Analysis Overview
SHA256
0661acbceb4a5546dea66bfb65c77836e434db7bf4c22e9ac99df8f25cda5fb6
Threat Level: Known bad
The file 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.zip was found to be: Known bad.
Malicious Activity Summary
Detect HermeticWiper
Hermeticwiper family
Drops file in Drivers directory
Enumerates physical storage devices
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-12 04:15
Signatures
Detect HermeticWiper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Hermeticwiper family
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-12 04:15
Reported
2023-07-12 04:25
Platform
win7-20230703-en
Max time kernel
582s
Max time network
401s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\Drivers\jldr | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A |
| File opened for modification | C:\Windows\system32\Drivers\jldr | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A |
| File created | C:\Windows\system32\Drivers\jldr.sys | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\Notepad.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe
"C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\WaitDeny.mpp
C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\SearchBackup.vbe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\SearchBackup.vbe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-12 04:15
Reported
2023-07-12 04:25
Platform
win10v2004-20230703-en
Max time kernel
495s
Max time network
504s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\Drivers\zddr | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A |
| File opened for modification | C:\Windows\system32\Drivers\zddr | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A |
| File created | C:\Windows\system32\Drivers\zddr.sys | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe
"C:\Users\Admin\AppData\Local\Temp\3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.3.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| GB | 95.101.143.155:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| GB | 95.101.143.155:443 | assets.msn.com | tcp |