The rule detects the presence of a suspicious binary file potentially associated with memory-resident malware that may evade traditional detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential advanced persistent threats that leverage fileless execution techniques.
YARA Rule
rule Regin_Sample_2
{
meta:
description = "Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin"
author = "@MalwrSignatures"
date = "26.11.14"
hash = "a7b285d4b896b66fce0ebfcd15db53b3a74a0400"
strings:
$s0 = "\\SYSTEMROOT\\system32\\lsass.exe" fullword wide
$s1 = "atapi.sys" fullword wide
$s2 = "disk.sys" fullword wide
$s3 = "IoGetRelatedDeviceObject" fullword ascii
$s4 = "HAL.dll" fullword ascii
$s5 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services" fullword ascii
$s6 = "PsGetCurrentProcessId" fullword ascii
$s7 = "KeGetCurrentIrql" fullword ascii
$s8 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
$s9 = "KeSetImportanceDpc" fullword ascii
$s10 = "KeQueryPerformanceCounter" fullword ascii
$s14 = "KeInitializeEvent" fullword ascii
$s15 = "KeDelayExecutionThread" fullword ascii
$s16 = "KeInitializeTimerEx" fullword ascii
$s18 = "PsLookupProcessByProcessId" fullword ascii
$s19 = "ExReleaseFastMutexUnsafe" fullword ascii
$s20 = "ExAcquireFastMutexUnsafe" fullword ascii
condition:
all of them and filesize < 40KB and filesize > 30KB
}This YARA rule can be deployed in the following contexts:
This rule contains 17 string patterns in its detection logic.
Scenario: System File Integrity Check Using Microsoft’s Sigcheck Tool
Description: A security administrator is using Sigcheck to verify the integrity of system files, which may include checking files with suspicious names or hashes.
Filter/Exclusion: process.name != "sigcheck.exe" or process.parent.name != "cmd.exe" and process.parent.name != "powershell.exe"
Scenario: Scheduled System Maintenance Task Using Task Scheduler
Description: A legitimate scheduled task is running a maintenance script that temporarily creates or modifies files in system directories.
Filter/Exclusion: process.name != "schtasks.exe" or process.parent.name != "services.exe"
Scenario: Antivirus or Endpoint Protection Scan Using Windows Defender
Description: Windows Defender or another EPP tool is performing a full system scan, which may temporarily create or access files with similar names.
Filter/Exclusion: process.name != "WindowsDefender.exe" or process.name != "mpsvc.exe"
Scenario: Software Deployment via Group Policy or SCCM
Description: A system administrator is deploying software using Group Policy or SCCM, which may involve copying or unpacking files with similar names.
Filter/Exclusion: process.name != "msiexec.exe" or process.name != "gpupdate.exe"
Scenario: Debugging or Analysis Using WinDbg or Procmon
Description: A developer or analyst is using WinDbg or Process Monitor to debug or analyze a process, which may involve interacting with files in memory or on disk.
Filter/Exclusion: process.name != "procmon.exe" or process.name != "windbg.exe"