{
	"id": "46b4780b-f60e-479c-852b-90a95c89a284",
	"created_at": "2026-04-10T03:20:36.32704Z",
	"updated_at": "2026-04-10T03:22:18.027913Z",
	"deleted_at": null,
	"sha1_hash": "b4e4271e5e94bfd137337de2746ec71eacb33311",
	"title": "Detecting HermeticWiper | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4821153,
	"plain_text": "Detecting HermeticWiper | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2022-03-10 · Archived: 2026-04-10 02:43:28 UTC\r\nAs stated in our previous threat advisory STRT-TA02 regarding destructive software, historical data suggests that for malicious actors to succeed in long-standing campaigns they must keep improving and adding new ways of making their payloads stealthier, more resilient, and more damaging. HermeticWiper introduces some unique features for applying destructive actions on compromised hosts. In addition to other commonly known wiper capabilities, HermeticWiper also presents the following unique behaviors:\r\nInteracts with the system via a signed driver\r\nDisables crash dump functionality (anti-forensic)\r\nModifies the “GlobalFolderOptions” registry at file permission level (NTFS)\r\nChecks for FAT (Windows XP) and NTFS (Windows OS newer than XP using NTFS)\r\nCorrupts (destroys) the MBR and NTFS file system\r\nReported to have been deployed via Group Policy Object (Windows Active Directory Group Policy Object)\r\nThis payload is another destructive tool in the ongoing campaign, which has included DDoS attacks, web defacements, MDM attacks, Microsoft SQL attacks and, as of now, two known destructive payloads.\r\nSTRT has also released a new analytic story covering HermeticWiper itself. We have collected information about the observed vectors in relation to HermeticWiper from several security vendors including Symantec, ESET, and SentinelOne. The following diagram shows a visual flow of the observed attack vectors per tactic.\r\nhttps://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html\r\nPage 1 of 14\n\nAs seen above, malicious actors are gaining initial access by either compromising publicly exposed services or via spear phishing, followed by the establishment of persistence and privilege escalation via web shells or the use of schtasks and PowerShell payloads, and finally deploying additional payloads via certutil.exe or PowerShell, which include genuine wiper payloads and ransomware decoy binaries seeking to distract and delay defense and containment by defenders. Here is a brief breakdown of HermeticWiper features and detections.\r\nHermeticWiper Analysis\r\nSigned driver (hermetic name reference)\r\nDropping Driver Component Based on Windows Version (XP or above)\r\nThis wiper will first adjust its token privileges with “SeShutdownPrivilege” and “SeBackupPrivilege” for later purposes like initiating a shutdown or accessing files with a high-security descriptor context.\r\nIt contains 4 compressed drivers in its RSRC section. It will drop one of those drivers depending on the Windows version or OS architecture of the compromised host, determined using the VerifyVersionW API. Below is the summary table of the RSRC TYPE ID and the name of its rsrc entry for each driver.\r\nThen it will generate random characters based on the current process ID of its running process. Once the wiper parses the needed rsrc entry and has a filename, it will locate the C:\\windows\\system32\\Drivers folder to drop its driver component.\r\nThe driver extracted from the rsrc section of this wiper is LZW compressed (SZDD file format). The screenshot below shows how it uses the LZ API to decompress it and retrieve the actual driver binary file.\r\nInterestingly, during analysis we found out that it drops both the compressed driver (\u003c4 char random name\u003e without file extension) and the actual driver (\u003c4 char random name\u003e with .sys file extension) in C:\\windows\\system32\\Drivers. It then deletes the compressed version afterwards.\r\nDisable Crash Dump\r\nIt also disables the generation of crash dumps on the compromised host, which serves as an anti-forensic technique. This is done by modifying a registry value as shown in the screenshot below:\r\nLoading The Driver\r\nThe way it loads its driver component is by creating a service entry for that file. First it will adjust its token privilege with “SeLoadDriverPrivilege”. If the service related to its driver does not exist, it will create and start a new service for it using the CreateServiceW() and StartServiceW() APIs. If it already exists but is not active, it will modify the service config of that kernel driver to DEMAND_START to start the service. Below is the code showing how it uses the ChangeServiceConfigW() API to change the status of its driver if it is not active. This driver is a legitimate component of the EaseUS Partition Master application. This file was leveraged by this wiper to interact with and retrieve storage device information for its destructive purposes.