{
	"id": "237ab725-9409-4c8e-8b51-d8f1e9e90cac",
	"created_at": "2026-04-06T00:10:13.373717Z",
	"updated_at": "2026-04-10T03:30:33.01987Z",
	"deleted_at": null,
	"sha1_hash": "850dc91e8b02e15cf09cc41ec84332f1b357bbcb",
	"title": "Technical Analysis of The Hermetic Wiper Malware Used to Target Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1184450,
	"plain_text": "Technical Analysis of The Hermetic Wiper Malware Used to Target Ukraine\r\nPublished: 2025-08-21 · Archived: 2026-04-05 14:05:21 UTC\r\nMarch 2, 2022\r\nhttps://cloudsek.com/technical-analysis-of-the-hermetic-wiper-malware-used-to-target-ukraine/\r\nPage 1 of 14\n\nExecutive Summary\r\nOn 23 February 2022, ESET researchers identified a destructive malware, dubbed “Hermetic Wiper,” targeting Ukrainian computers and websites.\r\nThe Hermetic Wiper malware binary uses a signed digital certificate issued to “Hermetica Digital Ltd”, and the driver dropped by the malware has a signed digital certificate issued to “Chengdu Yiwo Tech Development Co Ltd”, to circumvent security checks.\r\nThe malware drops a driver in the Windows drivers directory; the driver is part of the Easeus program and has the original filename EPMNTDRV.sys.\r\nIt abuses the driver loaded onto the target system to access the hard disk with higher privileges and to write garbage data to it.\r\nThe malware then renders the system useless by corrupting boot data, which forces the user to reinstall their operating system.\r\nTechnical Analysis of Hermetic Wiper Malware\r\nLeveraging Code-Signing Certificates to Avoid Detection\r\nThe malware binary’s signed digital certificate is issued to Hermetica Digital Ltd., a Cyprus-based game development company.\r\nThe malware drops a driver in the Windows drivers directory. 
The dropped binary’s signed digital certificate belongs to Chengdu Yiwo Tech Development Co Ltd., the owner of Easeus Data, a data backup and recovery company.\r\nSigned digital certificates of the binaries\r\nObtaining a Handle to the Current Process Token\r\nThe malware begins by obtaining a handle to the current process’ token.\r\nIn Windows, a token is an object that represents the privileges a process holds while running on the system. A full list of privilege constants can be found here.\r\nThe malware uses the OpenProcessToken API with the DesiredAccess parameter set to 0x0028 (TOKEN_QUERY 0x0008 | TOKEN_ADJUST_PRIVILEGES 0x0020).\r\nThis allows the malware to change the privileges assigned to the token.\r\nUsing OpenProcessToken API to change token privileges\r\nChanging Token Privileges\r\nAfter obtaining access to the current process’ token with these access rights, the malware uses LookupPrivilegeValueW to make sure the current process is assigned the following privileges:\r\nSeShutdownPrivilege\r\nSeBackupPrivilege\r\nThe AdjustTokenPrivileges API is used to adjust the current token’s privileges if the privileges listed above are not already assigned to the current process.\r\nProcess of changing token privileges of the current process\r\nLoading the Payload into the System Memory\r\nAfter granting privileges, the malware dynamically resolves the addresses of the following functions and loads them into the current process:\r\nWow64DisableWow64FsRedirection\r\nWow64RevertWow64FsRedirection\r\nIsWow64Process\r\nWow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection control file system redirection on 64-bit versions of Windows. 
This comes into play when a 32-bit application runs on 64-bit Windows, where the %windir%\\System32 directory is reserved for 64-bit applications. Since the malware sample is a 32-bit application, it needs to access the System32 directory, which is possible via Wow64DisableWow64FsRedirection. It also helps in accessing the registry without Wow64 redirection.\r\nIsWow64Process is used to determine whether the specified process is running under WOW64 or under an Intel64 or x64 processor. This is mainly used to select the appropriate payload to be dropped.\r\nThe malware loads the modules into the current process\r\nThe malware carries multiple images of the payload. It holds the following driver images for later loading:\r\nDRV_X64\r\nDRV_X86\r\nDRV_XP_X64 (for older generations of Windows)\r\nDRV_XP_X86 (for older generations of Windows)\r\nMultiple images of the payload in the malware\r\nThe version of the system is enumerated using the VerifyVersionInfoW API.\r\nSystem version enumeration using VerifyVersionInfoW\r\nThe malware selects the payload to be dropped based on the bitness (32/64) in the resource section of the Portable Executable (PE), after which the corresponding image is retrieved from the .rsrc section of the malware and loaded into system memory.\r\nLoading the corresponding payload into the system memory\r\nDumping a Driver on the Target System\r\nThe malware disables CrashDumpEnabled, the setting that dumps system memory in the event of a crash. CrashDumpEnabled is enabled by default on Windows 10 and has a default value of 0x7. The malware changes it to 0x0, thus disabling it. 
