The PrikormkaEarlyVersion rule matches Windows PE files (an MZ header at offset 0) that contain at least two of nine strings characteristic of early versions of the Prikormka malware: dropped component names such as rsfvxd.dat, tsb386.dat, frmmlg.dat and smdhost.dll, and internal identifiers such as KDLLCFX and KDLLRUNDRV. "EarlyVersion" refers to early builds of the malware family, not to an early stage of an intrusion: a hit means a file carrying these artifacts is present on disk or in memory, whether it was dropped a minute ago or has been resident for months. YARA is a file and memory scanner, so the rule is run by a scanner (the yara CLI, yara-python, or an EDR or sandbox that consumes YARA rules) and the hits are forwarded to the SIEM; in Azure Sentinel that means ingesting scanner output as alerts or custom logs, not expressing the rule as a KQL query over process telemetry.
YARA Rule
rule PrikormkaEarlyVersion
{
    strings:
        // "MZ", the DOS header every PE file starts with
        $mz = { 4D 5A }
        // artifacts of early Prikormka builds; ascii = one byte per char,
        // wide = UTF-16LE, fullword = no alphanumeric char directly adjacent
        $str36 = "IntelRestore" ascii fullword
        $str37 = "Resent" wide fullword
        $str38 = "ocp8.1" wide fullword
        $str39 = "rsfvxd.dat" ascii fullword
        $str40 = "tsb386.dat" ascii fullword
        $str41 = "frmmlg.dat" ascii fullword
        $str42 = "smdhost.dll" ascii fullword
        $str43 = "KDLLCFX" wide fullword
        $str44 = "KDLLRUNDRV" wide fullword
    condition:
        // must be a PE file AND contain at least two of the nine $str* strings
        ($mz at 0) and (2 of ($str*))
}
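As an added example (not part of the original page and not the rule author's tooling), the Python below re-implements only the operators this rule uses, so that what `fullword`, `wide` and `2 of ($str*)` actually require of the bytes is visible. The sample blobs are constructed here and are not Prikormka samples; the matcher approximates YARA's fullword check rather than reproducing the engine, and `_pe_like`, `find_strings`, `matches_rule` and `scan` are names chosen for this example.

```python
"""Reference matcher for the PrikormkaEarlyVersion rule (added example).

Not the YARA engine and not the rule author's code: it re-implements only the
operators this rule uses, the MZ anchor at offset 0, ascii/wide string
encodings, the fullword modifier, and the `2 of ($str*)` threshold.
The sample blobs at the bottom are constructed for illustration.
"""
import re

# The $str* definitions exactly as written in the rule: (name, text, encoding)
STRINGS = [
    ("$str36", "IntelRestore", "ascii"),
    ("$str37", "Resent", "wide"),
    ("$str38", "ocp8.1", "wide"),
    ("$str39", "rsfvxd.dat", "ascii"),
    ("$str40", "tsb386.dat", "ascii"),
    ("$str41", "frmmlg.dat", "ascii"),
    ("$str42", "smdhost.dll", "ascii"),
    ("$str43", "KDLLCFX", "wide"),
    ("$str44", "KDLLRUNDRV", "wide"),
]
THRESHOLD = 2  # "2 of ($str*)"


def _is_alnum(b):
    """ASCII [0-9A-Za-z], the character class YARA's fullword looks at."""
    return 0x30 <= b <= 0x39 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A


def _fullword_ok(data, start, end, wide):
    """Approximation of YARA's fullword check: the match must not be
    immediately preceded or followed by an alphanumeric character. For wide
    strings a character is two bytes, an ASCII byte followed by 0x00."""
    if wide:
        before = start < 2 or not (_is_alnum(data[start - 2]) and data[start - 1] == 0)
        after = end + 2 > len(data) or not (_is_alnum(data[end]) and data[end + 1] == 0)
    else:
        before = start == 0 or not _is_alnum(data[start - 1])
        after = end >= len(data) or not _is_alnum(data[end])
    return before and after


def find_strings(data):
    """Names of the $str* strings that occur in `data` with fullword semantics."""
    hits = set()
    for name, text, enc in STRINGS:
        wide = enc == "wide"
        needle = text.encode("utf-16-le") if wide else text.encode("ascii")
        for m in re.finditer(re.escape(needle), data):
            if _fullword_ok(data, m.start(), m.end(), wide):
                hits.add(name)
                break
    return hits


def matches_rule(data):
    """Evaluate the rule's condition: ($mz at 0) and (2 of ($str*))."""
    if not data.startswith(b"MZ"):          # $mz = { 4D 5A } at offset 0
        return False
    return len(find_strings(data)) >= THRESHOLD


def _pe_like(*chunks):
    """Constructed stand-in for a PE file: an MZ header, padding, then the
    given byte chunks separated by two NULs (so a wide string never sees an
    'alnum, 0x00' pair left over from the previous chunk)."""
    return b"MZ" + b"\x00" * 62 + b"\x00\x00".join(chunks) + b"\x00\x00"


# Constructed inputs, not real samples.
SAMPLES = {
    # one ascii and one wide artifact -> meets the "2 of" threshold
    "hit_two_strings": _pe_like(b"rsfvxd.dat", "KDLLCFX".encode("utf-16-le")),
    # one artifact only -> below threshold
    "miss_one_string": _pe_like(b"smdhost.dll"),
    # two artifacts but no MZ header (e.g. a text report) -> $mz fails
    "miss_not_pe": b"rsfvxd.dat\x00\x00" + "KDLLCFX".encode("utf-16-le") + b"\x00\x00",
    # the artifacts embedded inside longer identifiers -> fullword rejects them
    "miss_not_fullword": _pe_like(b"xrsfvxd.datx", "KDLLCFXY".encode("utf-16-le")),
}


def scan(samples):
    """Map sample name -> (rule matched?, sorted names of matching $str*)."""
    return {n: (matches_rule(d), sorted(find_strings(d))) for n, d in samples.items()}


if __name__ == "__main__":
    for name, (hit, strs) in scan(SAMPLES).items():
        print(f"{name:18s} match={str(hit):5s} strings={strs}")
```

The "miss_not_pe" case is the one that matters operationally: a threat-intel report or an IOC list saved as text contains exactly these strings, and it is the `$mz at 0` anchor, not the string list, that keeps such files from firing. Against real files the equivalent check is simply the scanner itself, e.g. `yara -r prikormka.yar /path/to/scan` with the rule saved to prikormka.yar.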
Because the rule is pure file-content logic, it can run anywhere file bytes are available: on-host scanning with the yara CLI or yara-python, mail and upload gateways, sandbox post-processing, and memory scanning of running processes.
The rule defines 10 strings, but only the nine $str* strings count toward the 2-of threshold; $mz is a separate, mandatory anchor, and it is what restricts matches to PE files (and to memory regions that begin with a PE header).
Tuning and false positives
The rule matches bytes in a file, not a behaviour, so exclusions keyed on ProcessName, ParentProcessName or CommandLine do not reduce its false positives. The process that happened to read, write or load a file containing these strings (a patch job under wuauclt.exe or services.exe, a configuration-management run under powershell.exe -File, Group Policy logon processing, a Veeam, Commvault or NetBackup agent, cleanmgr.exe or CCleaner) says nothing about whether the bytes are benign; excluding on it only hides the hit. Triage a match on the file itself.
Which strings matched, and where: two dropped-component names (rsfvxd.dat, smdhost.dll) or either KDLL* identifier in a small unsigned DLL is a strong signal; "Resent" is an ordinary English word and "IntelRestore" a plausible product string, so a pair consisting only of those two in a large product binary is weak evidence.
File provenance: is the file signed, and by whom; does its hash appear in the software inventory or a vendor baseline; is the path one the software is expected to write to.
Security tooling: antivirus signature databases, other YARA-based tools, and sandbox or IR utilities legitimately embed indicator strings, and are the usual source of false positives for string-based rules like this one.
Allowlisting, when warranted, is by file hash (or signer plus path), never by the process that touched the file.