{
	"id": "750ca6f7-967a-404a-8c5e-2c2aaabd1646",
	"created_at": "2026-04-06T00:22:04.57308Z",
	"updated_at": "2026-04-10T13:11:49.293349Z",
	"deleted_at": null,
	"sha1_hash": "84663d57ccd8e92933d621622dc10236e67a7554",
	"title": "eSentire Threat Intelligence Malware Analysis: HermeticWiper \u0026 PartyTicket",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 917134,
	"plain_text": "eSentire Threat Intelligence Malware Analysis: HermeticWiper \u0026\r\nPartyTicket\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 15:49:39 UTC\r\nRecently, there have been multiple reports of new wiper malware observed targeting Ukrainian organizations as part of\r\ncyber warfare stemming from the ongoing Russia-Ukraine conflict. This new wiper malware, also known as HermeticWiper,\r\nwas first detected in February 2022, and was deployed after a wave of multiple Distributed Denial of Service (DDoS)\r\nattacks launched by Russian threat actors against Ukrainian law enforcement and government agencies.\r\neSentire’s Threat Intelligence team has performed a technical malware analysis on HermeticWiper and PartyTicket. This\r\ntechnical analysis provides a detailed breakdown of how HermeticWiper fulfills its objective of accessing the Physical\r\nDrives and encrypting the targeted filetypes in the host device and network.\r\nWith the ongoing Russia-Ukraine conflict, it’s probable that threat actors from Russia and Ukraine will leverage new\r\nmalware in the ongoing hybrid war and improve their malware development capabilities to evade detections.\r\nKey Takeaways:\r\nHermeticWiper malware is more sophisticated than WhisperGate in terms of implementing third-party drivers to\r\nfacilitate access to the Physical Drives as well as modifying its access token to enable interaction with the kernel.\r\nHermeticWiper is abusing legitimate EaseUS partition management drivers to retrieve partition information and\r\ndestroy data. 
This shows development maturity compared to WhisperGate.\r\nThe main purpose of the decoy ransomware (PartyTicket, also known as HermeticRansom) is to limit the victim’s\r\ninteractions with the infected system.\r\nDue to the poor implementation of the encryption algorithm or the coding error, PartyTicket cannot be considered as\r\na sophisticated decoy ransomware, but it certainly made more improvements compared to WhisperGate.\r\nThe threat actor(s) behind HermeticWiper prevented the possibility of recovery by deleting shadow copies. It’s\r\nprobable that this was done to clear logs to avoid detection and attribution.\r\nAs a result of this research, we have created an additional 5 detections to reduce the risk of this threat and are\r\nperforming global threat hunts for indicators associated with HermeticWiper \u0026 Party Ticket malware.\r\nCase Study\r\nThe destructive malware dubbed as ‘HermeticWiper’ by SentinelLabs was first detected by researchers at ESET on February\r\n23rd, 2022, at 10am EST. Five hours later, the Cyber Police of Ukraine reported DDoS attacks on several Ukrainian\r\ngovernment agencies, including Cabinet of Ministers of Ukraine, Verkhovna Rada (unicameral parliament of Ukraine),\r\nSecurity Service of Ukraine, Ministry of Foreign Affairs, and other Ukrainian government organizations.\r\nThe reports stated that the DDoS attacks had been ongoing since February 15th and linked the attacks, including numerous\r\nphishing attempts, to Russian threat actors. As part of these attacks, HermeticWiper was installed on hundreds of machines\r\nin Ukraine, but evidence of HermeticWiper was also found in Lithuania and Latvia.\r\nOn February 27th Ukrainian border control was reported to be infected with HermeticWiper, which prevented refugees from\r\nbeing able to cross into Romania. 