\r\nCorrupting Boot Sectors\r\nThe wiper starts to enumerate all possible physical devices connected to the compromised host (device range 0-100). Below is the code showing how it enumerates all the devices and retrieves partition information of each device using the DeviceIoControl() API. The function named “mw_GetDeviceNumberAndGeometry” is the function it uses to check whether the physical device is of type “FILE_DEVICE_DISK” or not.\r\nIt also checks what file system type is present on the device, whether “NTFS” or “FAT”. This check helps the wiper enumerate all of its partitions to corrupt all possible boot records on it. It also looks for known NTFS files like $Bitmap, $LogFile, $DATA, and many more to be overwritten as part of its file destruction payload.\r\nBelow is the code of the Volume Boot Record partition before and after the infection of HermeticWiper on the compromised host.\r\nOther Registry Modification\r\nIt also has a thread that will modify certain GlobalFolderOptions registry values related to showing compressed files and information tips.\r\nTrigger Shutdown\r\nAnother thread of this malware is responsible for shutting down the compromised host to make the corruption of boot sectors take effect.\r\nOther Behaviors\r\n1. Checks the C:\\Windows\\SYSVOL attribute using the GetFileAttributeW() API. If the API returns an invalid handle (a possible return if the folder path does not exist) or if it is a folder path, it will continue execution; if not, it exits the process.\r\n2. Disables the VSS service, which is related to the Volume Shadow Copy Service, to disable the creation of backup copies.\r\nIt also has a function that can dismount or lock a disk volume.\r\nPartyTicket Analysis\r\nDuring ESET's analysis of this incident, they found another binary which they named “HermeticRansom”. This is a Golang compiled ransomware binary that tries to encrypt files on the compromised host. Below is the screenshot of its code snippet where it renames the encrypted files with the “.encryptedJB” file extension.\r\nIt will also drop a ransom note on the desktop named “read_me.html” to inform the user that their machine is compromised and encrypted.\r\nAside from its encryption features, this binary uses strings in its code function names that reference US President Biden.\r\nDetections\r\nThe following detections are focused specifically on HermeticWiper. Splunk STRT has a significant number of analytic stories that cover ransomware, which should also be considered when detecting and hunting for these types of threats.\r\nWindows File Without Extension In Critical Folder\r\nThis analytic looks for suspicious file creation without a file extension in a critical folder like the \"System32\\Drivers\" folder.\r\nWindows Raw Access To Master Boot Record Drive\r\nThis analytic looks for suspicious raw read access to the device where the master boot record is located.\r\nWindows Disable Memory Crash Dump\r\nThe following analytic identifies a process that is attempting to disable the ability of Windows to generate a memory crash dump.\r\nWindows Modify Show Compress Color And Info Tip Registry\r\nThis analytic looks for suspicious registry modification related to file compression color and information tips.\r\nMitigation\r\nMany of these exploits can be prevented by following CISA guides for preparation and hardening of systems, applications, and networks, including against MDM attacks. There is also a free HermeticRansom/PartyTicket decryptor by AVAST and CrowdStrike. The following table shows Splunk coverage of the aforementioned attack vectors in this ongoing campaign.\r\nHermeticWiper Analytic Story is available in ESCU release v3.36.0\r\nAlso available from Splunk SOAR for automated response against these threats:\r\nRansomware Investigate \u0026 Contain\r\nSuspicious Email Domain Enrichment\r\nCrowdstrike Malware Triage\r\nLearn More\r\nYou can find the latest content about security analytic stories on research.splunk.com. For a full list of security content, check out the release notes on Splunk Docs.\r\nContributors\r\nWe would like to thank the following for their contributions to this post.\r\nTeoderick Contreras\r\nRod Soto\r\nJose Hernandez\r\nPatrick Barreiss\r\nLou Stella\r\nMauricio Velazco\r\nMichael Haag\r\nBhavin Patel\r\nEric McGinnis\r\nSource: https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html"
	],
	"report_names": [
		"detecting-hermeticwiper.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791236,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4e4271e5e94bfd137337de2746ec71eacb33311.pdf",
		"text": "https://archive.orkl.eu/b4e4271e5e94bfd137337de2746ec71eacb33311.txt",
		"img": "https://archive.orkl.eu/b4e4271e5e94bfd137337de2746ec71eacb33311.jpg"
	}
}