Skip to content

S0698 HermeticWizard

HermeticWizard is a worm that has been used to spread HermeticWiper in attacks against organizations in Ukraine since at least 2022.1

Item Value
ID S0698
Associated Names
Type MALWARE
Version 1.0
Created 25 March 2022
Last Modified 11 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1110 Brute Force -
enterprise T1110.001 Password Guessing HermeticWizard can use a list of hardcoded credentials in attempt to authenticate to SMB shares.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell HermeticWizard can use cmd.exe for execution on compromised hosts.1
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs HermeticWizard has the ability to use wevtutil cl system to clear event logs.1
enterprise T1559 Inter-Process Communication -
enterprise T1559.001 Component Object Model HermeticWizard can execute files on remote machines using DCOM.1
enterprise T1570 Lateral Tool Transfer HermeticWizard can copy files to other machines on a compromised network.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location HermeticWizard has been named exec_32.dll to mimic a legitimate MS Outlook .dll.1
enterprise T1106 Native API HermeticWizard can connect to remote shares using WNetAddConnection2W.1
enterprise T1046 Network Service Discovery HermeticWizard has the ability to scan ports on a compromised network.1
enterprise T1027 Obfuscated Files or Information HermeticWizard has the ability to encrypt PE files with a reverse XOR loop.1
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares HermeticWizard can use a list of hardcoded credentials to to authenticate via NTLMSSP to the SMB shares on remote systems.1
enterprise T1018 Remote System Discovery HermeticWizard can find machines on the local network by gathering known local IP addresses through DNSGetCacheDataTable, GetIpNetTable,WNetOpenEnumW(RESOURCE_GLOBALNET, RESOURCETYPE_ANY),NetServerEnum,GetTcpTable, and GetAdaptersAddresses.1
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing HermeticWizard has been signed by valid certificates assigned to Hermetica Digital.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.010 Regsvr32 HermeticWizard has used regsvr32.exe /s /i to execute malicious payloads.1
enterprise T1218.011 Rundll32 HermeticWizard has the ability to create a new process using rundll32.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution HermeticWizard can use OpenRemoteServiceManager to create a service.1
enterprise T1047 Windows Management Instrumentation HermeticWizard can use WMI to create a new process on a remote machine via C:\windows\system32\cmd.exe /c start C:\windows\system32\\regsvr32.exe /s /iC:\windows\<filename>.dll.1

References