The PrikormkaModule YARA rule flags PE files (the MZ header at offset 0) that contain any one of the artifacts listed below: NUL-separated module and function name pairs stored as raw bytes, encoded strings, mutex names, DLL names, configuration and log file name formats, and PDB build paths. It is a file-content rule, so it runs wherever files or memory are scanned with YARA (endpoint scanners, sandbox and triage pipelines, memory scans) rather than over log events. SOC teams can hunt on the resulting alerts in Azure Sentinel, pivoting on which string identifiers matched, to identify early-stage infections that signature-based detection may miss.
YARA Rule
rule PrikormkaModule
{
    strings:
        $mz = { 4D 5A }
        // binary: module name, NUL, function name as raw bytes, e.g. "mp.dll\0Starting\0"
        $str1 = {6D 70 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00}
        $str2 = {68 6C 70 75 63 74 66 2E 64 6C 6C 00 43 79 63 6C 65}
        $str3 = {00 6B 6C 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00}
        $str4 = {69 6F 6D 75 73 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67}
        $str5 = {61 74 69 6D 6C 2E 64 6C 6C 00 4B 69 63 6B 49 6E 50 6F 69 6E 74}
        $str6 = {73 6E 6D 2E 64 6C 6C 00 47 65 74 52 65 61 64 79 46 6F 72 44 65 61 64}
        $str7 = {73 63 72 73 68 2E 64 6C 6C 00 47 65 74 52 65 61 64 79 46 6F 72 44 65 61 64}
        // encrypted (observed here: adding 0x17 to each byte yields readable hostnames)
        $str8 = {50 52 55 5C 17 51 58 17 5E 4A}
        $str9 = {60 4A 55 55 4E 53 58 4B 17 52 57 17 5E 4A}
        $str10 = {55 52 5D 4E 5B 4A 5D 17 51 58 17 5E 4A}
        $str11 = {60 4A 55 55 4E 61 17 51 58 17 5E 4A}
        $str12 = {39 5D 17 1D 1C 0A 3C 57 59 3B 1C 1E 57 58 4C 54 0F}
        // mutex names
        $str13 = "ZxWinDeffContex" ascii wide
        $str14 = "Paramore756Contex43" wide
        $str15 = "Zw_&one@ldrContext43" wide
        // other
        $str16 = "A95BL765MNG2GPRS"
        // dll names (UTF-16 only, except $str22)
        $str17 = "helpldr.dll" wide fullword
        $str18 = "swma.dll" wide fullword
        $str19 = "iomus.dll" wide fullword
        $str20 = "atiml.dll" wide fullword
        $str21 = "hlpuctf.dll" wide fullword
        $str22 = "hauthuid.dll" ascii wide fullword
        // rbcon: configuration keys and file name
        $str23 = "[roboconid][%s]" ascii fullword
        $str24 = "[objectset][%s]" ascii fullword
        $str25 = "rbcon.ini" wide fullword
        // files and logs: timestamped output file name formats
        $str26 = "%s%02d.%02d.%02d_%02d.%02d.%02d.skw" ascii fullword
        $str27 = "%02d.%02d.%02d_%02d.%02d.%02d.%02d.rem" wide fullword
        // pdb strings: build path fragments, not anchored and not fullword
        $str28 = ":\\!PROJECTS!\\Mina\\2015\\" ascii
        $str29 = "\\PZZ\\RMO\\" ascii
        $str30 = ":\\work\\PZZ" ascii
        $str31 = "C:\\Users\\mlk\\" ascii
        $str32 = ":\\W o r k S p a c e\\" ascii
        $str33 = "D:\\My\\Projects_All\\2015\\" ascii
        $str34 = "\\TOOLS PZZ\\Bezzahod\\" ascii
    condition:
        // a PE header plus any single one of the 34 artifact strings
        ($mz at 0) and (any of ($str*))
}
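As an added example (not code from the page, nor from the rule's authors), the following Python decodes the rule's hex patterns and re-evaluates its condition over constructed buffers, so an analyst can see what each $str actually looks for and how strong a single-string hit is. It is a simplified reimplementation of YARA's `ascii`/`wide`/`fullword` handling, not the YARA engine; the +0x17 decoding of the "encrypted" strings is an observation made here from the rule's bytes, since the page does not say how they were encoded.

```python
"""Decode the PrikormkaModule rule's hex patterns and re-evaluate its condition over
constructed buffers (added example; a pure-Python approximation of YARA matching).
Assumption made here: the "encrypted" strings decode by adding 0x17 to every byte."""

# Patterns copied from the rule.  Text patterns: (text, ascii, wide, fullword).
BINARY = {
    "str1": "6D 70 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00",
    "str2": "68 6C 70 75 63 74 66 2E 64 6C 6C 00 43 79 63 6C 65",
    "str3": "00 6B 6C 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00",
    "str4": "69 6F 6D 75 73 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67",
    "str5": "61 74 69 6D 6C 2E 64 6C 6C 00 4B 69 63 6B 49 6E 50 6F 69 6E 74",
    "str6": "73 6E 6D 2E 64 6C 6C 00 47 65 74 52 65 61 64 79 46 6F 72 44 65 61 64",
    "str7": "73 63 72 73 68 2E 64 6C 6C 00 47 65 74 52 65 61 64 79 46 6F 72 44 65 61 64",
}
ENCRYPTED = {
    "str8": "50 52 55 5C 17 51 58 17 5E 4A",
    "str9": "60 4A 55 55 4E 53 58 4B 17 52 57 17 5E 4A",
    "str10": "55 52 5D 4E 5B 4A 5D 17 51 58 17 5E 4A",
    "str11": "60 4A 55 55 4E 61 17 51 58 17 5E 4A",
    "str12": "39 5D 17 1D 1C 0A 3C 57 59 3B 1C 1E 57 58 4C 54 0F",
}
TEXT = {
    "str13": ("ZxWinDeffContex", True, True, False),
    "str14": ("Paramore756Contex43", False, True, False),
    "str15": ("Zw_&one@ldrContext43", False, True, False),
    "str16": ("A95BL765MNG2GPRS", True, False, False),
    "str17": ("helpldr.dll", False, True, True),
    "str18": ("swma.dll", False, True, True),
    "str19": ("iomus.dll", False, True, True),
    "str20": ("atiml.dll", False, True, True),
    "str21": ("hlpuctf.dll", False, True, True),
    "str22": ("hauthuid.dll", True, True, True),
    "str23": ("[roboconid][%s]", True, False, True),
    "str24": ("[objectset][%s]", True, False, True),
    "str25": ("rbcon.ini", False, True, True),
    "str26": ("%s%02d.%02d.%02d_%02d.%02d.%02d.skw", True, False, True),
    "str27": ("%02d.%02d.%02d_%02d.%02d.%02d.%02d.rem", False, True, True),
    "str28": (":\\!PROJECTS!\\Mina\\2015\\", True, False, False),
    "str29": ("\\PZZ\\RMO\\", True, False, False),
    "str30": (":\\work\\PZZ", True, False, False),
    "str31": ("C:\\Users\\mlk\\", True, False, False),
    "str32": (":\\W o r k S p a c e\\", True, False, False),
    "str33": ("D:\\My\\Projects_All\\2015\\", True, False, False),
    "str34": ("\\TOOLS PZZ\\Bezzahod\\", True, False, False),
}

def decode_shifted(raw, shift=0x17):
    """Assumed decoding of the 'encrypted' patterns: add 0x17 to each byte (mod 256)."""
    return bytes((b + shift) & 0xFF for b in raw).decode("latin-1")

def _alnum(byte):
    return byte < 0x80 and chr(byte).isalnum()

def _fullword_ok(data, start, end, wide):
    """Approximation of YARA's fullword test: no alphanumeric character touches the match."""
    if wide:
        before = start >= 2 and data[start - 1] == 0 and _alnum(data[start - 2])
        after = end + 1 < len(data) and data[end + 1] == 0 and _alnum(data[end])
    else:
        before = start >= 1 and _alnum(data[start - 1])
        after = end < len(data) and _alnum(data[end])
    return not (before or after)

def _variants(name):
    """Byte forms a pattern can take: (pattern_bytes, is_wide, fullword)."""
    if name in TEXT:
        text, ascii_, wide, fullword = TEXT[name]
        return ([(text.encode("latin-1"), False, fullword)] if ascii_ else []) + (
            [(text.encode("utf-16-le"), True, fullword)] if wide else [])
    return [(bytes.fromhex({**BINARY, **ENCRYPTED}[name]), False, False)]

def matched_strings(data):
    """Identifiers whose pattern occurs in data, as `yara -s` would list them."""
    hits = []
    for name in [*BINARY, *ENCRYPTED, *TEXT]:
        for pattern, wide, fullword in _variants(name):
            pos = data.find(pattern)
            while pos != -1:
                if not fullword or _fullword_ok(data, pos, pos + len(pattern), wide):
                    hits.append(name)
                    break
                pos = data.find(pattern, pos + 1)
    return hits

def prikormka_module(data, required=1):
    """Rule condition: ($mz at 0) and (any of ($str*)); required=2 models `2 of ($str*)`."""
    return data[:2] == b"MZ" and len(matched_strings(data)) >= required

# Constructed sample buffers (not real samples): one hit and three instructive near-misses.
SAMPLES = {
    "hit": b"MZ" + b"\x00" * 62 + "helpldr.dll".encode("utf-16-le") + b"\x00\x00" + bytes.fromhex(ENCRYPTED["str9"]),
    "ascii_only": b"MZ" + b"\x00" * 62 + b"helpldr.dll\x00",  # $str17 is wide-only: no match
    "no_mz": b"PK" + b"\x00" * 62 + "helpldr.dll".encode("utf-16-le"),  # strings but no PE header
    "pdb_only": b"MZ" + b"\x00" * 62 + b"C:\\Users\\mlk\\x.pdb",  # one weak path fragment suffices
}
```

Calling `decode_shifted` on $str8 to $str11 yields four readable .ua hostnames, which is what makes those byte patterns worth keeping in the rule. The samples show that an ASCII-only "helpldr.dll" does not fire (the rule marks it `wide`), that the strings without an MZ header do not fire, and that a lone PDB-path fragment such as $str31 does; `prikormka_module(buf, required=2)` is the equivalent of tightening the condition to `2 of ($str*)` when that last case is too noisy.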
This YARA rule can be deployed in the following contexts:
This rule contains 35 string patterns in its detection logic: $mz plus $str1 through $str34. The condition is ($mz at 0) and (any of ($str*)), so a file needs the PE header at offset 0 and just one of the 34 artifact strings to match; the rule name is not a file name and nothing in the rule inspects file names or processes.
Scenario: A developer's build output carries a PDB path that happens to contain one of the un-anchored path fragments, most plausibly $str31 ("C:\Users\mlk\"), which is only a user-profile prefix rather than a project-specific name. Because the condition is any of ($str*), a single such match on any MZ file fires the rule.
Filter/Exclusion: Inspect which strings matched (yara -s) and treat hits on $str28 through $str34 alone as low confidence; escalate when a DLL name, mutex, function name or encoded string also matches. Where this is too noisy, tighten the condition to 2 of ($str*) or move the PDB-path strings into a separate, lower-severity rule.
Scenario: Security tooling keeps these same literals on disk: YARA rule files, IOC lists, sandbox reports or detection test packs. Plain text does not fire because $mz at 0 requires a PE header, but a compiled scanner or test harness that embeds the indicators can.
Filter/Exclusion: Hash-allowlist those specific artifacts or exclude the tool's install and signature directories by path. Do not exclude by process name, since a YARA file match carries no process context.
Scenario: A sandbox or automated triage job unpacks suspect samples into a temporary directory (e.g., C:\Windows\Temp\) and the scanner sees them there.
Filter/Exclusion: Exclude only the sandbox's known working directory or host, never temporary directories in general; malware staged in %TEMP% is exactly what the rule should catch.
Scenario: A legitimate enterprise application (e.g., Microsoft Endpoint Protection,