Elastic protects against data wiper malware targeting Ukraine: HERMETICWIPER — Elastic Security Labs
Tags
Common Information
Type | Value |
---|---|
UUID | e6b3913e-4cc8-4dcc-8054-0c7c0163e972 |
Fingerprint | 86059b5f69e59281 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Sept. 9, 2022, midnight |
Added to db | Nov. 20, 2023, 12:58 a.m. |
Last updated | Nov. 17, 2024, 5:57 p.m. |
Headline | Elastic protects against data wiper malware targeting Ukraine: HERMETICWIPER |
Title | Elastic protects against data wiper malware targeting Ukraine: HERMETICWIPER — Elastic Security Labs |
Detected Hints/Tags/Attributes | 68/2/24 |
Source URLs
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 306 | ✔ | Elastic Security Labs | https://www.elastic.co/security-labs/rss/feed.xml | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 1373 | | twitter.com |
Details | Domain | 47 | | elastic.co |
Details | Domain | 99 | | therecord.media |
Details | Domain | 5 | | opencorporates.com |
Details | Domain | 2 | | www.easeus.com |
Details | Domain | 281 | | docs.microsoft.com |
Details | File | 5 | | epmntdrv.sys |
Details | sha256 | 23 | | 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 |
Details | sha256 | 18 | | 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da |
Details | sha256 | 11 | | 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 |
Details | sha256 | 11 | | 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf |
Details | Pdb | 1 | | tdrv.pdb |
Details | Url | 4 | | https://twitter.com/esetresearch/status/1496581903205511181 |
Details | Url | 1 | | https://twitter.com/juanandres_gs/status/1496607141888724997 |
Details | Url | 1 | | https://elastic.co/security-labs/operation-bleeding-bear |
Details | Url | 1 | | https://therecord.media/microsoft-data-wiping-malware-disguised-as-ransomware-targets-ukraine-again |
Details | Url | 1 | | https://opencorporates.com/companies/cy/he419469 |
Details | Url | 1 | | https://www.easeus.com/partition-manager |
Details | Url | 1 | | https://docs.microsoft.com/en-us/windows/win32/devio/device-input-and-output-control-ioctl- |
Details | Url | 1 | | https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-getdiskfreespacew |
Details | Url | 1 | | https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens |
Details | Url | 1 | | https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-findresourcew |
Details | Url | 1 | | https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadresource |
Details | Yara rule | 1 | | Windows_Wiper_HERMETICWIPER (rule text below) |

```yara
rule Windows_Wiper_HERMETICWIPER {
    meta:
        Author = "Elastic Security"
        creation_date = "2022-02-24"
        last_modified = "2022-02-24"
        os = "Windows"
        arch = "x86"
        category_type = "Wiper"
        family = "HERMETICWIPER"
        threat_name = "Windows.Wiper.HERMETICWIPER"
        description = "Detects HERMETICWIPER used to target Ukrainian organization"
        reference_sample = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
    strings:
        $a1 = "\\\\?\\C:\\Windows\\System32\\winevt\\Logs" wide fullword
        $a2 = "\\\\.\\EPMNTDRV\\%u" wide fullword
        $a3 = "tdrv.pdb" ascii fullword
        $a4 = "%s%.2s" wide fullword
        $a5 = "ccessdri" ascii fullword
        $a6 = "Hermetica Digital"
    condition:
        all of them
}
```