Malware Analysis Report

2024-09-23 07:03

Sample ID: 230712-evbfasch3x
Target: 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.zip
SHA256: 0661acbceb4a5546dea66bfb65c77836e434db7bf4c22e9ac99df8f25cda5fb6
Tags: wiper, hermeticwiper
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 0661acbceb4a5546dea66bfb65c77836e434db7bf4c22e9ac99df8f25cda5fb6

Threat Level: Known bad

The file 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.zip was found to be: Known bad.

Malicious Activity Summary

Tags: wiper, hermeticwiper

Detect HermeticWiper

Hermeticwiper family

Drops file in Drivers directory

Enumerates physical storage devices

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-07-12 04:15

Signatures

Detect HermeticWiper

Tag: wiper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hermeticwiper family

Tag: hermeticwiper

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-12 04:15

Reported

2023-07-12 04:25

Platform

win7-20230703-en

Max time kernel

582s

Max time network

401s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\Drivers\jldr | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A
File opened for modification | C:\Windows\system32\Drivers\jldr | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A
File created | C:\Windows\system32\Drivers\jldr.sys | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Opens file in notepad (likely ransom note)

Tag: ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\Notepad.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe

"C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\WaitDeny.mpp

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\SearchBackup.vbe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\SearchBackup.vbe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-12 04:15

Reported

2023-07-12 04:25

Platform

win10v2004-20230703-en

Max time kernel

495s

Max time network

504s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\Drivers\zddr | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A
File opened for modification | C:\Windows\system32\Drivers\zddr | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A
File created | C:\Windows\system32\Drivers\zddr.sys | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe

"C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.3.248.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | assets.msn.com | udp
GB | 95.101.143.155:443 | assets.msn.com | tcp
US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 155.143.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp
US | 8.8.8.8:53 | assets.msn.com | udp
GB | 95.101.143.155:443 | assets.msn.com | tcp

Files

N/A