Analysis Overview
SHA256
84eda1c70305436d1f9567e274b95f6f3a22e0c9dfbb1b70b8a97febf9bb5d18
Threat Level: Known bad
The file 84eda1c70305436d1f9567e274b95f6f3a22e0c9dfbb1b70b8a97febf9bb5d18 was found to be: Known bad.
Malicious Activity Summary
Detect HermeticWiper
Detect HermeticWizard
Hermeticwiper family
Drops file in Drivers directory
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2022-07-01 02:20
Signatures
Detect HermeticWiper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect HermeticWizard
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Hermeticwiper family
Analysis: behavioral8
Detonation Overview
Submitted
2022-07-01 02:20
Reported
2022-07-01 02:40
Platform
win10v2004-20220414-en
Max time kernel
153s
Max time network
158s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1496 wrote to memory of 868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1496 wrote to memory of 868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1496 wrote to memory of 868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderB.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderB.dll,#1
Network
| Country | Destination | Domain | Proto |
| NL | 87.248.202.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| US | 20.42.73.26:443 | | tcp |
| IE | 20.54.110.249:443 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| NL | 104.80.229.133:80 | | tcp |
| NL | 104.80.229.133:80 | | tcp |
| NL | 104.80.229.133:80 | | tcp |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
Files
memory/868-130-0x0000000000000000-mapping.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-01 02:20
Reported
2022-07-01 02:40
Platform
win7-20220414-en
Max time kernel
45s
Max time network
49s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1668 wrote to memory of 1944 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1668 wrote to memory of 1944 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1668 wrote to memory of 1944 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1668 wrote to memory of 1944 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1668 wrote to memory of 1944 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1668 wrote to memory of 1944 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1668 wrote to memory of 1944 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\files\Manager.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\files\Manager.dll
Network
Files
memory/1668-54-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp
memory/1944-55-0x0000000000000000-mapping.dmp
memory/1944-56-0x0000000075BA1000-0x0000000075BA3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-01 02:20
Reported
2022-07-01 02:40
Platform
win10v2004-20220414-en
Max time kernel
91s
Max time network
156s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2136 wrote to memory of 4116 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2136 wrote to memory of 4116 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2136 wrote to memory of 4116 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\files\Manager.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\files\Manager.dll
Network
| Country | Destination | Domain | Proto |
| AU | 104.46.162.224:443 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
Files
memory/4116-130-0x0000000000000000-mapping.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2022-07-01 02:20
Reported
2022-07-01 02:40
Platform
win7-20220414-en
Max time kernel
30s
Max time network
44s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 876 wrote to memory of 1744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 876 wrote to memory of 1744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 876 wrote to memory of 1744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 876 wrote to memory of 1744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 876 wrote to memory of 1744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 876 wrote to memory of 1744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 876 wrote to memory of 1744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderA.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderA.dll,#1
Network
Files
memory/1744-54-0x0000000000000000-mapping.dmp
memory/1744-55-0x0000000076451000-0x0000000076453000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2022-07-01 02:20
Reported
2022-07-01 02:40
Platform
win10v2004-20220414-en
Max time kernel
158s
Max time network
162s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4772 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4772 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4772 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderA.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderA.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
Files
memory/2068-130-0x0000000000000000-mapping.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2022-07-01 02:20
Reported
2022-07-01 02:40
Platform
win7-20220414-en
Max time kernel
43s
Max time network
47s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 756 wrote to memory of 852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 756 wrote to memory of 852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 756 wrote to memory of 852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 756 wrote to memory of 852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 756 wrote to memory of 852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 756 wrote to memory of 852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 756 wrote to memory of 852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderB.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderB.dll,#1
Network
Files
memory/852-54-0x0000000000000000-mapping.dmp
memory/852-55-0x0000000075941000-0x0000000075943000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2022-07-01 02:20
Reported
2022-07-01 02:40
Platform
win7-20220414-en
Max time kernel
32s
Max time network
46s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\Drivers\zddr | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A |
| File opened for modification | C:\Windows\system32\Drivers\zddr | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A |
| File created | C:\Windows\system32\Drivers\zddr.sys | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe
"C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe"
Network
Files
memory/1692-54-0x00000000763E1000-0x00000000763E3000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2022-07-01 02:20
Reported
2022-07-01 02:40
Platform
win10v2004-20220414-en
Max time kernel
144s
Max time network
159s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\Drivers\pvdr | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A |
| File opened for modification | C:\Windows\system32\Drivers\pvdr | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A |
| File created | C:\Windows\system32\Drivers\pvdr.sys | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe
"C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe"
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.11:443 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |