{
	"id": "52c485f2-a1d0-4639-9480-7f7bfb3dd813",
	"created_at": "2026-04-06T00:16:45.830569Z",
	"updated_at": "2026-04-10T03:21:36.832232Z",
	"deleted_at": null,
	"sha1_hash": "b35d71b7061368de087180f4e8187f7d8d963509",
	"title": "Threat Advisory: STRT-TA02 - Destructive Software | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7304275,
	"plain_text": "Threat Advisory: STRT-TA02 - Destructive Software | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2022-01-27 · Archived: 2026-04-05 19:25:29 UTC\r\nIf recent ransomware campaigns are any indication of the real-world effects that malicious campaigns against healthcare, technology, food supply, and gas supply can have (the Colonial Pipeline outage affected 45% of the U.S. East Coast fuel supply), then destructive payloads whose sole purpose is to render hosts unusable should be considered a possibility under the current geopolitical indicators.\r\nThe Attack: This threat advisory focuses on a recently reported destructive payload that Microsoft MSTIC named WhisperGate. We break down the components and functions of this payload and provide a series of detections to help defend against it.\r\nAlthough we cannot prevent patient zero, we can measure and recover execution artifacts which, if operationalized in a timely manner as analytics and playbooks, give analysts a tool to isolate, contain, and prevent further damage. 
This data may also help establish the extent and the TTPs of current and future campaigns in which these payloads are used.\r\nRansomware is by itself a destructive payload; however, some past campaigns have used multiple payloads, some with ransomware characteristics serving as decoys and others that present the same ransomware characteristics but execute destructive payloads (e.g., hard disk erasure) at targeted organizations.\r\n“WhisperGate” Indicators And Analysis:\r\nStage 1: MBR Wiper\r\nThis wiper contains code that targets the Master Boot Record (MBR) sector of the compromised host. It overwrites the original MBR with its own destructive MBR code. The screenshot below shows the code snippet that overwrites the MBR with the malicious boot record containing the ransom note.\r\nhttps://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html?splunk\r\nPage 1 of 11\r\nStage 2: Discord Downloader\r\nDelay Of Execution\r\nThe stage 2 malware contains a possible defense evasion that may bypass AV technology such as emulation, or sandboxes that only monitor process behavior for a limited period (say, less than 20 seconds). The evasion is achieved by running a base64-encoded PowerShell command that delays execution. The screenshot below shows the command, which is run twice for a total sleep of 20 seconds.\r\nEncoded command\r\nPowershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==\r\nDecoded command\r\nPowershell Start-Sleep -s 10\r\n(The -enc argument is the base64 encoding of the script text as UTF-16LE, which is why every second byte of the decoded data is zero.)\r\nDiscord Download\r\nAfter the sleep, stage 2 tries to download a \".jpg\" file from a Discord server. The downloaded file is another .NET-compiled malware, stage 3, stored in reversed form. 
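As an added example that is not part of the original advisory (and not the Splunk team's own script), the following Python handles the two stage 2 artifacts just described: it decodes a PowerShell -enc argument, which is base64 of the script text encoded as UTF-16LE, and it restores a reversed download to a PE image, accepting the result only if the MZ and PE signatures line up. It assumes, as the text implies, that the reversal is a plain byte-order reversal; the function names are assumptions, and the sample download is a constructed minimal header, not the real stage 3.

```python
import base64
import struct

PE_SIG = b'PE' + bytes(2)   # the 4-byte PE signature that e_lfanew points at


def decode_encoded_command(blob):
    # PowerShell -enc / -EncodedCommand takes base64 of the script text encoded as UTF-16LE,
    # which is why every second byte of the decoded data is 0x00.
    return base64.b64decode(blob).decode('utf-16-le')


def looks_like_pe(data):
    # MZ at offset 0 and e_lfanew (uint32 LE at 0x3C) pointing at the PE signature.
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIG


def unreverse_download(blob):
    # Assumption: the stage 3 file is stored with its byte order reversed, so the stored
    # blob ends in 'ZM'. Refuse anything that does not carry a PE header once restored.
    restored = blob[::-1]
    if not looks_like_pe(restored):
        raise ValueError('restored data does not carry a PE header')
    return restored


def build_fake_reversed_download():
    # Constructed test input, not malware: a 0x50-byte buffer with MZ at 0,
    # e_lfanew = 0x40 and the PE signature at 0x40, handed back reversed.
    img = bytearray(0x50)
    img[0:2] = b'MZ'
    struct.pack_into('<I', img, 0x3C, 0x40)
    img[0x40:0x44] = PE_SIG
    return bytes(img)[::-1]


if __name__ == '__main__':
    print(decode_encoded_command('UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA=='))
    blob = build_fake_reversed_download()
    print(blob[-2:], looks_like_pe(unreverse_download(blob)))
```

On a real sample, write the restored image to an analysis share with no execute permission and hash it before handing it to a sandbox; the header check only confirms that the reversal assumption held, not that the file is safe.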
A simple Python script can reverse it back into a valid PE executable. Below is a screenshot of how stage 3 is downloaded from the Discord server.\r\nStage 3: Defense Evasion and Process Injection (File Corrupter)\r\nStage 3 is another .NET-compiled malware. It loads and decrypts its resource data, which yields AdvancedRun.exe and the file corrupter malware.\r\nEvading Windows Defender AV\r\nAs soon as stage 3 executes, it drops AdvancedRun.exe and a VBScript into the %temp% folder to evade Windows Defender AV. The screenshot below shows how AdvancedRun.exe (a NirSoft tool) was used to disable the Windows Defender service and delete the Windows Defender directory under ProgramData.\r\n\"C:\\Users\\Administrator\\AppData\\Local\\Temp\\AdvancedRun.exe\" /EXEFilename \"C:\\Windows\\System32\\sc.exe\" /WindowSt\r\n\"C:\\Users\\Administrator\\AppData\\Local\\Temp\\AdvancedRun.exe\" /EXEFilename \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" /WindowState 0 /CommandLine \"rmdir 'C:\\ProgramData\\Microsoft\\Windows Defender' -Recurse\" /StartDirectory \"\" /RunAs 8 /Run\r\nThe .vbs file dropped in the %temp% folder adds the C:\\ drive to the Windows Defender exclusion path.\r\nProcess Injection - File Corrupter Malware\r\nStage 3 creates a suspended InstallUtil.exe process from the %temp% folder and injects the file corrupter malware into it. Below is the CreateProcess API call that prepares the injection.\r\nBy extracting the buffer written into InstallUtil.exe through the WriteProcessMemory API, we were able to recover the corrupter malware.\r\nThis malware first enumerates all drive types connected to the compromised machine. 
It looks specifically for \"Fixed\" or \"Remote\" drives as the starting point for traversing every file it can corrupt.\r\nFor each file found during enumeration, it converts the filename to upper case and checks whether the file extension is in its list. Below is a screenshot of the code that checks the file extension, followed by the list of targeted file types.\r\nFile extension list\r\nIf the extension is in the list, it generates a random value to serve as the extension of the corrupted file, allocates a 0x100000-byte (1 MiB) buffer and fills it with 0xCC using memset. It then opens the target file, overwrites it with the 0xCC-filled buffer, and renames it with the randomly generated extension.\r\nBelow is a screenshot taken during the corruption process, showing how the file is overwritten with 0xCC, which makes it unrecoverable.\r\nPing Sleep and the Melting Batch Script\r\nThe corrupter malware deletes itself using the well-known batch script technique shown in the screenshot below. Before that, it uses the ping utility to generate a sleep of 4-5 seconds.\r\nDetections\r\nPing Sleep Batch Command\r\nThis analytic identifies the possible execution of ping sleep batch commands. The technique has been seen in several malware samples and is used to introduce a delay without explicitly calling sleep functions or cmdlets. 
The goal is to delay the execution of malicious code and bypass detection or sandbox analysis.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where `process_ping` (Processes.parent_process = \"*ping*\" Processes.parent_process = *-n* Processes.parent_pro\r\n (Processes.process = \"*ping*\" Processes.process = *-n* Processes.process=\"* Nul*\" Processes.process=\"*>*\")\r\n by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name\r\n | `drop_dm_object_name(\"Processes\")`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nPowershell Remove Windows Defender Directory\r\nThis analytic identifies a suspicious PowerShell command used to delete the Windows Defender folder. The technique was used in the WhisperGate campaign, which ran NirSoft's AdvancedRun.exe to gain administrative privileges and then executed a PowerShell command to delete the Windows Defender folder. EventCode 4104 script block events are only available when PowerShell Script Block Logging is enabled. Note that the two Message clauses are joined with OR, so any script block that contains rmdir will match; use AND if that is too noisy in your environment.\r\n`powershell` EventCode=4104 Message = \"* rmdir *\" OR Message = \"*\\\\Microsoft\\\\Windows Defender*\"\r\n | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nSuspicious Process With Discord DNS Query\r\nThis analytic identifies a process making a DNS query to Discord, a well-known instant messaging and digital distribution platform. Discord can be abused by adversaries, as seen in the WhisperGate campaign, to host and download malicious external files. 
A process resolving a Discord DNS name could indicate malware attempting to download files from Discord for further execution.\r\n`sysmon` EventCode=22 QueryName IN (\"*discord*\") process_path != \"*\\\\AppData\\\\Local\\\\Discord\\\\*\" AND process_pa\r\n | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name Query\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nExcessive File Deletion In WinDefender Folder\r\nThis analytic identifies excessive file deletion events in the Windows Defender folder. The technique was seen in the WhisperGate campaign, in which the adversary abused NirSoft's AdvancedRun.exe to gain administrative privileges and then executed PowerShell commands to delete files in the Windows Defender application folder. Sysmon EventCode 23 (FileDelete) is only generated when FileDelete rules are enabled in the Sysmon configuration.\r\n`sysmon` EventCode=23 TargetFilename = \"*\\\\ProgramData\\\\Microsoft\\\\Windows Defender*\"\r\n | stats values(TargetFilename) as deleted_files min(_time) as firstTime max(_time) as lastTime count by user E\r\n | where count >=50\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nWindows InstallUtil in Non Standard Path\r\nThe following analytic identifies the Windows binary InstallUtil.exe running from a non-standard location.\r\nWindows NirSoft AdvancedRun\r\nThe following analytic identifies the use of AdvancedRun.exe. 
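The four analytics above that come with queries (Ping Sleep Batch Command, Powershell Remove Windows Defender Directory, Suspicious Process With Discord DNS Query, Excessive File Deletion In WinDefender Folder), re-implemented in plain Python over constructed sample events so the matching logic can be exercised offline. This is an added example and is not part of the original advisory or of Splunk's security content. The events, host and user names, function names and the 50-event threshold are assumptions; matching is case-insensitive like the SPL wildcards, and only the one process-path exclusion visible in the Discord query is applied.

```python
from collections import Counter

# Constructed sample events (not real logs) in the shape of the Sysmon (EventCode 1/22/23)
# and PowerShell script block (EventCode 4104) fields the queries above key on.
EVENTS = [
    # Melting batch from stage 3: ping used as a timer, then self-delete.
    {'EventCode': 1, 'host': 'ws01', 'user': 'CORP\\jdoe',
     'CommandLine': 'cmd.exe /c ping localhost -n 5 > Nul & del /f /q C:\\Temp\\corrupt.exe'},
    # Ordinary connectivity check: has -n but no Nul redirect, so not a sleep.
    {'EventCode': 1, 'host': 'ws01', 'user': 'CORP\\jdoe',
     'CommandLine': 'ping -n 4 dc01.corp.local'},
    # Script block removing the Defender folder.
    {'EventCode': 4104, 'host': 'ws01', 'user': 'CORP\\jdoe',
     'Message': 'rmdir \"C:\\ProgramData\\Microsoft\\Windows Defender\" -Recurse'},
    # Stage 2 downloader resolving Discord from a temp directory.
    {'EventCode': 22, 'host': 'ws01', 'user': 'CORP\\jdoe',
     'Image': 'C:\\Temp\\Stage2.exe', 'QueryName': 'cdn.discordapp.com'},
    # The installed Discord client doing the same thing: excluded by the query.
    {'EventCode': 22, 'host': 'ws02', 'user': 'CORP\\svc-kiosk',
     'Image': 'D:\\Profiles\\svc-kiosk\\AppData\\Local\\Discord\\Discord.exe',
     'QueryName': 'gateway.discord.gg'},
]
# 60 FileDelete events under the Defender folder on ws01 (over the threshold), 3 on ws02 (under it).
EVENTS += [{'EventCode': 23, 'host': 'ws01', 'user': 'CORP\\jdoe',
            'TargetFilename': 'C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\%d.bin' % i}
           for i in range(60)]
EVENTS += [{'EventCode': 23, 'host': 'ws02', 'user': 'CORP\\svc-kiosk',
            'TargetFilename': 'C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-%d.bin' % i}
           for i in range(3)]


def is_ping_sleep(cmdline):
    # Ping Sleep Batch Command: ping with a repeat count whose output is dropped to Nul
    # through a redirect, i.e. ping used purely as a timer.
    c = cmdline.lower()
    return 'ping' in c and '-n' in c and ' nul' in c and '>' in c


def is_defender_dir_removal(message):
    # Powershell Remove Windows Defender Directory: the query ORs the two clauses, so either
    # the rmdir verb or the Defender path on its own is enough to match.
    m = message.lower()
    return ' rmdir ' in m or '\\microsoft\\windows defender' in m


def is_suspicious_discord_query(event):
    # Suspicious Process With Discord DNS Query: a discord name resolved by any process that is
    # not the Discord client under AppData\\Local\\Discord (the one exclusion visible in the query).
    if event.get('EventCode') != 22:
        return False
    if 'discord' not in event.get('QueryName', '').lower():
        return False
    return '\\appdata\\local\\discord\\' not in event.get('Image', '').lower()


def excessive_defender_deletions(events, threshold=50):
    # Excessive File Deletion In WinDefender Folder: Sysmon 23 under the Defender ProgramData
    # folder, counted per host and user, reported only at or above the threshold.
    counts = Counter()
    for e in events:
        if e.get('EventCode') != 23:
            continue
        if '\\programdata\\microsoft\\windows defender' in e.get('TargetFilename', '').lower():
            counts[(e['host'], e['user'])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def run_detections(events):
    # One (rule, host, detail) tuple per matching event, plus one per host/user over threshold.
    hits = []
    for e in events:
        if e.get('EventCode') == 1 and is_ping_sleep(e.get('CommandLine', '')):
            hits.append(('ping_sleep', e['host'], e['CommandLine']))
        elif e.get('EventCode') == 4104 and is_defender_dir_removal(e.get('Message', '')):
            hits.append(('defender_dir_removal', e['host'], e['Message']))
        elif is_suspicious_discord_query(e):
            hits.append(('discord_dns', e['host'], e['Image'] + ' -> ' + e['QueryName']))
    for (host, user), n in excessive_defender_deletions(events).items():
        hits.append(('defender_mass_delete', host, '%s deleted %d files' % (user, n)))
    return hits


if __name__ == '__main__':
    for rule, host, detail in run_detections(EVENTS):
        print(rule, host, detail)
```

The benign ping and the real Discord client are included so the exclusions are exercised, not just the positives; when tuning the Splunk versions, keep the same pair of a true positive and a known-benign lookalike per rule as regression events.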
AdvancedRun.exe has capabilities similar to other remote execution tools such as PsExec.\r\nWindows DotNet Binary in Non Standard Path\r\nThe following analytic identifies native .NET binaries of the Windows operating system that adversaries may abuse by moving them to a new directory.\r\nSplunk Security Content\r\nMitigation\r\nAs outlined in CISA Alert AA22-011A and in CISA's recently released guidance on implementing cybersecurity measures to protect against potential critical threats, here are some steps organizations can take right now to protect themselves:\r\nEnsure software is up to date; prioritize updates that address known exploited vulnerabilities.\r\nSplunk ESCU has extensive coverage of destructive software, including ransomware and crime carrier payloads. Download ESCU and perform preventative detection and monitoring for these threats.\r\nTest, verify, and validate your perimeter defenses and remote access policies.\r\nApply security policies equivalent to those within your organization's perimeter to your cloud resources.\r\nEnsure disaster recovery, business continuity, and incident response resources are on standby in case of intrusion or attack.\r\nFollow the CISA recommendations outlined in:\r\nhttps://www.cisa.gov/sites/default/files/publications/CISA_Insights-Implement_Cybersecurity_Measures_Now_to_Protect_Against_Critical_Threats_508C.pdf\r\nhttps://www.cisa.gov/uscert/ncas/analysis-reports/ar21-013a\r\nhttps://www.cisa.gov/cyber-hygiene-services\r\nLearn More\r\nYou can find the latest content about security analytic stories on research.splunk.com. For a full list of security content, check out the release notes on Splunk Docs.\r\nESCU v3.34.0\r\nFeedback\r\nAny feedback or requests? Feel free to open an issue on GitHub and we'll follow up. 
Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.\r\nContributors\r\nWe would like to thank the following for their contributions to this post:\r\nRod Soto\r\nTeoderick Contreras\r\nMichael Haag\r\nJose Hernandez\r\nLou Stella\r\nMauricio Velazco\r\nSource: https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html?splunk",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html?splunk"
	],
	"report_names": [
		"threat-advisory-strt-ta02-destructive-software.html?splunk"
	],
	"threat_actors": [],
	"ts_created_at": 1775434605,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b35d71b7061368de087180f4e8187f7d8d963509.pdf",
		"text": "https://archive.orkl.eu/b35d71b7061368de087180f4e8187f7d8d963509.txt",
		"img": "https://archive.orkl.eu/b35d71b7061368de087180f4e8187f7d8d963509.jpg"
	}
}