Symantec also reported that the ransomware named PartyTicket was dropped on the\r\ncompromised machines.\r\nInitial Compromise\r\nOn February 24-25th, researchers at Symantec reported three potential initial vectors of compromise:\r\n1. Ukraine, December 23, 2021 – The abuse of SMB on Microsoft Exchange Servers followed by credential stealing\r\nand a web shell.\r\n2. Lithuania, November 12, 2021 – Tomcat exploitation followed by the creation of scheduled tasks to gain persistence\r\non the compromised system.\r\n3. Ukraine, November 11, 2021 – An exploit abusing the Microsoft SQL Elevation of Privilege Vulnerability (CVE-2021-1636).\r\nTechnical Analysis on HermeticWiper\r\nSHA-256: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket\r\nPage 1 of 10\n\nHermeticWiper is a 32-bit executable written in C++ and, at 114 KB, it’s over four times bigger than its predecessor,\r\nWhisperGate (27 KB). WhisperGate was also used as a decoy ransomware and destructive malware in January 2022 to\r\ntarget Ukrainian organizations. The compiler timestamp dates to December 28, 2021. However, it should be noted that the\r\ntimestamp can be easily modified by the threat actors. The malware sample was signed by Hermetica Digital Ltd, a Cyprus-based company, and the certificate is valid from April 12, 2021 until April 14, 2022 (Exhibit 1). Based on this discovery, eSentire’s Threat\r\nIntelligence team has determined it’s probable that the malware was developed in April 2021.\r\nExhibit 1: HermeticWiper digital signature\r\nThe RCDATA resource (the raw data resource of an application) contains 4 drivers: DRV_X64, DRV_X86, DRV_XP_X64,\r\nDRV_XP_X86. 
The drivers are compressed with SZDD (Haruhiko Okumura's LZSS), a compression algorithm known to\r\nbe used by Microsoft installation programs (Exhibit 2).\r\nExhibit 2: HermeticWiper Resources\r\nThe decompressed drivers are signed by Chengdu YIWO Tech Development Co Ltd, the developer of EaseUS (Exhibit 3).\r\nExhibit 3: Digital Certificate of the extracted drivers\r\nThe implementation of the EaseUS partition management driver in the wiper to access the file systems shows an improvement\r\ncompared to WhisperGate. The drivers contain the program database (PDB) path, which contains debugging information:\r\nd:\\epm\\_epm_main\\mod.windiskaccessdriver\\windiskaccessdriver\\objfre_wlh_x86\\i386\\epmntdrv.pdb\r\nThis indicates that the attackers abused the legitimate driver epmntdrv.sys developed by EaseUS to facilitate access to the\r\nphysical drives of the victim’s machine.\r\nThe wiper will choose which driver to plant on the victim’s machine based on the Windows version, which uses major and\r\nminor conventions for its Operating Systems (OS). If the major and minor versions of the OS are greater than or equal to 6 and 0\r\nrespectively, it will assign the DRV_X64, DRV_X86 drivers to it. Otherwise, it will assign the DRV_XP_X64, DRV_XP_X86\r\ndrivers (Exhibit 4).\r\nPlease refer to the chart compiled by Microsoft that contains operating system version information for more information.\r\nExhibit 4: Assigning drivers to the appropriate OS\r\nThe wiper then assigns itself the following privileges:\r\nSeLoadDriverPrivilege – enables the user to unload and load device drivers in kernel mode. 
In our case, this will\r\nallow the threat actor to load the EaseUS drivers used to corrupt and destroy data.\r\nSeBackupPrivilege – provides an attacker with the ability to create system backups and full read permissions\r\nwithout further escalating the privileges.\r\nA service named after the dropped system driver will be created by the wiper via the CreateServiceW API, which will point\r\nto C:\\Windows\\System32\\drivers\\rhdr.sys (Note that the driver’s name will be randomly created with 4 characters). After the\r\nservice has successfully started, it will sleep for 1000 milliseconds (about 1 second) and then be marked for deletion, at\r\nwhich point the user cannot manually delete or stop it.\r\nEPMNTDRV will be pointed to the path of the dropped system driver (Exhibit 5), and will also be used to retrieve the\r\nPhysical Drive number via the DeviceIoControl API (used to get information about the drive).\r\nExhibit 5: EPMNTDRV pointing to the dropped driver\r\nHermeticWiper initiates a loop that enumerates the Physical Drives up to 100, in contrast to WhisperGate’s loop which is\r\nrepeated up to 199 times (Exhibit 6). For every enumerated Physical Drive, the wiper will overwrite the first section of the\r\nmaster boot record (MBR) with 512 bytes, making the machine unbootable upon manual restart.\r\nExhibit 6: Drive Enumeration\r\nIn addition to the drive enumeration, the wiper also looks for the following folders:\r\nDesktop\r\nMy Documents\r\nAppData\r\nC:\\Documents and Settings\r\nC:\\Windows\\System32\\winevt\\Logs\r\nWindows\r\nProgram Files\r\nProgram Files(x86)\r\nPerfLogs\r\nBoot\r\nSystem Volume Information\r\nAppData\r\nBoot and System Volume Information are two important folders that are responsible for Windows operability. The Boot folder\r\nstores the Boot Configuration Data (BCD) which contains information about the OS and boot parameters. 
