HermeticWizard

HermeticWizard is a worm that has been used to spread HermeticWiper in attacks against organizations in Ukraine since at least 2022.[1]

ID: S0698
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 25 March 2022
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

HermeticWizard can use WMI to create a new process on a remote machine via C:\windows\system32\cmd.exe /c start C:\windows\system32\\regsvr32.exe /s /iC:\windows\<filename>.dll.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

HermeticWizard has been named exec_32.dll to mimic a legitimate MS Outlook .dll.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

HermeticWizard can use cmd.exe for execution on compromised hosts.[1]

Enterprise T1110 .001 Brute Force: Password Guessing

HermeticWizard can use a list of hardcoded credentials in an attempt to authenticate to SMB shares.[1]

Enterprise T1106 Native API

HermeticWizard can connect to remote shares using WNetAddConnection2W.[1]

Enterprise T1570 Lateral Tool Transfer

HermeticWizard can copy files to other machines on a compromised network.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

HermeticWizard has the ability to encrypt PE files with a reverse XOR loop.[1]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

HermeticWizard has the ability to use wevtutil cl system to clear event logs.[1]

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

HermeticWizard has used regsvr32.exe /s /i to execute malicious payloads.[1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

HermeticWizard has the ability to create a new process using rundll32.[1]
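The WMI, cmd.exe, regsvr32 and wevtutil rows above describe one execution chain: a process created remotely through WMI (so its parent on the target is WmiPrvSE.exe) runs cmd.exe, which starts regsvr32.exe /s /i on a DLL placed directly in C:\windows, and the logs are cleared with wevtutil cl afterwards. The detection below is an added example written for this page; it is not HermeticWizard code and not MITRE or ESET tooling. It assumes Sysmon Event ID 1 field names (ParentImage, Image, CommandLine) and runs over constructed records, not real telemetry. It accepts the /i switch both as "/i path" and as "/ipath" with no space, the form quoted on this page.

```python
"""Added example: flag process-creation records matching the HermeticWizard
execution chain described on this page (WMI -> cmd.exe -> regsvr32 /s /i on a
DLL dropped into C:\\windows, and wevtutil cl). Not HermeticWizard code and not
MITRE or ESET tooling; field names follow Sysmon Event ID 1 and the records
are constructed for the example, not real telemetry."""
import re

# Constructed Sysmon-style process-creation records (ParentImage, Image,
# CommandLine only); these are not captured from a real host.
SAMPLE_EVENTS = [
    # Benign: an installer registering a COM DLL, no /s /i, DLL under Program Files.
    {"ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe "C:\Program Files\Vendor\comlib.dll"'},
    # Remote process creation via WMI: Win32_Process.Create runs the child
    # under WmiPrvSE.exe, so that is the parent of the cmd.exe it starts.
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\windows\system32\cmd.exe /c start C:\windows\system32\regsvr32.exe /s /iC:\windows\exec_32.dll"},
    # The regsvr32 child of that cmd.exe.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"C:\windows\system32\regsvr32.exe /s /i C:\windows\exec_32.dll"},
    # Log clearing.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": r"wevtutil cl system"},
    # Benign wevtutil use: querying, not clearing.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": r"wevtutil qe Security /c:5"},
]

# A DLL sitting directly in the Windows directory (no subdirectory), the
# location the page gives for the dropped payload.
_WINDIR_DLL = re.compile(r'[a-z]:\\windows\\[^\\\s"]+\.dll', re.IGNORECASE)
# regsvr32's /i switch, written "/i path", "/i:path" or "/ipath" as on this page.
_INSTALL_SWITCH = re.compile(r'^/i(?:$|:|[a-z]:\\)', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_regsvr32_silent_install(cmdline: str) -> bool:
    """regsvr32 with /s (silent) and /i (DllInstall) on a DLL in C:\\windows."""
    toks = cmdline.split()
    if not any(_basename(t) in ("regsvr32", "regsvr32.exe") for t in toks):
        return False
    has_silent = any(t.lower() == "/s" for t in toks)
    has_install = any(_INSTALL_SWITCH.match(t) for t in toks)
    return has_silent and has_install and _WINDIR_DLL.search(cmdline) is not None


def is_wevtutil_clear(cmdline: str) -> bool:
    """wevtutil's clear-log verb in either spelling (cl or clear-log)."""
    toks = cmdline.lower().split()
    return (len(toks) >= 2 and _basename(toks[0]) in ("wevtutil", "wevtutil.exe")
            and toks[1] in ("cl", "clear-log"))


def detect(event: dict) -> list:
    """Return the ATT&CK-labelled rules this record matches (empty if none)."""
    parent, image = _basename(event["ParentImage"]), _basename(event["Image"])
    cmd = event["CommandLine"]
    hits = []
    if parent == "wmiprvse.exe" and image in ("cmd.exe", "regsvr32.exe", "rundll32.exe"):
        hits.append("T1047: shell or proxy binary spawned by WmiPrvSE.exe")
    if is_regsvr32_silent_install(cmd):
        hits.append("T1218.010: regsvr32 /s /i on a DLL in the Windows directory")
    if is_wevtutil_clear(cmd):
        hits.append("T1070.001: wevtutil clearing an event log")
    return hits


def scan(events: list) -> dict:
    """Map record index -> matched rules, for records that matched at least one."""
    return {i: detect(e) for i, e in enumerate(events) if detect(e)}


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"])
        for r in rules:
            print("   ", r)
```

Two of the three rules are deliberately narrow. Plain regsvr32 activity is common on workstations, so the rule keys on the combination the page reports (silent, DllInstall, DLL directly in the Windows directory rather than System32); likewise wevtutil is only flagged on its clear-log verb, not on queries. The WmiPrvSE.exe parent check is the broadest and the most useful on its own, since legitimate administration rarely launches cmd.exe or regsvr32.exe through WMI on many hosts at once.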

Enterprise T1569 .002 System Services: Service Execution

HermeticWizard can use OpenRemoteServiceManager to create a service.[1]

Enterprise T1046 Network Service Discovery

HermeticWizard has the ability to scan ports on a compromised network.[1]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

HermeticWizard can execute files on remote machines using DCOM.[1]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

HermeticWizard can use a list of hardcoded credentials to authenticate via NTLMSSP to the SMB shares on remote systems.[1]
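The password-guessing and SMB rows describe the same behaviour from two angles: a short, hardcoded credential list is tried over NTLMSSP against every host the worm discovers. Per-host lockout thresholds rarely fire on that, because each host sees only a handful of failures; what stands out is one source IP failing NTLM network logons on host after host. The following is an added example for this page, not HermeticWizard code and not MITRE or ESET tooling. It runs over constructed, flattened Windows Security 4625/4624 records (these are not real telemetry) and the 60-second window and threshold of five failures are assumptions to be tuned per environment.

```python
"""Added example: find a single source that is guessing credentials over SMB
against many hosts, the spread pattern this page describes (a short hardcoded
credential list tried host by host over NTLMSSP). Not HermeticWizard code and
not MITRE or ESET tooling. Records are a constructed, flattened form of
Windows Security events 4625 (failed logon) and 4624 (logon); the 60-second
window and threshold of 5 failures are assumptions to tune per environment."""
from collections import defaultdict

FIELDS = ("ts", "event_id", "host", "src_ip", "user", "auth_pkg", "logon_type")
# Constructed records: (timestamp in seconds, event id, logging host, source
# IP, target account, authentication package, logon type). Not real telemetry.
_RAW = [
    (100, 4625, "WS-01", "10.0.0.23", "administrator", "NTLM", 3),
    (101, 4625, "WS-01", "10.0.0.23", "admin", "NTLM", 3),
    (104, 4625, "WS-02", "10.0.0.23", "administrator", "NTLM", 3),
    (105, 4625, "WS-02", "10.0.0.23", "admin", "NTLM", 3),
    (108, 4625, "FS-01", "10.0.0.23", "administrator", "NTLM", 3),
    (109, 4625, "FS-01", "10.0.0.23", "admin", "NTLM", 3),
    (112, 4625, "WS-03", "10.0.0.23", "administrator", "NTLM", 3),
    (113, 4624, "WS-03", "10.0.0.23", "admin", "NTLM", 3),  # one guess worked
    (150, 4625, "WS-01", "10.0.0.5", "jdoe", "NTLM", 3),    # a single mistyped password
    (151, 4624, "WS-01", "10.0.0.5", "jdoe", "NTLM", 3),
    (200, 4625, "WS-02", "10.0.0.9", "svc_backup", "Kerberos", 3),  # not NTLM, ignored
]
SAMPLE_LOGONS = [dict(zip(FIELDS, r)) for r in _RAW]


def find_guessing_sources(events, window=60, threshold=5):
    """Return {src_ip: finding} for sources with >= threshold NTLM network-logon
    failures inside any `window` seconds. Counting per source across all
    logging hosts is the point: a worm trying two or three credentials per
    host never trips a per-host lockout threshold, but the same source IP
    failing on host after host does."""
    by_src = defaultdict(lambda: {"fail": [], "ok": []})
    for e in sorted(events, key=lambda e: e["ts"]):
        # Network logons (type 3) over NTLM are what SMB authentication with a
        # username/password produces; other packages and logon types are noise here.
        if e["auth_pkg"] != "NTLM" or e["logon_type"] != 3:
            continue
        if e["event_id"] == 4625:
            by_src[e["src_ip"]]["fail"].append(e)
        elif e["event_id"] == 4624:
            by_src[e["src_ip"]]["ok"].append(e)

    findings = {}
    for src, d in by_src.items():
        fails, j = d["fail"], 0
        for i, e in enumerate(fails):
            # Sliding window: drop failures older than `window` seconds before this one.
            while e["ts"] - fails[j]["ts"] > window:
                j += 1
            burst = fails[j:i + 1]
            if len(burst) < threshold:
                continue
            prev = findings.get(src)
            if prev is None or len(burst) > prev["failures"]:
                start, end = burst[0]["ts"], burst[-1]["ts"]
                findings[src] = {
                    "failures": len(burst),
                    "start": start,
                    "end": end,
                    "hosts": {b["host"] for b in burst},
                    "users": {b["user"] for b in burst},
                    # A successful logon from the same source during or shortly
                    # after the burst means a guess landed: the highest-priority case.
                    "success_after": any(start <= o["ts"] <= end + window for o in d["ok"]),
                }
    return findings


if __name__ == "__main__":
    for src, f in find_guessing_sources(SAMPLE_LOGONS).items():
        print(f"{src}: {f['failures']} NTLM failures over {len(f['hosts'])} hosts "
              f"({', '.join(sorted(f['hosts']))}), accounts {sorted(f['users'])}, "
              f"success afterwards: {f['success_after']}")
```

This only works with centralised collection: 4625 and 4624 for network logons are written on the target host, so the cross-host view exists only once every host forwards its Security log. The "success_after" flag is what to triage first, since a 4624 from the same source right after the burst is the worm authenticating and moving on to the SMB copy and remote execution described in the other rows.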

Enterprise T1018 Remote System Discovery

HermeticWizard can find machines on the local network by gathering known local IP addresses through DNSGetCacheDataTable, GetIpNetTable, WNetOpenEnumW(RESOURCE_GLOBALNET, RESOURCETYPE_ANY), NetServerEnum, GetTcpTable, and GetAdaptersAddresses.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

HermeticWizard has been signed by valid certificates assigned to Hermetica Digital.[1]

References