I'm hoping I'm not the only one confused by this... We still have systems reporting on QID 1037, Petya Ransomware Detected (Pre-Reboot), and it's the pre-reboot part that has me confused.
My understanding is that once a system is infected with Petya, it is destined for a forced reboot as follows:
"/c at 00:49 C:\Windows\system32\shutdown.exe /r /f"
I'm not sure if in PowerShell that means the reboot happens in 49 minutes or at 12:49 AM but, no matter what, doesn't that mean that Petya can only be alive on a host for a very short amount of time before the reboot happens?
And if this is the case, how can an infected host show QID 1037 with a LastScanDate of July 13, 2017 but a FirstFound date of May 18, 2017? Assuming the system was first infected on or before May 18, 2017, wouldn't it have been rebooted and game over almost immediately?
Thanks to all!
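An added example, not part of the original post and not a Qualys-provided script: the time argument to at.exe is a 24-hour clock time of day, so the quoted "at 00:49" schedules the job for the next time the local clock reads 00:49 rather than 49 minutes from now. The script below parses that kind of command line into a concrete run time and then enumerates the host's scheduled tasks for any action that runs shutdown.exe with /r /f, which is the artifact a responder would look for before trusting or dismissing the pre-reboot finding. It assumes a Windows host with the ScheduledTasks module (Windows 8 / Server 2012 or later); the function names are my own.

```powershell
# Added example (not from the original post). Assumes the ScheduledTasks module.

# Given a command line such as "/c at 00:49 C:\Windows\system32\shutdown.exe /r /f",
# return the next wall-clock time at.exe would fire it. at.exe takes HH:MM on a
# 24-hour clock, so 00:49 is nine minutes before 1 AM, not a 49-minute delay.
function Get-NextAtRunTime {
    param(
        [Parameter(Mandatory)][string]$AtCommandLine,
        [datetime]$Now = (Get-Date)
    )
    if ($AtCommandLine -notmatch '\bat\s+(\d{1,2}):(\d{2})\b') {
        throw "No at-style HH:MM time found in: $AtCommandLine"
    }
    $t = $Now.Date.AddHours([int]$Matches[1]).AddMinutes([int]$Matches[2])
    # If that clock time has already passed today, at.exe schedules it for tomorrow.
    if ($t -le $Now) { $t = $t.AddDays(1) }
    return $t
}

# Enumerate every registered task and report the ones whose action is a forced
# restart via shutdown.exe, which is what the quoted command line queues up.
# Jobs created with at.exe also appear here (they are registered as tasks named At1, At2, ...),
# and at.exe itself is deprecated on current Windows, so this is the one place to check.
function Find-ScheduledShutdownTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            if ($cmd -match '(?i)shutdown(\.exe)?\b' -and $cmd -match '(?i)(^|\s)/r\b' -and $cmd -match '(?i)(^|\s)/f\b') {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    TaskName    = $task.TaskName
                    TaskPath    = $task.TaskPath
                    State       = $task.State
                    Author      = $task.Author
                    CommandLine = $cmd
                    NextRunTime = $info.NextRunTime
                    LastRunTime = $info.LastRunTime
                }
            }
        }
    }
}

# Usage: resolve the quoted command line's run time relative to a fixed "now"
# (constructed sample input), then sweep the local host for a queued forced restart.
Get-NextAtRunTime -AtCommandLine '/c at 00:49 C:\Windows\system32\shutdown.exe /r /f' -Now (Get-Date '2017-07-13 00:10')
# Resolves to 2017-07-13 00:49 local time; with -Now set to 2017-07-13 01:00 it would roll to 2017-07-14 00:49.

Find-ScheduledShutdownTask | Format-Table -AutoSize
```

If Find-ScheduledShutdownTask returns nothing on a host that still carries the finding, the scheduled-restart artifact is no longer present and the detection is resting on something else; if it returns a task with a NextRunTime in the past and a LastRunTime that never fired, the job was queued but the reboot did not happen, which is one way a host can sit in the "pre-reboot" state for longer than the scheduled time suggests.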