W32/KillDisk.NCV!tr

Analysis

W32/KillDisk.NCV!tr is a generic detection for a trojan.
Since this is a generic detection, malware detected as W32/KillDisk.NCV!tr may have varying behaviour.
Below are some of its observed characteristics and behaviours:

  • This data wiper malware was first discovered on machines across multiple Ukrainian organizations. It is also known as "HermeticWiper" because of its digital certificate. The malware disables the Volume Shadow Copy Service (VSS) and modifies registry keys to disable crash dumps. It also adjusts its token privileges to enable SeBackupPrivilege. It then traverses the physical drives, from 0 to 100, and the partitions on the victim machine to destroy the data. Upon reboot, a message appears stating that there is an error loading the operating system.

  • Below are images of the malware (captions only; the images are not reproduced here):
    • Figure 1: Digital certificate.
    • Figure 2: Disabling VSS.
    • Figure 3: Disabling crash dumps.
    • Figure 4: Traversing through physical drives 0-100.
    • Figure 5: Screen upon reboot after execution of malware.


  • Following are some of the near/exact IOCs (file hashes) associated with this detection:
    • MD5: 3f4a16b29f2f0532b7ce3e7656799125
      SHA256: 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
    • MD5: 84ba0197920fd3e2b7dfa719fee09d2f
      SHA256: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
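As an added example (not part of this Fortinet entry), the following Python flags the behaviour sequence described above when it appears together in one process's endpoint telemetry: a VSS service stop, crash dumps disabled in the registry, SeBackupPrivilege enabled, and write access to raw physical drives 0-100. The record format and sample events are constructed, and the CrashControl\CrashDumpEnabled registry value is the standard Windows setting, assumed here rather than taken from the page.

```python
import re

# Constructed sample telemetry (not real logs); one dict per event.
# pid 7777 stops VSS alone, which is a routine admin action and should not fire.
EVENTS = [
    {"pid": 4012, "type": "service", "action": "stop", "name": "vss"},
    {"pid": 4012, "type": "registry",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "value": 0},  # assumed key: standard Windows crash-dump switch
    {"pid": 4012, "type": "privilege", "name": "SeBackupPrivilege", "action": "enable"},
    {"pid": 4012, "type": "file_open", "path": r"\\.\PhysicalDrive0", "access": "write"},
    {"pid": 4012, "type": "file_open", "path": r"\\.\PhysicalDrive1", "access": "write"},
    {"pid": 7777, "type": "service", "action": "stop", "name": "vss"},
]

# Raw device path \\.\PhysicalDriveN; the wiper walks N from 0 to 100.
PHYS_DRIVE = re.compile(r"^\\\\\.\\PhysicalDrive(\d{1,3})$", re.IGNORECASE)


def indicators_for(events, pid):
    """Return the set of wiper-like indicators observed for one process."""
    hits = set()
    for e in events:
        if e["pid"] != pid:
            continue
        if e["type"] == "service" and e["action"] == "stop" and e["name"].lower() == "vss":
            hits.add("vss_disabled")
        elif (e["type"] == "registry" and e["value"] == 0
              and e["path"].lower().endswith(r"\crashcontrol\crashdumpenabled")):
            hits.add("crash_dumps_disabled")
        elif e["type"] == "privilege" and e["name"] == "SeBackupPrivilege" and e["action"] == "enable":
            hits.add("sebackup_enabled")
        elif e["type"] == "file_open" and e.get("access") == "write":
            m = PHYS_DRIVE.match(e["path"])
            if m and 0 <= int(m.group(1)) <= 100:
                hits.add("raw_physical_drive_write")
    return hits


def wiper_suspects(events, min_hits=3):
    """Map pid -> sorted indicators for processes combining at least min_hits indicators."""
    result = {}
    for pid in sorted({e["pid"] for e in events}):
        hits = indicators_for(events, pid)
        if len(hits) >= min_hits:
            result[pid] = sorted(hits)
    return result


if __name__ == "__main__":
    for pid, hits in wiper_suspects(EVENTS).items():
        print(f"pid {pid}: {', '.join(hits)}")
```

Requiring several of the indicators per process keeps a lone VSS stop or a single privilege adjustment from alerting on its own.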

Outbreak Alert

Malware known as Hermetic (or FoxBlade) was found by cybersecurity researchers being used against organizations in Ukraine.


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date        Version
2023-12-08 91.09537
2023-11-20 91.08981
2023-11-20 91.08976
2023-03-06 91.01184
2023-02-02 91.00202
2022-07-19 90.04286
2022-05-24 90.02602
2022-03-17 90.00543
2022-03-17 90.00541
2022-03-16 90.00522