hermeticwiper | 9e3f2ba8ae13ff79afca0409f01722ee267656cffec025b072c5e68aa728e039 | Triage

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-08-2022 20:23

Sharing

Report Analysis Logs

General

Target

933ba58d475ac553de2d58afbba9e272.exe
Size

114KB
MD5

933ba58d475ac553de2d58afbba9e272
SHA1

41deeed3204bd68b6a8d4deea8729b93338dedf9
SHA256

9e3f2ba8ae13ff79afca0409f01722ee267656cffec025b072c5e68aa728e039
SHA512

b0255df183c39340b3b91f69bd15d678e6d8ecad5e36fb0b032ae2dc18e2f35e2a4716720abd521e1ee2ca1b77c5fda8da146843ad79806ce65ad2dde0b33948
SSDEEP

1536:iruRPmNmWDurilmw9BgjKu1sPPxaS4jqY:iruRPmtDxlPwV16PkS4jqY

Score

10^/10

hermeticwiper wiper

Malware Config

Signatures

Detect HermeticWiper 1 IoCs

Detect HermeticWiper Payload.

Processes:

resource	yara_rule
behavioral1/memory/1816-56-0x0000000000AC0000-0x0000000000ADF000-memory.dmp	family_hermeticwiper

HermeticWiper
HermeticWiper is a partition-corrupting malware used in cyberattacks against Ukrainian organizations.
wiper hermeticwiper
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

548 1816 WerFault.exe 933ba58d475ac553de2d58afbba9e272.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

933ba58d475ac553de2d58afbba9e272.exe

description	pid	process	target process
PID 1816 wrote to memory of 548	1816	933ba58d475ac553de2d58afbba9e272.exe	WerFault.exe
PID 1816 wrote to memory of 548	1816	933ba58d475ac553de2d58afbba9e272.exe	WerFault.exe
PID 1816 wrote to memory of 548	1816	933ba58d475ac553de2d58afbba9e272.exe	WerFault.exe
PID 1816 wrote to memory of 548	1816	933ba58d475ac553de2d58afbba9e272.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\933ba58d475ac553de2d58afbba9e272.exe
"C:\Users\Admin\AppData\Local\Temp\933ba58d475ac553de2d58afbba9e272.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 116
  2⤵
  - Program crash
  PID:548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/548-55-0x0000000000000000-mapping.dmp

Download
memory/1816-54-0x00000000751B1000-0x00000000751B3000-memory.dmp

Filesize
8KB

Download
memory/1816-56-0x0000000000AC0000-0x0000000000ADF000-memory.dmp

Filesize
124KB

Download