Unusual file system activity involving the file "3665415_sys" may indicate adversary tampering or a persistence mechanism. SOC teams should proactively hunt for this behavior in Azure Sentinel so that a potential compromise is identified and contained early.
YARA Rule
rule Regin_Sample_1
{
    meta:
        description = "Auto-generated rule - file-3665415_sys"
        author = "@MalwrSignatures"
        date = "26.11.14"
        hash = "773d7fab06807b5b1bc2d74fa80343e83593caf2"
    strings:
        $s0 = "Getting PortName/Identifier failed - %x" fullword ascii
        $s1 = "SerialAddDevice - error creating new devobj [%#08lx]" fullword ascii
        $s2 = "External Naming Failed - Status %x" fullword ascii
        $s3 = "------- Same multiport - different interrupts" fullword ascii
        $s4 = "%x occurred prior to the wait - starting the" fullword ascii
        $s5 = "'user registry info - userPortIndex: %d" fullword ascii
        $s6 = "Could not report legacy device - %x" fullword ascii
        $s7 = "entering SerialGetPortInfo" fullword ascii
        $s8 = "'user registry info - userPort: %x" fullword ascii
        $s9 = "IoOpenDeviceRegistryKey failed - %x " fullword ascii
        $s10 = "Kernel debugger is using port at address %X" fullword ascii
        $s12 = "Release - freeing multi context" fullword ascii
        $s13 = "Serial driver will not load port" fullword ascii
        $s14 = "'user registry info - userAddressSpace: %d" fullword ascii
        $s15 = "SerialAddDevice: Enumeration request, returning NO_MORE_ENTRIES" fullword ascii
        $s20 = "'user registry info - userIndexed: %d" fullword ascii
    condition:
        all of them and filesize < 110KB and filesize > 80KB
}
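Before deploying the rule, it helps to confirm that a sample carrying all 16 strings at the expected size fires and that a sample outside the size window does not. The following Python script is an added example, not part of the original page or the rule author's tooling: it builds a constructed fixture, emulates the rule's condition (`all of them`, `fullword ascii`, and the filesize bounds) with a hypothetical helper, and writes the fixture to disk so it can also be scanned with the real `yara` command-line tool.

```python
import re

# The 16 `fullword ascii` strings from Regin_Sample_1, copied from the rule above.
RULE_STRINGS = [
    "Getting PortName/Identifier failed - %x",
    "SerialAddDevice - error creating new devobj [%#08lx]",
    "External Naming Failed - Status %x",
    "------- Same multiport - different interrupts",
    "%x occurred prior to the wait - starting the",
    "'user registry info - userPortIndex: %d",
    "Could not report legacy device - %x",
    "entering SerialGetPortInfo",
    "'user registry info - userPort: %x",
    "IoOpenDeviceRegistryKey failed - %x ",
    "Kernel debugger is using port at address %X",
    "Release - freeing multi context",
    "Serial driver will not load port",
    "'user registry info - userAddressSpace: %d",
    "SerialAddDevice: Enumeration request, returning NO_MORE_ENTRIES",
    "'user registry info - userIndexed: %d",
]
MIN_SIZE, MAX_SIZE = 80 * 1024, 110 * 1024  # filesize > 80KB and < 110KB (YARA KB = 1024)

def fullword_present(data: bytes, s: str) -> bool:
    """Emulate YARA `fullword ascii`: the string must not be directly preceded
    or followed by an alphanumeric byte (hypothetical helper, not YARA itself)."""
    pat = rb"(?<![A-Za-z0-9])" + re.escape(s.encode("ascii")) + rb"(?![A-Za-z0-9])"
    return re.search(pat, data) is not None

def rule_matches(data: bytes) -> bool:
    """Evaluate `all of them and filesize < 110KB and filesize > 80KB`."""
    if not (MIN_SIZE < len(data) < MAX_SIZE):
        return False
    return all(fullword_present(data, s) for s in RULE_STRINGS)

def build_fixture(size: int, strings=RULE_STRINGS) -> bytes:
    """Constructed test fixture: each string NUL-terminated, zero-padded to `size`."""
    body = b"".join(s.encode("ascii") + b"\x00" for s in strings)
    if len(body) > size:
        raise ValueError("requested size too small for the embedded strings")
    return body + b"\x00" * (size - len(body))

if __name__ == "__main__":
    # Write a matching fixture to disk; scan it with: yara regin.yar fixture.bin
    with open("fixture.bin", "wb") as fh:
        fh.write(build_fixture(90 * 1024))
    print("fixture matches:", rule_matches(build_fixture(90 * 1024)))
```

The emulation is a quick sanity check only; the authoritative result comes from compiling the rule with yara and scanning fixture.bin.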
This rule contains 16 string patterns in its detection logic. Because YARA matches on file content rather than on the process touching the file, the process-based filters below are applied to the resulting alert in the SIEM or EDR, not inside the rule. The following benign scenarios may trigger the rule when it is deployed; each is paired with a suggested filter or exclusion:
Scenario: System file integrity check using Microsoft Defender
Description: A scheduled task runs Microsoft Defender’s file integrity check, which may trigger the rule due to normal file scanning activity.
Filter/Exclusion: process.parent_process_name : "Windows Defender Antivirus Service"
Scenario: Windows Update installation
Description: During a Windows Update installation, system files are temporarily modified or replaced, which may be flagged by the rule.
Filter/Exclusion: process.name : "wuauclt.exe" or process.parent_process_name : "svchost.exe"
Scenario: Scheduled backup job using Veeam Backup & Replication
Description: A backup job initiated by Veeam may involve copying or modifying system files, leading to false positives.
Filter/Exclusion: process.name : "vmbackup.exe" or process.parent_process_name : "Veeam Backup Service"
Scenario: PowerShell script running as part of system maintenance
Description: An admin-run PowerShell script (e.g., for log cleanup or registry maintenance) may trigger the rule due to file access.
Filter/Exclusion: process.name : "powershell.exe" and process.user : "Administrator" with a custom field indicating it’s a known maintenance script.
Scenario: Antivirus signature update
Description: An antivirus tool (e.g., Bitdefender, Kaspersky) may update its signature database, which can involve reading or writing system files.
Filter/Exclusion: process.name : "bdagent.exe" or process.name : "kavsvc.exe" depending on the antivirus tool.