{
	"id": "24727ebc-932d-4dca-bb9c-e2526cc22076",
	"created_at": "2026-04-06T01:28:58.079619Z",
	"updated_at": "2026-04-10T03:21:06.012884Z",
	"deleted_at": null,
	"sha1_hash": "739cb38bb5c292960447179a3f43abe3ae2bf197",
	"title": "Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1758008,
	"plain_text": "Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware\r\nBy Mayuresh Dani\r\nPublished: 2022-03-02 · Archived: 2026-04-06 00:25:13 UTC\r\nThe Ukrainian Government has been targeted by HermeticWiper, a new ransomware-like data wiper. Its aim is not simply to encrypt the victim’s data, but rather to render a system essentially unusable. In this blog, our Research Team details our analysis of how this aggressive new malware works.\r\nThe origin of HermeticWiper seems to be closely connected to the start of the Russia/Ukraine conflict. HermeticWiper is a new ransomware-like data wiper that was deployed beginning February 23, 2022. Based on multiple intelligence reports, the wiper-ware is preceded by exploits that aid in malware deployment or by multiple distributed denial-of-service attacks to shut down protective services. Attacks have been observed against hundreds of Ukrainian websites related to the local government. Discovered mere hours before Russian troops rolled into Ukraine, the cyberattack is widely seen as the opening salvo of Moscow’s invasion. As of this writing, HermeticWiper activity has since been found in Latvia and Lithuania.\r\nThe primary objective of HermeticWiper is to destroy the master boot record (MBR) of a system, shredding data and rendering the system unusable.\r\nPortable Executable Details of HermeticWiper\r\nThe file that we analyzed has a timestamp of “2021-12-28”. This wiper-ware got its name because the attackers used a code-signing certificate issued to “Hermetica Digital Ltd.” This traces back to a small videogame design business based in Cyprus with no links to Russia that claims it never applied for a digital certificate, pointing to possible identity theft. Operating systems use code-signing as an initial check on software, so it may have been designed to help the rogue program dodge anti-virus protections.\r\nThe sample we analyzed presented the following details:\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware\r\nPage 1 of 9\r\nAnother quirk that we noticed from most of the HermeticWiper samples was the use of the “gift” icon. Whether this was a sick joke on the part of the attackers, or merely use of a commonly observed Visual Studio icon – we will never know.\r\nTechnical Details of HermeticWiper\r\nHermeticWiper itself is just 115 KB and comes packed with drivers, which are extracted depending on the operating system. These drivers are compressed in “SZDD” format, as can be seen here:\r\nAs the names suggest, drivers are dropped after meeting the operating system criteria:\r\n1. DRV_X64: Windows 7+ 64-bit\r\n2. DRV_X86: Windows 7+ 32-bit\r\n3. DRV_XP_X64: Windows XP 64-bit\r\n4. DRV_XP_X32: Windows XP 32-bit\r\nInterestingly, the sample that we analyzed made use of an expired certificate from “CHENGDU YIWO Tech Development Co. Ltd.” A basic Google search reveals that this is a professional data recovery and data security company based in Sichuan, China. This certificate appears to be legitimate.\r\nOther researchers have found similar drivers from EaseUS Partition Manager. A search for that company name comes up with more details on the Chengdu YIWO Tech and EaseUS relationship:\r\nThis driver does the heavy lifting of causing harm to your system. This is a known technique and has been used a couple of times by well-known Advanced Persistent Threat groups.\r\nDETECTION TIP #1\r\nWatch out for processes executing drivers or dynamic link libraries with expired certificates.\r\nPost execution, HermeticWiper gains the following privileges:\r\n1. SeBackupPrivilege\r\n2. SeDebugPrivilege\r\n3. SeLoadDriverPrivilege\r\nLater in the execution chain, the SeLoadDriverPrivilege is used to load the extracted driver. Then one of the four drivers is dropped, after which the Volume Shadow Copy (VSS) service – which allows backups to be performed – is stopped.\r\nDETECTION TIP #2\r\n1. Watch out for processes gaining unnecessary and sensitive privileges like the ones mentioned above.\r\n2. Watch out for important Windows service stoppages.\r\nHermeticWiper then changes the CrashDumpEnabled registry key value to 0, under the System\\CurrentControlSet\\Control\\CrashControl registry setting, so that memory dumps are disabled.\r\nDETECTION TIP #3\r\nWatch out for unauthorized processes making registry changes.\r\nAfter this registry change, the ShowCompColor and ShowInfoTip keys are also modified to disable the display of compressed and encrypted NTFS files in color. This setting normally allows you to see compressed files in a blue color. For example:\r\nQualys Multi-Vector EDR customers are presented with the following details capturing the behavior.