MAR-10375867-1.v1 – HermeticWiper | CISA
Tags
- maec-delivery-vectors: Watering Hole
- attack-pattern: Data Direct; Malware - T1587.001; Malware - T1588.001; Phishing - T1660; Phishing - T1566; Server - T1583.004; Server - T1584.004; Software - T1592.002; Vulnerabilities - T1588.006
Common Information
Type | Value |
---|---|
UUID | f0a58e52-960f-470c-a1a5-d79d7d55a697 |
Fingerprint | ed1089d6452b23ab |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | April 28, 2022, noon |
Added to db | Feb. 24, 2023, 1:22 a.m. |
Last updated | Nov. 17, 2024, 5:57 p.m. |
Headline | MAR-10375867-1.v1 – HermeticWiper |
Title | MAR-10375867-1.v1 – HermeticWiper \| CISA |
Detected Hints/Tags/Attributes | 61/2/30 |
Source URLs
Details | Redirection | Url |
---|---|---|
Details | Source | https://www.cisa.gov/news-events/analysis-reports/ar22-115a |
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 85 | ✔ | — | https://cisa.gov/uscert/ncas/analysis-reports.xml | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 469 | | www.cisa.gov |
Details | Domain | 154 | | us-cert.cisa.gov |
Details | Domain | 84 | | malware.us-cert.gov |
Details | Domain | 84 | | ftp.malware.us-cert.gov |
Details | | 84 | | submit@malware.us-cert.gov |
Details | File | 2 | | dr.sys |
Details | File | 5 | | epmntdrv.sys |
Details | Url | 43 | | http://www.cisa.gov/tlp. |
Details | Url | 53 | | https://us-cert.cisa.gov/forms/feedback |
Details | Url | 84 | | https://malware.us-cert.gov |
Details | Windows Registry Key | 2 | | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled |
Details | Yara rule | 2 | | CISA_10375867_01 (full rule text below) |

```yara
rule CISA_10375867_01 : wiper HERMETICWIPER
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10375867"
        Date = "2022-04-05"
        Last_Modified = "20220406_1500"
        Actor = "n/a"
        Category = "Wiper"
        Family = "n/a"
        Description = "Detects Hermetic Wiper samples"
        MD5_1 = "382fc1a3c5225fceb672eea13f572a38"
        SHA256_1 = "2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf"
        MD5_2 = "decc2726599edcae8d1d1d0ca99d83a6"
        SHA256_2 = "3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767"
        MD5_3 = "84ba0197920fd3e2b7dfa719fee09d2f"
        SHA256_3 = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
        MD5_4 = "3f4a16b29f2f0532b7ce3e7656799125"
        SHA256_4 = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
        MD5_5 = "f1a33b2be4c6215a1c39b45e391a3e85"
        SHA256_5 = "06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397"

    strings:
        // Embedded driver resources: "SZDD" is the MS-Compress (compress.exe) magic
        // that prefixes the packed driver payloads; the rest are the UTF-16LE
        // resource type/name strings decoded in the trailing comments.
        $rsrc1 = { 53 5A 44 44 }                                                  // "SZDD"
        $rsrc2 = { 52 00 43 00 44 00 41 00 54 00 41 00 }                          // "RCDATA"
        $rsrc3 = { 44 00 52 00 56 00 5F 00 58 00 36 00 34 }                       // "DRV_X64"
        $rsrc4 = { 44 00 52 00 56 00 5F 00 58 00 38 00 36 }                       // "DRV_X86"
        $rsrc5 = { 44 00 52 00 56 00 5F 00 58 00 50 00 5F 00 58 00 36 00 34 }     // "DRV_XP_X64"
        $rsrc6 = { 44 00 52 00 56 00 5F 00 58 00 50 00 5F 00 58 00 38 00 36 00 }  // "DRV_XP_X86"

        // Host-interaction strings (UTF-16LE), decoded in the trailing comments.
        $s1 = { 45 00 50 00 4D 00 4E 00 54 00 44 00 52 00 56 00 5C 00 25 00 75 }  // "EPMNTDRV\%u" (driver device name)
        $s2 = { 50 00 68 00 79 00 73 00 69 00 63 00 61 00 6C 00 44 00 72 00 69 00 76 00 65 00 25 00 75 }  // "PhysicalDrive%u"
        $s3 = { 53 00 59 00 53 00 54 00 45 00 4D 00 5C 00 43 00 75 00 72 00 72 00 65 00 6E 00 74 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 53 00 65 00 74 00 5C 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 5C 00 43 00 72 00 61 00 73 00 68 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C }  // "SYSTEM\CurrentControlSet\Control\CrashControl"
        $s4 = { 43 00 72 00 61 00 73 00 68 00 44 00 75 00 6D 00 70 00 45 00 6E 00 61 00 62 00 6C 00 65 00 64 }  // "CrashDumpEnabled" (registry value)
        $s5 = { 24 00 49 00 4E 00 44 00 45 00 58 00 5F 00 41 00 4C 00 4C 00 4F 00 43 00 41 00 54 00 49 00 4F 00 4E }  // "$INDEX_ALLOCATION" (NTFS attribute)
        $s6 = { 53 00 65 00 4C 00 6F 00 61 00 64 00 44 00 72 00 69 00 76 00 65 00 72 00 50 00 72 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 }  // "SeLoadDriverPrivilege"
        $s7 = { 53 00 65 00 42 00 61 00 63 00 6B 00 75 00 70 00 50 00 72 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 }  // "SeBackupPrivilege"
        $s8 = { 43 00 3A 00 5C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 53 00 59 00 53 00 56 00 4F 00 4C }  // "C:\Windows\SYSVOL"

    condition:
        // PE ("MZ") header, at least three of the driver-resource markers,
        // and at least seven of the eight host-interaction strings.
        uint16(0) == 0x5A4D and ((3 of ($rsrc*)) and (7 of ($s*)))
}
```