The dubseven dropper, a known malware delivery mechanism, checks for a fixed set of registry keys (belonging to several security products) before it runs; the rule below identifies the dropper by those hard-coded registry paths. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and prevent further lateral movement or data exfiltration.
YARA Rule
rule dubseven_dropper_registry_checks
{
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Searches for registry keys checked for by the dropper"

    strings:
        $reg1 = "SOFTWARE\\360Safe\\Liveup"
        $reg2 = "Software\\360safe"
        $reg3 = "SOFTWARE\\kingsoft\\Antivirus"
        $reg4 = "SOFTWARE\\Avira\\Avira Destop"
        $reg5 = "SOFTWARE\\rising\\RAV"
        $reg6 = "SOFTWARE\\JiangMin"
        $reg7 = "SOFTWARE\\Micropoint\\Anti-Attack"

    condition:
        uint16(0) == 0x5A4D and                  // MZ header
        uint32(uint32(0x3C)) == 0x00004550 and   // PE signature at e_lfanew
        all of ($reg*)                           // every registry path must be present
}
This rule contains 7 string patterns in its detection logic, and it only fires on PE files, because the condition also requires the MZ header and the PE signature. The strings are matched case-sensitively (no nocase modifier), so a sample must contain each path exactly as written. The scenarios below describe benign activity that touches the same registry keys; their process-name exclusions apply when a file match is correlated with process telemetry in Azure Sentinel, not to the YARA scan itself.
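The rule's condition re-implemented in plain Python, as an added example (not part of the original page or the author's rule): it performs the same two header reads, looks up the PE signature through e_lfanew at offset 0x3C, and requires all seven registry strings byte-for-byte. The sample buffers are constructed here for illustration; they are not real dubseven samples.

```python
import struct

# The seven registry paths from the rule, byte-for-byte. YARA text strings are
# case-sensitive unless 'nocase' is given, so "Software\\360safe" (lowercase s)
# is a distinct pattern from "SOFTWARE\\360Safe\\Liveup".
REGISTRY_STRINGS = [
    b"SOFTWARE\\360Safe\\Liveup",
    b"Software\\360safe",
    b"SOFTWARE\\kingsoft\\Antivirus",
    b"SOFTWARE\\Avira\\Avira Destop",
    b"SOFTWARE\\rising\\RAV",
    b"SOFTWARE\\JiangMin",
    b"SOFTWARE\\Micropoint\\Anti-Attack",
]


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550, little-endian like YARA."""
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:          # b"MZ"
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # An out-of-bounds read is undefined in YARA and makes the condition false.
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550   # b"PE\x00\x00"


def missing_strings(data: bytes) -> list:
    """Registry paths the buffer lacks; useful when triaging a near-miss."""
    return [s.decode() for s in REGISTRY_STRINGS if s not in data]


def matches_rule(data: bytes) -> bool:
    """Equivalent of the rule's condition: PE file AND all of ($reg*)."""
    return is_pe(data) and not missing_strings(data)


def build_sample(strings, pe: bool = True) -> bytes:
    """Constructed test buffer: minimal DOS stub + PE signature, then NUL-separated strings."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew + 4)
    if pe:
        header[0:2] = b"MZ"
        struct.pack_into("<I", header, 0x3C, e_lfanew)
        header[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(header) + b"\x00".join(strings) + b"\x00"


if __name__ == "__main__":
    full = build_sample(REGISTRY_STRINGS)
    print("all strings, PE header   :", matches_rule(full))                        # True
    print("one string missing       :", matches_rule(build_sample(REGISTRY_STRINGS[:-1])))  # False
    print("not a PE file            :", matches_rule(build_sample(REGISTRY_STRINGS, pe=False)))  # False
    uppercased = [s if s != b"Software\\360safe" else b"SOFTWARE\\360SAFE" for s in REGISTRY_STRINGS]
    print("case-changed $reg2       :", matches_rule(build_sample(uppercased)))    # False
```

Running the script shows the three ways a file escapes the rule: a non-PE carrier (a script or document embedding the same paths), a sample with one path dropped or altered, and a case change in any path. Those are the gaps to keep in mind when deciding whether this rule alone is enough coverage for the dropper.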
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that modifies registry keys monitored by the rule.
Filter/Exclusion: process.name != "schtasks.exe" AND process.name != "task scheduler"
Scenario: Windows Update or Patching Process
Description: Windows Update or Microsoft Endpoint Manager (MEM) processes may modify registry entries during system updates.
Filter/Exclusion: process.name != "wuauclt.exe" AND process.name != "mpsvc.exe"
Scenario: Admin Tool for Registry Configuration
Description: An administrator uses the built-in reg.exe or third-party tools like Regedit to modify registry keys.
Filter/Exclusion: process.name != "reg.exe" AND process.name != "regedit.exe"
Scenario: Antivirus or Endpoint Protection Configuration
Description: Antivirus software (e.g., Kaspersky, Bitdefender, Microsoft Defender) may write to registry keys during configuration or signature updates.
Filter/Exclusion: process.name != "mpcmdrun.exe" AND process.name != "kavsvc.exe" AND process.name != "bdagent.exe"
Scenario: Custom Script or Configuration Management Tool
Description: A script or tool like Chef, Puppet, or Ansible modifies registry keys during configuration management tasks.
Filter/Exclusion: process.name != "chef-client.exe" AND process.name != "puppet.exe" AND process.name != "ansible.exe"
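An added example (not from the original page) that evaluates the page's single-field exclusion syntax against constructed process events. It exists to make one caveat concrete: two `!=` terms joined with OR form a tautology and exclude nothing, while the same terms joined with AND exclude exactly the listed processes. The event names and the parser are assumptions for illustration; the KQL note in the comments applies if these filters are pasted into Azure Sentinel.

```python
import re

# One term of the page's filter syntax: process.name != "<name>"
TERM = re.compile(r'process\.name\s*!=\s*"([^"]*)"')

# Constructed filters: the tautological OR form beside the AND form that actually excludes.
TAUTOLOGY_FILTER = 'process.name != "schtasks.exe" OR process.name != "task scheduler"'
CORRECT_FILTER = 'process.name != "schtasks.exe" AND process.name != "task scheduler"'


def parse_filter(expr: str):
    """Return (operator, [names]) for a chain of process.name != "..." terms."""
    tokens = re.split(r"\s+(AND|OR)\s+", expr.strip())
    terms, ops = tokens[0::2], set(tokens[1::2])
    if len(ops) > 1:
        raise ValueError("mixed AND/OR without parentheses is not supported")
    names = []
    for term in terms:
        m = TERM.fullmatch(term.strip())
        if not m:
            raise ValueError(f"unsupported term: {term!r}")
        names.append(m.group(1))
    return (ops.pop() if ops else "AND"), names


def event_passes(expr: str, process_name: str) -> bool:
    """True if an event with this process name survives the filter (is still alerted on).

    Comparison is exact, as KQL's != is case-sensitive; telemetry that reports
    "REG.EXE" would not be excluded by a filter written for "reg.exe".
    """
    op, names = parse_filter(expr)
    results = [process_name != n for n in names]
    return all(results) if op == "AND" else any(results)


def excluded_processes(expr: str, candidates) -> list:
    """Which of the candidate process names the filter removes."""
    return [p for p in candidates if not event_passes(expr, p)]


if __name__ == "__main__":
    # Constructed event sample: two benign schedulers and one unknown process.
    events = ["schtasks.exe", "task scheduler", "unknown.exe"]
    print("OR  excludes:", excluded_processes(TAUTOLOGY_FILTER, events))   # []
    print("AND excludes:", excluded_processes(CORRECT_FILTER, events))     # the two schedulers
```

The AND form is the one to use for every scenario above; a quick way to validate any exclusion before deploying it is to run a known-benign event through it and confirm the event is actually dropped.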