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: (PID: 2072)
wevtutil.exe wevtutil cl Setup (PID: 2204)
wevtutil.exe wevtutil cl System (PID: 2128)
wevtutil.exe wevtutil cl Security (PID: 4016)
wevtutil.exe wevtutil cl Application (PID: 3988)
fsutil.exe fsutil usn deletejournal /D C: (PID: 1368)
shutdown.exe %WINDIR%\system32\shutdown.exe" /r /f" (PID: 2796)
Petya ransomware successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network based threat (MS17-010)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
The fast-spreading Petrwrap/Petya ransomware sample we have was compiled on June 18, 2017 according to its PE timestamp. pic.twitter.com/CHUYvsiQ08
— Costin Raiu (@craiu) 27 June 2017
New Petrwrap/Petya ransomware has a fake Microsoft digital signature appended. Copied from Sysinternals Utils. pic.twitter.com/HFwA1cyoyN
— Costin Raiu (@craiu) 27 June 2017
https://www.symantec.com/connect/blogs/petya-ransomware-outbreak-here-s-what-you-need-know
Another good analysis from Kaspersky
How does the ransomware spread?
To capture credentials for spreading, the ransomware uses custom tools, a la Mimikatz. These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network.
Other observed infection vectors include:
- A modified EternalBlue exploit, also used by WannaCry.
- The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).
- An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.
IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.
Cloaking Itself in Legitimate Code
Petya uses memory injection as an evasive technique to bypass existing defenses. Attackers often use this method to hide in legitimate processes on the endpoint by injecting malicious code into the memory of non-malicious applications. Sometimes referred to as fileless malware, these threats avoid being detected by file-based detection tools, as the malicious code manipulates the memory stack to achieve malicious actions without actually placing the malicious program on the file system.
In the case of Petya, the executable creates another instance of itself and injects decrypted code into it.
https://minerva-labs.com/post/new-petya-ransomware-attack-prevented-by-minerva