\r\nThen, hard drives on a system are enumerated and for each drive, the \\\\.\\EPMNTDRV\\ device is called. Then the extracted driver is loaded by creating a new service with the CreateServiceW API, and the first 512 bytes of the Master Boot Record (MBR) are rewritten.\r\nThe code further suggests that HermeticWiper enumerates the following files and folders…\r\nAppData\r\nDesktop\r\nProgramFiles\r\nProgramFiles(x86)\r\nPerflogs\r\nC:\\Documents and Settings\r\nC:\\Windows\\System32\\winevt\\logs\r\nSystem Volume Information\r\n…the following Master File Table metafiles…\r\n$LogFile: Journal to record metadata transactions.\r\n$Bitmap: Records allocation status of each cluster in the file system.\r\n$Attribute_List:\r\n…and the following NTFS streams:\r\n$DATA: Contains file data.\r\n$I30: NTFS index attribute.\r\n$INDEX_ALLOCATION: Stream type of a directory.\r\nDETECTION TIP #4\r\nWatch out for processes enumerating multiple locations and data streams.\r\nPost successful execution, HermeticWiper makes use of the InitiateSystemShutdownEx API to shut down the system. Once rebooted, since the MBR has been rewritten, we see a blank screen with the words “Missing operating system.”\r\nHermeticWiper Detection with Qualys Multi-Vector EDR\r\nOut of the box, Qualys Multi-Vector EDR provides detection and prevention capabilities that can help enterprise security teams to find Indicators of Compromise.\r\nHermeticWiper MITRE ATT\u0026CK TID Map\r\nTactic | TID | Technique | Procedure\r\nPrivilege Escalation | T1134 | Access Token Manipulation | HermeticWiper modifies its security token to grant itself debugging privileges by adding SeDebugPrivilege, backup privileges by adding SeBackupPrivilege and driver-loading privileges by adding SeLoadDriverPrivilege.\r\nDiscovery | T1082 | System Information Discovery | HermeticWiper enumerates the operating system and its bit-size, according to which embedded drivers are dropped.\r\nDefense Evasion | T1112 | Modify Registry | HermeticWiper modifies multiple keys.\r\nExecution | T1106 | Native API | HermeticWiper uses AdjustTokenPrivileges to give itself the following privileges: SeShutdownPrivilege, SeBackupPrivilege and SeLoadDriverPrivilege.\r\nPersistence | T1543.003 | Create or Modify System Process: Windows Service | HermeticWiper loads the extracted driver by creating a new service using the CreateServiceW API.\r\nImpact | T1561.002 | Disk Wipe: Disk Structure Wipe | HermeticWiper damages the Master Boot Record (MBR) of the infected computer.\r\nImpact | T1490 | Inhibit System Recovery | HermeticWiper stops the Volume Shadow Copy service.\r\nImpact | T1489 | Service Stop | HermeticWiper stops the Volume Shadow Copy service.\r\nDiscovery | T1083 | File and Directory Discovery | HermeticWiper enumerates multiple files and folders such as AppData, Desktop, etc.\r\nImpact | T1529 | System Shutdown/Reboot | HermeticWiper initiates a system shutdown via the InitiateSystemShutdownEx API.\r\nHermeticWiper IOCs\r\nSHA256\r\n0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da\r\n06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397\r\n095c7fa99dbc1ed7a3422a52cc61044ae4a25f7f5e998cc53de623f49da5da43\r\n0db5e5b68dc4b8089197de9c1e345056f45c006b7b487f7d8d57b49ae385bad0\r\n1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\r\n2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf\r\n34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907\r\n3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767\r\n4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382\r\n7e154d5be14560b8b2c16969effdb8417559758711b05615513d1c84e56be076\r\n923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6\r\n9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d\r\na196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92\r\nb01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1\r\nb60c0c04badc8c5defab653c581d57505b3455817b57ee70af74311fa0b65e22\r\nb6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd\r\nc2d06ad0211c24f36978fe34d25b0018ffc0f22b0c74fd1f915c608bf2cfad15\r\nd4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb7c4a\r\ndcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78\r\ne5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5\r\nf50ee030224bf617ba71d88422c25d7e489571bc1aba9e65dc122a45122c9321\r\nfd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d\r\nSource: https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware"
	],
	"report_names": [
		"ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775438938,
	"ts_updated_at": 1775791266,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/739cb38bb5c292960447179a3f43abe3ae2bf197.pdf",
		"text": "https://archive.orkl.eu/739cb38bb5c292960447179a3f43abe3ae2bf197.txt",
		"img": "https://archive.orkl.eu/739cb38bb5c292960447179a3f43abe3ae2bf197.jpg"
	}
}