Without the BCD file, Windows will not be able to boot. The System Volume Information folder is utilized by the System Restore tool to store\r\nthe restore points.\r\nThe purpose of enumerating the above folders is unclear. It is notable that the threat actors crafted the malware to make sure\r\nall the folders and logs are wiped, and that the victim’s machine remains inoperable if the MBR wiping goes wrong. We\r\nbelieve it’s probable that this was done to clear logs to avoid detection and attribution.\r\nNext, the crash dump logging is disabled by setting the registry value CrashDumpEnabled to 0 (Exhibit 7).\r\nExhibit 7: Disabling crash dump by setting the registry key to 0\r\nThe Volume Shadow Copy Service (VSS) is also disabled via the ChangeServiceConfigW API (which allows changing a\r\nservice’s configuration) by passing the SERVICE_DISABLED parameter (Exhibit 8).\r\nExhibit 8: Disabling Volume Shadow Copy Service (VSS)\r\nThe sample also queries for NTFS attribute types and metadata:\r\n$DATA\r\n$I30\r\n$INDEX_ALLOCATION\r\n$Bitmap (Keeps track of cluster allocation on the NTFS volume)\r\n$Logfile (Logs all changes to the file system)\r\nOther attributes such as $REPARSE_POINT and $LOGGED_UTILITY_STREAM were also found in the .rdata section but\r\nwere never referenced by anything. 
The partition corruption is dependent on whether the system has NTFS or FAT partitions\r\n(Exhibit 9).\r\nExhibit 9: Different partition corruption capabilities based on NTFS and FAT\r\nTechnical Analysis of PartyTicket\r\nSHA-256: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382\r\nThe ransomware sample is a 64-bit binary written in Golang with a size of 3.14 MB and an empty compilation timestamp.\r\nThe following sections in the sample are responsible for determining the filetypes to encrypt, which directories to skip, and which drive\r\nletters to enumerate (Exhibit 10).\r\nExhibit 10: Sections mentioning “Biden”\r\nAs mentioned previously, the function at _C__projects_403forBiden_wHiteHousE_baggageGatherings enumerates\r\nthe drive letters from A to Z (Exhibit 11).\r\nExhibit 11: Drive letter enumeration\r\nThe function at __C__projects_403forBiden_wHiteHousE_init checks if the OS supports AVX (Advanced Vector\r\nExtensions, which are supported by Windows 7 SP1 and later) and is also responsible for folder and file manipulations as well\r\nas getting the time zone data.\r\nThe function at _C__projects_403forBiden_wHiteHousE_FileName gets up to 55 file extensions and converts them to lowercase\r\nstrings (Exhibit 12).\r\nExhibit 12: Retrieving file extensions\r\nApproximately 54 file extensions get retrieved from memory for further encryption, not including the encrypted file\r\nextension, “.Encryptedjb” (Exhibit 13).\r\nExhibit 13: Populating the extensions from memory\r\n.docx .doc .odt .pdf .xls .xlsx .rtf\r\n.ppt .pptx .one .xps .pub .vsd .txt\r\n.jpg .jpeg .bmp .ico .png .gif .sql\r\n.xml .pgsql .zip .rar .exe .msi .vdif\r\n.ova .avi .dip .epub .iso .sfx .inc\r\n.contact .url .mp3 .wmv .wma .wtv .avi\r\n.acl 
.cfg .chm .crt .css .dat .dll\r\n.cab .htm .html\r\nDuring the encryption process, the sample writes a ransom note called “read_me.html” to the victim’s Desktop\r\ncontaining the contact information (Exhibit 14-15).\r\nExhibit 14: Creating the read_me.html ransom note\r\nExhibit 15: Ransom note (read_me.html)\r\nThe ransomware implements AES-GCM encryption for the files (Exhibit 16). An RSA public key is also used to encrypt the\r\nAES key, which is base64-encoded and embedded in the encrypted file. Here is the decoded RSA-OAEP public key with\r\nexponent 65537:\r\n{“N”:25717750538564445875883770450315010157700597087507334907403500443913073702720939931824608270980020206566017538751505629\r\nExhibit 16: AES-GCM encryption\r\nThe AES key is created with math/rand, which produces a pseudorandom (and therefore deterministic) sequence of values.\r\nThat means that the key can be easily obtained to decrypt the files. During the analysis, we observed the same AES 16-bit\r\nkey being used to encrypt the file, “6FBBD7P95OE8UT5QRTTEBIWAR88S74DO”, because the same seed value is being\r\nused in the code (Exhibit 17).\r\nAll encrypted file names will have the following extension: “.[vote2024forjb@protonmail.com].encryptedJB” and each\r\nencrypted file will contain the marker “ZVL2KH87ORH3OB1J1PO2SBHWJSNFSB4A” at the end.\r\nExhibit 17: AES key creation using math/rand\r\nDuring the encryption process, the main executable creates duplicates of itself in the working directory. 