\r\nThis is done to evade forensic analysis if something were to go wrong when the driver is loaded on the target system.\r\nAfter disabling the crash dump setting in the registry, the malware prepares to copy an image of the driver, kept in the .rsrc section of the PE, to the target system.\r\nA pipe \\\\.\\EPMNTDRV is created to perform the transfer of the data.\r\nCreating a pipe to transfer data\r\nThe system directory for drivers, C:\\Windows\\system32\\drivers, is then retrieved via the GetSystemDirectory API.\r\nRetrieving the system directory for drivers\r\nThe data is written via the LZOpenFileW and LZCopy APIs. The filename is randomly generated at runtime; in this case the name assigned to the file is ttdr.sys.\r\nWriting the data and generating the ttdr.sys file\r\nNow the malware has successfully dumped a driver on the target system.\r\nttdr.sys dumped on the target system\r\nDriver Loading and Service Creation\r\nTo load a driver on Windows, the process must possess SeLoadDriverPrivilege. The malware checks for this privilege in the current process using the LookupPrivilegeValueW API.\r\nIf the process does not have the required privilege, the malware adds it via the AdjustTokenPrivileges API.\r\nMalware looks for SeLoadDriverPrivilege\r\nAfter adjusting the privileges, the malware opens the Service Control Manager to query active services through the ServicesActive database.\r\nIt checks for any active service with the name of the dumped driver, which in this case is ttdr, via the OpenServiceW API. 
\r\nChecking for any active services with the name ttdr\r\nIf the service does not exist, the OpenServiceW API returns ERROR_SERVICE_DOES_NOT_EXIST, and a new service is created via CreateServiceW as shown below.\r\nNew service is created via CreateServiceW\r\nThe StartServiceW API is then used to run the driver on the target system.\r\nUsing StartServiceW API to run the driver on the target system\r\nThis can be verified by querying the service control to check whether the STATE parameter is set to “RUNNING.” After this the malware starts interacting with the driver via the DeviceIoControl API, which makes the malware the userland component of the deployed driver.\r\nQuerying the service control\r\nThe symbolic link created for IO communications is verification that the driver has been successfully loaded on the system.\r\nSymbolic link created for IO communications\r\nIf the service is already present, the malware gets the service status from the Service Control Manager using the QueryServiceStatus API.\r\nIf the service is inactive, its configuration is changed via the ChangeServiceConfig API, with the flag SERVICE_DEMAND_START (0x00000003) passed as the dwStartType value.\r\nQuerying and changing the service configurations\r\nClean Up Process\r\nAs soon as the driver starts running on the target system, the malware starts the clean-up process by deleting the service entry in the registry and the driver image in the C:\\Windows\\system32\\drivers directory.\r\nDeleting service entry from the registry and driver image\r\nAfter the clean-up process, the malware disables the Volume Shadow Copy Service (VSS) on the system via the Service Control Manager. 
The VSS service is opened via the OpenServiceW API so that its configuration can be changed later.\r\nDisabling the Volume Shadow Copy Service\r\nA new configuration update is made by passing the 0x00000004 flag (SERVICE_DISABLED) to ChangeServiceConfigW, thus forcibly disabling VSS.\r\nDisabling VSS\r\nThe malware makes sure the service has stopped by passing 0x00000001 (SERVICE_CONTROL_STOP) as the dwControl parameter value.\r\nMaking sure the service has stopped\r\nCorrupting the Hard Disk Data\r\nThe malware uses the installed driver to read and write hard disk data.\r\nTo achieve this, the malware communicates with the driver through its symbolic link (\\Device\\EPMNTDRV) via the DeviceIoControl API, passing IOCTL codes that make the driver perform a specific task.\r\nThe malware then accesses the Master Boot Record via \\\\.\\PhysicalDrive0.\r\nIOCTL codes (hexadecimal):\r\n560000\r\n70050\r\n90073\r\n90064\r\n2D1080\r\n90068\r\n700A0\r\nAccessing \\\\.\\PhysicalDrive0\r\nThe data corruption logic distinguishes NTFS and FAT file systems and has different corruption logic for each of the file systems present on the disk.\r\nNTFS corruption logic\r\nFAT corruption logic\r\nThe malware parses Master File Table (MFT) record fields such as $Bitmap and $LogFile, and other NTFS attribute streams such as $DATA, $I30 or $INDEX_ALLOCATION.\r\nMultiple threads are instantiated by the malware to perform various activities. One of these threads calls InitiateSystemShutdownEx, a privileged operation, as the final damage. 
\r\nPerforming InitiateSystemShutdownEx as the final damage\r\nBefore shutting down the system, the malware enumerates the following directories for data wiping:\r\nMy Documents\r\nDesktop\r\nAppData\r\nWindows Event Logs (C:\\Windows\\System32\\winevt\\Logs)\r\nIndicators of Compromise\r\nMalware Binary: 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\r\nDropped Driver: 6106653B08F4F72EEAA7F099E7C408A4\r\n3F4A16B29F2F0532B7CE3E7656799125\r\nSource: https://cloudsek.com/technical-analysis-of-the-hermetic-wiper-malware-used-to-target-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cloudsek.com/technical-analysis-of-the-hermetic-wiper-malware-used-to-target-ukraine/"
	],
	"report_names": [
		"technical-analysis-of-the-hermetic-wiper-malware-used-to-target-ukraine"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434213,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/850dc91e8b02e15cf09cc41ec84332f1b357bbcb.pdf",
		"text": "https://archive.orkl.eu/850dc91e8b02e15cf09cc41ec84332f1b357bbcb.txt",
		"img": "https://archive.orkl.eu/850dc91e8b02e15cf09cc41ec84332f1b357bbcb.jpg"
	}
}