The PrikormkaDropper rule detects potential malicious dropper activity by identifying suspicious file artifacts commonly associated with initial compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats before they escalate.
YARA Rule
rule PrikormkaDropper
{
    strings:
        $mz = { 4D 5A }
        $kd1 = "KDSTORAGE" wide
        $kd2 = "KDSTORAGE_64" wide
        $kd3 = "KDRUNDRV32" wide
        $kd4 = "KDRAR" wide
        $bin1 = {69 65 04 15 00 14 1E 4A 16 42 08 6C 21 61 24 0F}
        $bin2 = {76 6F 05 04 16 1B 0D 5E 0D 42 08 6C 20 45 18 16}
        $bin3 = {4D 00 4D 00 43 00 00 00 67 00 75 00 69 00 64 00 56 00 47 00 41 00 00 00 5F 00 73 00 76 00 67 00}
        $inj1 = "?AVCinj2008Dlg@@" ascii
        $inj2 = "?AVCinj2008App@@" ascii
    condition:
        ($mz at 0) and ((any of ($bin*)) or (3 of ($kd*)) or (all of ($inj*)))
}
This YARA rule can be deployed in the following contexts:
This rule contains 10 string patterns in its detection logic.
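The following is an added example, not code from the original page or from the rule's authors: a plain-Python evaluation of this rule's condition against constructed byte buffers, showing how the wide strings, the `$mz at 0` anchor and the `3 of ($kd*)` quantifier behave without needing yara-python. The sample buffers are constructed test data, not real samples.

```python
"""Re-implementation of the PrikormkaDropper YARA condition in plain Python."""
from typing import Dict, List

# Rule strings transcribed from the rule above. YARA "wide" strings are
# matched as UTF-16LE; "ascii" strings and hex patterns are raw bytes.
STRINGS: Dict[str, bytes] = {
    "kd1": "KDSTORAGE".encode("utf-16-le"),
    "kd2": "KDSTORAGE_64".encode("utf-16-le"),
    "kd3": "KDRUNDRV32".encode("utf-16-le"),
    "kd4": "KDRAR".encode("utf-16-le"),
    "bin1": bytes.fromhex("69 65 04 15 00 14 1E 4A 16 42 08 6C 21 61 24 0F"),
    "bin2": bytes.fromhex("76 6F 05 04 16 1B 0D 5E 0D 42 08 6C 20 45 18 16"),
    "bin3": bytes.fromhex("4D 00 4D 00 43 00 00 00 67 00 75 00 69 00 64 00 "
                          "56 00 47 00 41 00 00 00 5F 00 73 00 76 00 67 00"),
    "inj1": b"?AVCinj2008Dlg@@",
    "inj2": b"?AVCinj2008App@@",
}


def evaluate(data: bytes) -> Dict[str, object]:
    """Return which strings hit and whether the full condition is satisfied."""
    hits: List[str] = [name for name, pat in STRINGS.items() if pat in data]
    # "$mz at 0": the MZ header must sit at offset 0, not merely anywhere.
    mz_at_0 = data[:2] == b"MZ"
    any_bin = any(h.startswith("bin") for h in hits)
    # "3 of ($kd*)" means at least three distinct $kd strings. Because
    # KDSTORAGE is a prefix of KDSTORAGE_64, one marker can satisfy two.
    kd_count = sum(h.startswith("kd") for h in hits)
    all_inj = {"inj1", "inj2"} <= set(hits)
    match = bool(mz_at_0 and (any_bin or kd_count >= 3 or all_inj))
    return {"match": match, "strings": hits}


# Constructed sample buffers (not real malware): a 64-byte MZ stub followed
# by the markers needed to exercise each branch of the condition.
MZ_STUB = b"MZ" + b"\x00" * 62
SAMPLE_KD = MZ_STUB + STRINGS["kd2"] + b"\x00\x00" + STRINGS["kd4"]  # kd1,kd2,kd4
SAMPLE_INJ_PARTIAL = MZ_STUB + STRINGS["inj1"]  # only one of the two $inj strings
SAMPLE_NO_MZ = b"\x00\x00" + b"MZ" + STRINGS["inj1"] + STRINGS["inj2"]  # MZ not at 0
SAMPLE_BIN = MZ_STUB + STRINGS["bin1"]

if __name__ == "__main__":
    for label, buf in [("kd", SAMPLE_KD), ("inj_partial", SAMPLE_INJ_PARTIAL),
                       ("no_mz", SAMPLE_NO_MZ), ("bin", SAMPLE_BIN)]:
        print(f"{label:12s} -> {evaluate(buf)}")
```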
Scenario: A system administrator is using PowerShell to deploy a legitimate configuration script that includes base64 encoded content for a legitimate tool (e.g., Chocolatey or Packer).
Filter/Exclusion: Check for the presence of known legitimate tools in the script or use a filter like process.name != "powershell.exe" or process.args !~ "base64".
Scenario: A scheduled job runs a script that decompresses a ZIP file containing legitimate software updates (e.g., from Microsoft Update or Adobe AIR).
Filter/Exclusion: Exclude processes associated with known update mechanisms or use a filter like process.name != "schtasks.exe" or file.name != "update.zip".
Scenario: A Windows service is configured to run a script that unpacks a legitimate application installer (e.g., 7-Zip or WinRAR) during installation.
Filter/Exclusion: Exclude processes related to known installers or use a filter like process.name != "svchost.exe" or file.name != "installer.exe".
Scenario: An IT admin is using PowerShell to automate the deployment of a legitimate payload (e.g., Ansible or Chef) that includes encoded data for configuration purposes.
Filter/Exclusion: Use a filter like process.name != "powershell.exe" or check for the presence of known automation tools in the script.
Scenario: A remote management tool (e.g., Microsoft Intune, Microsoft Endpoint Manager, or Configuration Manager) is unpacking a payload as part of a legitimate software distribution process.
Filter/Exclusion: Exclude processes associated with known enterprise management tools or use a filter like `process.name != "msiexec.exe