Each duplicate is\r\nnamed with a GUID in the format “xxxxxxxx-11ec-xxx-000c29xxxxxx.exe” (Exhibit 18) and will copy itself using the same\r\npattern with the command “cmd /c copy C:\\workdir\\xxxxxxxx-xxxx-11ec-xxxx-000c29xxxxxx.exe xxxxxxxx-xxxx-11ec-xxxx-000c29xxxxxx.exe” (Exhibit 19).\r\nThe duplicated binaries are responsible for encrypting each file on the system, which significantly slows down the infected\r\nsystem. After the encryption, the binaries are removed from the directory, leaving only 200-300 copies. The encryption\r\nprocess can be easily stopped by terminating the process tree.\r\nExhibit 18: Duplicated binaries in the working directory\r\nExhibit 19: Duplication process\r\nComparing HermeticWiper and PartyTicket to WhisperGate\r\nFrom the technical analysis, we have derived that HermeticWiper is more sophisticated than WhisperGate in terms of\r\nimplementing third-party drivers to facilitate access to the Physical Drives and modifying its access token to enable interaction\r\nwith the kernel. Moreover, the threat actor(s) behind HermeticWiper prevented the possibility of recovery by deleting\r\nshadow copies. Although the purpose of enumerating the critical parts of the OS is still not clear, we believe it’s probable\r\nthat this was done to clear logs to avoid detection and attribution.\r\nAs mentioned previously, PartyTicket has been observed on machines infected with HermeticWiper. 
The technical analysis\r\nof PartyTicket indicates that the threat actor(s) implemented AES-GCM encryption along with an RSA public key for the\r\ntargeted file extensions, making the attack look almost like an actual ransomware attempt, whereas the WhisperGate decoy\r\nransomware only overwrote the targeted files with 0xCC bytes and corrupted the MBR by overwriting it with a fake ransom\r\nnote.\r\nPartyTicket, the decoy ransomware, contains political messages based on the strings found mentioning “Biden” and a\r\nransom note saying, “The only thing that we learned from new elections is we learned nothing from the old!”\r\nHermeticWiper samples have different hashes but the same functionality. WhisperGate has only one known reported hash\r\nfor the wiper sample, which likely means that HermeticWiper was able to spread across more machines than WhisperGate.\r\nWith the ongoing Russia-Ukraine conflict, it’s probable that threat actors from Russia and Ukraine will leverage new\r\nmalware and that threat actors will likely improve their malware development capabilities to evade detection.\r\nHow eSentire is Responding\r\nOur Threat Response Unit (TRU) combines intelligence gleaned from research, security incidents, and the external threat\r\nlandscape to create actionable outcomes for our customers. 
We are taking a holistic response approach to combat modern\r\nransomware by deploying countermeasures, such as:\r\nDeveloping threat detections to identify the initial and post-compromise activities of HermeticWiper and PartyTicket\r\n(HermeticRansom) and ensuring these detections are in place across both eSentire MDR for Endpoint and MDR for\r\nLog.\r\nPerforming global threat hunts for indicators associated with HermeticWiper and Party Ticket malware.\r\nOur detection content is backed by investigation runbooks, ensuring our SOC cyber analysts respond rapidly to any intrusion\r\nattempt tied to known ransomware tactics, techniques, and procedures. In addition, our Threat Response Unit closely\r\nmonitors the ransomware threat landscape, addresses capability gaps, and conducts retroactive threat hunts to assess\r\ncustomer impact.\r\nRecommendations from eSentire’s Threat Response Unit (TRU)\r\nWe recommend implementing the following controls to help secure your organization against the HermeticWiper and\r\nPartyTicket malware:\r\nEnsure that Microsoft Exchange and Apache Tomcat servers are patched and up to date. Specifically, ensure your\r\norganization has patched:\r\nCVE-2020-0688 – Microsoft Exchange\r\nCVE-2021-26855 – Microsoft Exchange\r\nCVE-2021-26857 – Microsoft Exchange\r\nCVE-2021-26858 – Microsoft Exchange\r\nCVE-2021-27065 – Microsoft Exchange\r\nPatch any external-facing applications and devices on an ongoing basis. 
