Malware Analysis Report

2024-09-23 07:05

Sample ID: 220701-csfwwsgabp
Target: 84eda1c70305436d1f9567e274b95f6f3a22e0c9dfbb1b70b8a97febf9bb5d18
SHA256: 84eda1c70305436d1f9567e274b95f6f3a22e0c9dfbb1b70b8a97febf9bb5d18
Tags: worm wiper hermeticwiper
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 84eda1c70305436d1f9567e274b95f6f3a22e0c9dfbb1b70b8a97febf9bb5d18

Threat Level: Known bad

The file 84eda1c70305436d1f9567e274b95f6f3a22e0c9dfbb1b70b8a97febf9bb5d18 was found to be: Known bad.

Malicious Activity Summary

worm wiper hermeticwiper

Detect HermeticWiper

Detect HermeticWizard

Hermeticwiper family

Drops file in Drivers directory

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2022-07-01 02:20

Signatures

Detect HermeticWiper (wiper)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detect HermeticWizard (worm)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hermeticwiper family (hermeticwiper)

Analysis: behavioral8

Detonation Overview

Submitted: 2022-07-01 02:20
Reported: 2022-07-01 02:40
Platform: win10v2004-20220414-en
Max time kernel: 153s
Max time network: 158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderB.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1496 wrote to memory of 868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1496 wrote to memory of 868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1496 wrote to memory of 868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderB.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderB.dll,#1

Network

Country | Destination | Domain | Proto
NL | 87.248.202.1:80 | | tcp
NL | 178.79.208.1:80 | | tcp
US | 20.42.73.26:443 | | tcp
IE | 20.54.110.249:443 | | tcp
NL | 87.248.202.1:80 | | tcp
NL | 87.248.202.1:80 | | tcp
NL | 104.80.229.133:80 | | tcp
NL | 104.80.229.133:80 | | tcp
NL | 104.80.229.133:80 | | tcp
US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp

Files

memory/868-130-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2022-07-01 02:20
Reported: 2022-07-01 02:40
Platform: win7-20220414-en
Max time kernel: 45s
Max time network: 49s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\files\Manager.dll

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1668 wrote to memory of 1944 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1668 wrote to memory of 1944 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1668 wrote to memory of 1944 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1668 wrote to memory of 1944 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1668 wrote to memory of 1944 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1668 wrote to memory of 1944 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1668 wrote to memory of 1944 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\files\Manager.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\files\Manager.dll

Network

N/A

Files

memory/1668-54-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

memory/1944-55-0x0000000000000000-mapping.dmp

memory/1944-56-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-07-01 02:20
Reported: 2022-07-01 02:40
Platform: win10v2004-20220414-en
Max time kernel: 91s
Max time network: 156s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\files\Manager.dll

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2136 wrote to memory of 4116 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2136 wrote to memory of 4116 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2136 wrote to memory of 4116 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\files\Manager.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\files\Manager.dll

Network

Country | Destination | Domain | Proto
AU | 104.46.162.224:443 | | tcp
NL | 178.79.208.1:80 | | tcp
NL | 178.79.208.1:80 | | tcp
NL | 178.79.208.1:80 | | tcp

Files

memory/4116-130-0x0000000000000000-mapping.dmp

Analysis: behavioral5

Detonation Overview

Submitted: 2022-07-01 02:20
Reported: 2022-07-01 02:40
Platform: win7-20220414-en
Max time kernel: 30s
Max time network: 44s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderA.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderA.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderA.dll,#1

Network

N/A

Files

memory/1744-54-0x0000000000000000-mapping.dmp

memory/1744-55-0x0000000076451000-0x0000000076453000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted: 2022-07-01 02:20
Reported: 2022-07-01 02:40
Platform: win10v2004-20220414-en
Max time kernel: 158s
Max time network: 162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderA.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4772 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4772 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4772 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderA.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderA.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp

Files

memory/2068-130-0x0000000000000000-mapping.dmp

Analysis: behavioral7

Detonation Overview

Submitted: 2022-07-01 02:20
Reported: 2022-07-01 02:40
Platform: win7-20220414-en
Max time kernel: 43s
Max time network: 47s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderB.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderB.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\spreaderB.dll,#1

Network

N/A

Files

memory/852-54-0x0000000000000000-mapping.dmp

memory/852-55-0x0000000075941000-0x0000000075943000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2022-07-01 02:20
Reported: 2022-07-01 02:40
Platform: win7-20220414-en
Max time kernel: 32s
Max time network: 46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\Drivers\zddr | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A
File opened for modification | C:\Windows\system32\Drivers\zddr | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A
File created | C:\Windows\system32\Drivers\zddr.sys | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe

"C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe"

Network

N/A

Files

memory/1692-54-0x00000000763E1000-0x00000000763E3000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2022-07-01 02:20
Reported: 2022-07-01 02:40
Platform: win10v2004-20220414-en
Max time kernel: 144s
Max time network: 159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\Drivers\pvdr | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A
File opened for modification | C:\Windows\system32\Drivers\pvdr | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A
File created | C:\Windows\system32\Drivers\pvdr.sys | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe

"C:\Users\Admin\AppData\Local\Temp\files\Wiper.exe"

Network

Country | Destination | Domain | Proto
US | 20.189.173.11:443 | | tcp
BE | 8.238.110.126:80 | | tcp
NL | 104.110.191.140:80 | | tcp
US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp

Files

N/A