This detection identifies potential Stuxnet malware activity through strings that reference a suspicious temporary file (~WTR4141.tmp), which indicates possible adversary persistence or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage legacy malware techniques.
YARA Rule
rule Stuxnet_Malware_3
{
    meta:
        description = "Stuxnet Sample - file ~WTR4141.tmp"
        author = "Florian Roth"
        reference = "Internal Research"
        date = "2016-07-09"
        hash1 = "6bcf88251c876ef00b2f32cf97456a3e306c2a263d487b0a50216c6e3cc07c6a"
        hash2 = "70f8789b03e38d07584f57581363afa848dd5c3a197f2483c6dfa4f3e7f78b9b"
    strings:
        $x1 = "SHELL32.DLL.ASLR." fullword wide
        $s1 = "~WTR4141.tmp" fullword wide
        $s2 = "~WTR4132.tmp" fullword wide
        $s3 = "totalcmd.exe" fullword wide
        $s4 = "wincmd.exe" fullword wide
        $s5 = "http://www.realtek.com0" fullword ascii
        $s6 = "{%08x-%08x-%08x-%08x}" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 150KB and ( $x1 or 3 of ($s*) ) ) or ( 5 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
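The following is an added walkthrough of the rule's condition in plain Python, not code from the rule's author or from the signature-base project. It mirrors the seven strings and the condition above so an analyst can trace why a file does or does not fire without a YARA install, including that the ~WTR4141.tmp string alone inside a PE is not enough. Assumed YARA semantics: KB is 1024 bytes, wide is UTF-16LE, and fullword means the match is not adjacent to an ASCII alphanumeric character; all inputs are constructed.

```python
import struct

# (identifier, literal, wide?) copied from the rule's strings section
STRINGS = [
    ("x1", "SHELL32.DLL.ASLR.", True),
    ("s1", "~WTR4141.tmp", True),
    ("s2", "~WTR4132.tmp", True),
    ("s3", "totalcmd.exe", True),
    ("s4", "wincmd.exe", True),
    ("s5", "http://www.realtek.com0", False),
    ("s6", "{%08x-%08x-%08x-%08x}", True),
]

def _alnum(chunk: bytes, wide: bool) -> bool:
    """True when the bytes next to a match form an ASCII alphanumeric character."""
    if wide:
        return len(chunk) == 2 and chunk[1:2] == b"\x00" and chunk[:1].isalnum()
    return len(chunk) == 1 and chunk.isalnum()

def fullword_search(data: bytes, text: str, wide: bool) -> bool:
    """Emulate one YARA 'fullword' string (wide = UTF-16LE), checking every occurrence."""
    lit = text.encode("utf-16-le" if wide else "ascii")
    step = 2 if wide else 1
    start = 0
    while (i := data.find(lit, start)) >= 0:
        before = data[i - step:i] if i >= step else data[:i]
        after = data[i + len(lit):i + len(lit) + step]
        if not _alnum(before, wide) and not _alnum(after, wide):
            return True
        start = i + 1
    return False

def evaluate(data: bytes) -> dict:
    """Return the per-string hits and whether the rule's condition holds."""
    hits = {n: fullword_search(data, t, w) for n, t, w in STRINGS}
    is_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D  # uint16(0) == 0x5a4d
    small = len(data) < 150 * 1024                                            # filesize < 150KB
    s_hits = sum(v for n, v in hits.items() if n.startswith("s"))            # N of ($s*)
    matched = (is_mz and small and (hits["x1"] or s_hits >= 3)) or sum(hits.values()) >= 5
    return {"match": matched, "mz": is_mz, "hits": hits}

# Constructed inputs for the walkthrough, not real samples.
def W(s: str) -> bytes: return s.encode("utf-16-le")
SEP = b"\x00\x00"
PE_STUB = b"MZ" + b"\x00" * 62                              # bare DOS header, no strings
THREE_S = PE_STUB + SEP.join(W(s) for s in ("~WTR4141.tmp", "~WTR4132.tmp", "totalcmd.exe"))
ONLY_TMP_NAME = PE_STUB + W("~WTR4141.tmp") + SEP            # the filename string alone: no fire
NOT_FULLWORD = PE_STUB + W("x~WTR4141.tmpx")                 # glued to alphanumerics: no hit
NOT_PE_FIVE = b"text " + SEP.join(W(s) for s in ("~WTR4141.tmp", "~WTR4132.tmp",
              "totalcmd.exe", "wincmd.exe")) + b" http://www.realtek.com0 "  # fires via '5 of them'
```

Because the rule scores file content, the process-name filters in the scenarios that follow apply to the file-creation event layer, not to the YARA verdict itself.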
Scenario: Temporary file generated by a legitimate backup tool
Description: A backup tool like Veeam or Commvault may generate temporary files with similar naming patterns during a backup process.
Filter/Exclusion: Check the file path and process origin. Use a filter like:
(process.name = "veeam.exe" or process.name = "commvault.exe") and (file.path contains "backup")
Scenario: Scheduled job creating a temporary file for log processing
Description: A system or application log processing job (e.g., Splunk, ELK Stack, or Logstash) may create temporary files named similarly during data ingestion.
Filter/Exclusion: Filter by process name and job context:
(process.name = "splunkd.exe" or process.name = "logstash.exe") and (file.path contains "temp" or file.path contains "logs")
Scenario: User-generated temporary file during software installation
Description: A user may manually create a file named ~WTR4141.tmp during a software installation or configuration process, especially with tools like Chocolatey or WSL.
Filter/Exclusion: Check for user-initiated actions and file creation context:
(user.name != "system") and (process.name contains "choco" or process.name contains "wsl.exe")
Scenario: Antivirus or endpoint protection tool creating a temporary file
Description: Security tools like Kaspersky, Bitdefender, or Malwarebytes may generate temporary files during scan operations.
Filter/Exclusion: Filter by known security tool processes:
(process.name contains "kav"