Conduct regular vulnerability scans to ensure\r\nyour team is staying on top of identifying and patching all known vulnerabilities.\r\nConsider implementing a comprehensive vulnerability management program that includes continuous awareness of\r\nthe threat landscape, vulnerability scanning to understand which systems are inadvertently exposed, and disciplined\r\npatch management.\r\nEnsure your team is enforcing strong password policies for all employees as part of strengthening your organization’s\r\noverall cyber hygiene.\r\nWhile the Tactics, Techniques, and Procedures (TTPs) used by adversaries grow in sophistication, they lead to a limited set\r\nof choke points at which critical business decisions must be made. Intercepting the various attack paths utilized by the\r\nmodern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detection, and the\r\nability to investigate logs \u0026 network data during active intrusions.\r\neSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by\r\noriginal threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid\r\nresponse to advanced threats.\r\nIf you’re not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your\r\nbusiness ahead of disruption.\r\nLearn what it means to have an elite team of Threat Hunters and Researchers that works for you. 
Connect with an eSentire\r\nSecurity Specialist.\r\nAppendix\r\nIndicators of Compromise\r\nYara Rules\r\nrule HermeticWiper {\r\n meta:\r\n author = \"eSentire TI\"\r\n filetype = \"Win32 EXE\"\r\n date = \"03/02/2022\"\r\n version = \"1.0\"\r\n hash = \"0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da\"\r\n \r\n strings:\r\n $drv1 = \"\\\\\\\\.\\\\PhysicalDrive%u\" wide fullword\r\n $drv2 = \"\\\\\\\\.\\\\EPMNTDRV\\\\%u\" wide fullword\r\n $NTFS1 = \"$Bitmap\" wide fullword nocase\r\n $NTFS2 = \"$Logfile\" wide fullword nocase\r\n $NTFS3 = \"$I30\" wide fullword nocase\r\n $rcdata1 = \"DRV_X64\" wide fullword nocase\r\n $rcdata2 = \"DRV_X86\" wide fullword nocase\r\n $rcdata3 = \"DRV_XP_X86\" wide fullword nocase\r\n $rcdata4 = \"DRV_XP_X64\" wide fullword nocase\r\n $storage1 = \"GetLogicalDriveStrings\" ascii nocase\r\n $storage2 = \"GetDiskFreeSpace\" ascii nocase\r\n \r\n condition:\r\n (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f)\r\n and filesize \u003e 113KB\r\n and (2 of 
($drv*) and 3 of ($NTFS*) and 2 of ($rcdata*) and 2 of ($storage*))\r\n \r\n}\r\nrule PartyTicket {\r\n meta:\r\n author = \"eSentire TI\"\r\n filetype = \"Win64 EXE\"\r\n date = \"03/02/2022\"\r\n version = \"1.0\"\r\n hash = \"4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382\"\r\n \r\n strings:\r\n $project = \"C:/projects/403forBiden/wHiteHousE/wHiteHousE.go\" ascii nocase\r\n $string1 = \"vote_result.cap\" ascii nocase\r\n $string2 = \"main.subscribeNewPartyMember\" ascii nocase\r\n $string3 = \"main.voteFor403\" ascii nocase\r\n $string4 = \"main.highWay60\" ascii nocase\r\n $string5 = \"main.BulletinNumber\" ascii nocase\r\n \r\n condition:\r\n (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f)\r\n and filesize \u003e 3100KB\r\n and $project and 3 of ($string*)\r\n \r\n}\r\nSources\r\nhttps://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/\r\nhttps://venturebeat.com/2022/02/27/ukraine-border-control-hit-with-wiper-cyberattack-slowing-refugee-crossing/\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia\r\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1636\r\nhttps://docs.microsoft.com/\r\nhttps://pkg.go.dev/math/rand\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level\r\nMDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. 
TRU is an elite team of threat hunters and researchers that supports our 24/7 Security\r\nOperations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an\r\nextension of your security team to continuously improve our Managed Detection and Response service. By providing\r\ncomplete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat\r\nhunts augmented by original threat research, we are laser-focused on defending your organization against known and\r\nunknown threats.\r\nSource: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket"
	],
	"report_names": [
		"esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket"
	],
	"threat_actors": [],
	"ts_created_at": 1775434924,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84663d57ccd8e92933d621622dc10236e67a7554.pdf",
		"text": "https://archive.orkl.eu/84663d57ccd8e92933d621622dc10236e67a7554.txt",
		"img": "https://archive.orkl.eu/84663d57ccd8e92933d621622dc10236e67a7554.jpg"
	}
}