{ "Event": { "analysis": "0", "date": "2022-02-24", "extends_uuid": "56cb2bd3-5525-46bd-a454-ea895a5b4d0d", "info": "HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine", "publish_timestamp": "1664880606", "published": true, "threat_level_id": "1", "timestamp": "1664880605", "uuid": "b9b6dcfa-0b11-40dc-9bf4-9a36a2c1a046", "Orgc": { "name": "Centre for Cyber security Belgium", "uuid": "5cf66e53-b5f8-43e7-be9a-49880a3b4631" }, "Tag": [ { "colour": "#0088cc", "name": "misp-galaxy:target-information=\"Ukraine\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Data Destruction - T1485\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Disk Structure Wipe - T1561.002\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Signed Binary Proxy Execution - T1218\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Group Policy Modification - T1484.001\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#054300", "name": "admiralty-scale:source-reliability=\"a\"" }, { "colour": "#0eb100", "name": "admiralty-scale:information-credibility=\"1\"" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1645686071", "to_ids": true, "type": "md5", "uuid": "de0bd41d-ffac-4e5a-8ffd-63c0ba4c6979", "value": "231b3385ac17e41c5bb1b1fcb59599c4" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1645686071", "to_ids": true, "type": "md5", "uuid": "dc288e70-bf4b-46cc-84aa-515e39f3b433", "value": "095a1678021b034903c85dd5acb447ad" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1645686071", "to_ids": true, "type": "md5", "uuid": "e499240c-bfd1-4e5b-a70b-244c11d69053", 
"value": "eb845b7a16ed82bd248e395d9852f467" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1645688022", "to_ids": false, "type": "link", "uuid": "194c007c-eb84-4987-ae29-4dca3b02db47", "value": "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/" }, { "category": "Artifacts dropped", "comment": "Effectively disables crash dumps before the abused driver's execution starts", "deleted": false, "disable_correlation": true, "timestamp": "1645688123", "to_ids": false, "type": "regkey|value", "uuid": "8c55aae8-9ee3-4488-93e8-ee3998518fce", "value": "SYSTEM\\CurrentControlSet\\Control\\CrashControl CrashDumpEnabled|0" }, { "category": "Payload delivery", "comment": "Spelling (empntdrv) does not match the EPMNTDRV device string in this event's YARA rule; verify the driver's on-disk name before relying on this filename for detection", "deleted": false, "disable_correlation": false, "timestamp": "1645688459", "to_ids": true, "type": "filename", "uuid": "85ca7a94-fcfb-4097-affc-0b102ae4dff5", "value": "empntdrv.sys" } ], "Object": [ { "comment": "912342f1c840a42f6b74132f8a7c4ffe7d40fb77: Enriched via the virustotal module", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "4", "timestamp": "1645687145", "uuid": "d611f80f-3015-4e5a-ba28-a4219aae2114", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "permalink", "timestamp": "1645687142", "to_ids": false, "type": "link", "uuid": "df316954-b61d-436a-8804-d2f38a368eeb", "value": "https://www.virustotal.com/gui/file/0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da/detection/f-0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da-1645685791" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1645687145", "to_ids": false, "type": "text", "uuid": 
"8becd4d8-0f4c-429a-a3d4-9e33ac8f55c5", "value": "8/71" } ] }, { "comment": "912342f1c840a42f6b74132f8a7c4ffe7d40fb77: Enriched via the virustotal module", "deleted": false, "description": "File object describing a file with meta-information", "first_seen": "2022-02-24T06:35:51+00:00", "last_seen": "2022-02-24T06:35:51+00:00", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1645687295", "uuid": "f6a02b6b-91df-4a01-9115-798e59bc7023", "ObjectReference": [ { "comment": "", "object_uuid": "f6a02b6b-91df-4a01-9115-798e59bc7023", "referenced_uuid": "d611f80f-3015-4e5a-ba28-a4219aae2114", "relationship_type": "analysed-with", "timestamp": "1664880605", "uuid": "dcd014f8-ccb2-4885-8563-6f2799ffd2a2" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1645687295", "to_ids": true, "type": "md5", "uuid": "ec4a3df5-9479-4468-a990-a3f97ff69a1b", "value": "84ba0197920fd3e2b7dfa719fee09d2f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1645687295", "to_ids": true, "type": "sha1", "uuid": "27637845-3dbd-4454-ad6c-51b7d05e22e9", "value": "912342f1c840a42f6b74132f8a7c4ffe7d40fb77" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1645687295", "to_ids": true, "type": "sha256", "uuid": "2b89b426-8ae3-483c-8a10-46acc4b9a441", "value": "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da" } ] }, { "comment": "61b25d11392172e587d8da3045812a66c3385451: Enriched via the virustotal module", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "4", "timestamp": 
"1645687548", "uuid": "d9a1332e-3511-4417-97c8-f30621513106", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "permalink", "timestamp": "1645687548", "to_ids": false, "type": "link", "uuid": "bafabadb-48ca-48a7-b192-ed30a1ffc57c", "value": "https://www.virustotal.com/gui/file/1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591/detection/f-1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591-1645686225" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1645687545", "to_ids": false, "type": "text", "uuid": "fecf0286-1c32-478d-93e3-507253b34c26", "value": "28/71" } ] }, { "comment": "61b25d11392172e587d8da3045812a66c3385451: Enriched via the virustotal module", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1645687557", "uuid": "df7db285-8f67-49a0-a570-360c55604d2c", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1645687557", "to_ids": true, "type": "md5", "uuid": "b5d4be4e-d2cf-479b-90bf-6ad348b213dd", "value": "3f4a16b29f2f0532b7ce3e7656799125" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1645687554", "to_ids": true, "type": "sha1", "uuid": "6f40134d-c3f6-45b0-bea8-10bcb3b68b1e", "value": "61b25d11392172e587d8da3045812a66c3385451" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1645687551", "to_ids": true, "type": "sha256", "uuid": "127e284e-9f47-46f6-a14d-118e7e59309a", "value": 
"1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1645687512", "uuid": "6e410e9b-426b-49ce-a8b9-4efdf1656f24", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1645687512", "to_ids": true, "type": "md5", "uuid": "104e8a29-d087-4540-bcaa-ee455e21a157", "value": "a952e288a1ead66490b3275a807f52e5" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "5", "timestamp": "1645688599", "uuid": "c908378a-8f2a-49e1-b592-306424bd139b", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "comment", "timestamp": "1645688599", "to_ids": false, "type": "comment", "uuid": "f596d739-c866-436a-9f94-f0694db7a401", "value": "HermeticWiper - broad hunting rule" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "context", "timestamp": "1645688599", "to_ids": false, "type": "text", "uuid": "d47e6fda-a832-4855-8c6f-f2d3dc912138", "value": "disk" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1645688599", "to_ids": true, "type": "yara", "uuid": "87bdab8d-c1f2-4996-86b6-b0c9ef9536eb", "value": "rule MAL_HERMETIC_WIPER {\r\n meta:\r\n desc = \"HermeticWiper - broad hunting rule\"\r\n author = \"Friends @ SentinelLabs\"\r\n version = \"1.0\"\r\n last_modified = \"02.23.2022\"\r\n hash = 
\"1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\"\r\n strings:\r\n $string1 = \"DRV_XP_X64\" wide ascii nocase\r\n $string2 = \"EPMNTDRV\\\\%u\" wide ascii nocase\r\n $string3 = \"PhysicalDrive%u\" wide ascii nocase\r\n $cert1 = \"Hermetica Digital Ltd\" wide ascii nocase\r\n condition:\r\n uint16(0) == 0x5A4D and\r\n all of them\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1645688599", "to_ids": false, "type": "text", "uuid": "045e7288-a031-4613-bd58-6b839f4fd53a", "value": "MAL_HERMETIC_WIPER" } ] } ] } }