The FireCrypt IOCs below identify artifacts of a ransomware attack: encryption of files, use of compromised systems to exfiltrate data, and disruption of operations. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate ransomware activity before significant data loss or system downtime occurs.
IOC Summary
Malware Family: FireCrypt
Total IOCs: 9
IOC Types: md5_hash, sha256_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | e7026b2f6adadbf070e9926e1d4b79a65044cd5c | payload | 2026-06-11 | 95% |
| md5_hash | 92bc3b1ba378c14e601c4e617ec7c422 | payload | 2026-06-11 | 95% |
| sha1_hash | 13d8b44123e6f9f9a58a9359d0a772566f4eff3b | payload | 2026-06-11 | 95% |
| md5_hash | 93996829b15b3cf1bb4bd79f2091d72f | payload | 2026-06-11 | 95% |
| sha256_hash | 3d008cb4d346a95396868f786ec6d4fe7e12a0451768f957664abba7469f2cf0 | payload | 2026-06-11 | 95% |
| sha1_hash | 8314be1136b9d1fc76350f1c7ef4cf8fe52a4acb | payload | 2026-06-11 | 95% |
| md5_hash | e06aacd6139288d5bea4a676ee0c2404 | payload | 2026-06-11 | 95% |
| sha256_hash | 73b2c01ca7f082bf4d999426e07886144b7bccaecead90e1acf661695fda39b1 | payload | 2026-06-11 | 95% |
| sha256_hash | 68a34fd6765d3a6d791e83c29e783fbe585579e08ea1ad569962e6644a3197a3 | payload | 2026-06-11 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - FireCrypt
// The list mixes MD5, SHA1 and SHA256 digests; each column is tested against the
// whole list, which is safe because the three digest lengths never collide.
let malicious_hashes = dynamic(["e7026b2f6adadbf070e9926e1d4b79a65044cd5c", "92bc3b1ba378c14e601c4e617ec7c422", "13d8b44123e6f9f9a58a9359d0a772566f4eff3b", "93996829b15b3cf1bb4bd79f2091d72f", "3d008cb4d346a95396868f786ec6d4fe7e12a0451768f957664abba7469f2cf0", "8314be1136b9d1fc76350f1c7ef4cf8fe52a4acb", "e06aacd6139288d5bea4a676ee0c2404", "73b2c01ca7f082bf4d999426e07886144b7bccaecead90e1acf661695fda39b1", "68a34fd6765d3a6d791e83c29e783fbe585579e08ea1ad569962e6644a3197a3"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
// Keep all three hash columns so the analyst can see which value matched
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
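A way to sanity-check an IOC list like the one above before loading it into a Sentinel watchlist, and to replay the hunt predicate against exported DeviceFileEvents rows offline. This is an added Python example, not code from the page or from ThreatFox; the three IOCs are taken from the table, while the event records are constructed and the `hunt` helper names are assumptions.

```python
import re

# Expected hex-digest length for each hash type used in the IOC table, and the
# DeviceFileEvents column each type is compared with.
HASH_LENGTHS = {"md5_hash": 32, "sha1_hash": 40, "sha256_hash": 64}
FIELD_TO_TYPE = {"SHA256": "sha256_hash", "SHA1": "sha1_hash", "MD5": "md5_hash"}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Three entries taken from the FireCrypt IOC table above (type, value).
FIRECRYPT_IOCS = [
    ("sha1_hash", "e7026b2f6adadbf070e9926e1d4b79a65044cd5c"),
    ("md5_hash", "92bc3b1ba378c14e601c4e617ec7c422"),
    ("sha256_hash", "3d008cb4d346a95396868f786ec6d4fe7e12a0451768f957664abba7469f2cf0"),
]

# Constructed sample events (not real telemetry): an MD5-only hit, a SHA256
# hit recorded in uppercase hex, and a benign file with no matching hash.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "update.exe", "SHA256": "0" * 64,
     "SHA1": None, "MD5": "92bc3b1ba378c14e601c4e617ec7c422"},
    {"DeviceName": "srv02", "FileName": "svc.dll", "SHA1": "1" * 40, "MD5": None,
     "SHA256": "3D008CB4D346A95396868F786EC6D4FE7E12A0451768F957664ABBA7469F2CF0"},
    {"DeviceName": "ws03", "FileName": "notes.txt", "SHA256": "2" * 64,
     "SHA1": "3" * 40, "MD5": "4" * 32},
]

def validate_iocs(iocs):
    """Lowercase and bucket by type; reject entries whose length or charset does
    not fit the declared type (a mistyped hash in a watchlist never matches)."""
    valid = {t: set() for t in HASH_LENGTHS}
    rejected = []
    for ioc_type, value in iocs:
        v = value.strip().lower()
        if len(v) != HASH_LENGTHS.get(ioc_type, -1) or not HEX_RE.match(v):
            rejected.append((ioc_type, value))
        else:
            valid[ioc_type].add(v)
    return valid, rejected

def match_event(event, valid):
    """Same predicate as the KQL (SHA256 or SHA1 or MD5 in the list), but each
    column is compared with its own hash type and the hit columns are returned."""
    return [f for f, t in FIELD_TO_TYPE.items()
            if (event.get(f) or "").lower() in valid[t]]

def hunt(events, iocs):
    """Return (DeviceName, FileName, hit columns) for every matching event."""
    valid, _ = validate_iocs(iocs)
    return [(e["DeviceName"], e["FileName"], match_event(e, valid))
            for e in events if match_event(e, valid)]
```

Running `hunt(SAMPLE_EVENTS, FIRECRYPT_IOCS)` reports the two constructed hits and names the column that matched for each, which is the detail the `project` clause in the query above needs to expose for triage.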
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses a tool like PowerShell or Task Scheduler to perform routine system checks or updates.
Filter/Exclusion: Exclude processes initiated by Task Scheduler or schtasks.exe with known maintenance scripts.
Scenario: Admin Using FireCrypt for Legitimate Encryption
Description: A system administrator uses FireCrypt (a legitimate encryption tool) to encrypt sensitive data on a workstation or server.
Filter/Exclusion: Exclude processes initiated by user accounts with administrative privileges and associated with known encryption tools like FireCrypt.exe.
Scenario: Log Collection and Analysis Tool
Description: A log analysis tool like Splunk or ELK Stack is configured to read and parse system logs, which may include paths or commands similar to FireCrypt IOCs.
Filter/Exclusion: Exclude processes related to log collection tools or those interacting with log files (*.log, *.txt, or *.csv files).
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool like Malwarebytes or Kaspersky performs a full system scan and temporarily creates or accesses files that match FireCrypt IOCs.
Filter/Exclusion: Exclude processes associated with known antivirus or endpoint protection software (e.g., mbam.exe, kavsvc.exe).
Scenario: DevOps Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads artifacts or dependencies that include files with names or paths similar to FireCrypt IOCs.
Filter/Exclusion: Exclude processes initiated by CI/CD tools or those accessing known artifact repositories (e.g., *.zip, *.tar.gz files from internal or public repos