The ThreatFox: TinyLoader IOCs rule detects potential adversary activity associated with the TinyLoader malware, which is commonly used to deliver ransomware and other malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to data exfiltration or system disruption.
IOC Summary
Malware Family: TinyLoader
Total IOCs: 3
IOC Types: md5_hash, sha256_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | d13cad682fd5abb767313f79c1732822 | payload | 2026-06-11 | 95% |
| sha256_hash | b3e6200b05e579b9577686e9f510338b197fe392483f3d2eb50398d3097573cb | payload | 2026-06-11 | 95% |
| sha1_hash | 2a6ff4571b915d61b60ecc2922d342f07bdfb71d | payload | 2026-06-11 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - TinyLoader
// Note: `in` is case-sensitive; if hash case in your telemetry is not guaranteed lower-case, use `in~`
let malicious_hashes = dynamic(["d13cad682fd5abb767313f79c1732822", "b3e6200b05e579b9577686e9f510338b197fe392483f3d2eb50398d3097573cb", "2a6ff4571b915d61b60ecc2922d342f07bdfb71d"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
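The query above checks three hash columns against one mixed-type IOC list. The Python below is an added example, not part of the ThreatFox rule or the page's own code: it reproduces that matching logic offline over constructed `DeviceFileEvents` records, normalises hash case (feeds and telemetry do not agree on hex case, and the KQL `in` operator is case-sensitive), and validates each IOC as a well-formed md5/sha1/sha256 digest (algorithm inferred from hex length) before it is used, which catches truncated or malformed entries before they reach a watchlist. The three hash values are the ones from the IOC table on this page; the event rows and device names are constructed sample data.

```python
"""Offline reproduction of the hash-IOC hunt, with IOC validation and case normalisation."""
import re
from typing import Dict, Iterable, List, Optional

# The three IOCs from the page's table, as a feed might deliver them.
# One is deliberately upper-case to exercise normalisation.
TINYLOADER_IOCS = [
    "d13cad682fd5abb767313f79c1732822",
    "B3E6200B05E579B9577686E9F510338B197FE392483F3D2EB50398D3097573CB",
    "2a6ff4571b915d61b60ecc2922d342f07bdfb71d",
]

_HEX = re.compile(r"^[0-9a-f]+$")
# Hex digest lengths of the three algorithms the IOC table uses.
_DIGEST_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}

# Columns the KQL checks on each DeviceFileEvents row.
HASH_COLUMNS = ("SHA256", "SHA1", "MD5")


def normalize_hash(value: str) -> str:
    """Lower-case and strip whitespace so feed and telemetry values compare equal."""
    return value.strip().lower()


def classify_hash(value: str) -> Optional[str]:
    """Return 'md5', 'sha1' or 'sha256' based on hex length, or None if the value
    is not a well-formed hex digest of one of those lengths."""
    h = normalize_hash(value)
    if not _HEX.match(h):
        return None
    return _DIGEST_ALGO.get(len(h))


def load_iocs(raw: Iterable[str]) -> Dict[str, str]:
    """Build a lookup of normalised hash -> algorithm, dropping malformed entries."""
    iocs: Dict[str, str] = {}
    for raw_value in raw:
        algo = classify_hash(raw_value)
        if algo is not None:
            iocs[normalize_hash(raw_value)] = algo
    return iocs


def match_events(events: Iterable[dict], iocs: Dict[str, str]) -> List[dict]:
    """Mirror the KQL: a row matches if any hash column is in the IOC set.
    Output carries the same projected fields plus which column/algorithm hit,
    ordered by Timestamp descending."""
    hits: List[dict] = []
    for ev in events:
        for column in HASH_COLUMNS:
            value = ev.get(column)
            if not value:
                continue  # hash columns can be empty for some file events
            h = normalize_hash(value)
            if h in iocs:
                hits.append({
                    "Timestamp": ev["Timestamp"],
                    "DeviceName": ev["DeviceName"],
                    "FileName": ev["FileName"],
                    "FolderPath": ev["FolderPath"],
                    "SHA256": ev.get("SHA256"),
                    "InitiatingProcessFileName": ev["InitiatingProcessFileName"],
                    "MatchedColumn": column,
                    "MatchedAlgo": iocs[h],
                })
                break  # one output row per event, as in the KQL
    hits.sort(key=lambda r: r["Timestamp"], reverse=True)
    return hits


# Constructed sample rows (not real telemetry). Row 2 carries an upper-case SHA1
# and no SHA256; row 3 is a benign file (digests of the empty input).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-11T09:14:02Z", "DeviceName": "WS-042", "FileName": "update.exe",
     "FolderPath": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "SHA256": "b3e6200b05e579b9577686e9f510338b197fe392483f3d2eb50398d3097573cb",
     "SHA1": "0000000000000000000000000000000000000000", "MD5": "",
     "InitiatingProcessFileName": "powershell.exe"},
    {"Timestamp": "2026-06-11T11:02:47Z", "DeviceName": "SRV-07", "FileName": "svc.dll",
     "FolderPath": r"C:\ProgramData\svc.dll",
     "SHA256": "", "SHA1": "2A6FF4571B915D61B60ECC2922D342F07BDFB71D", "MD5": None,
     "InitiatingProcessFileName": "rundll32.exe"},
    {"Timestamp": "2026-06-11T08:00:00Z", "DeviceName": "WS-019", "FileName": "empty.txt",
     "FolderPath": r"C:\Users\bob\empty.txt",
     "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "MD5": "d41d8cd98f00b204e9800998ecf8427e",
     "InitiatingProcessFileName": "notepad.exe"},
]


def hunt() -> List[dict]:
    """Run the full pipeline on the constructed sample data."""
    return match_events(SAMPLE_EVENTS, load_iocs(TINYLOADER_IOCS))


if __name__ == "__main__":
    for row in hunt():
        print(row["Timestamp"], row["DeviceName"], row["FileName"],
              row["MatchedColumn"], row["MatchedAlgo"])
```

Loading the feed through `load_iocs` rather than pasting it into a `dynamic([...])` literal is what you would do when the list is refreshed automatically (for example into a Sentinel watchlist): a truncated or non-hex entry is dropped and logged instead of silently never matching.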
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| System update or patching process using Chocolatey to install legitimate software | Check for ProcessName containing "choco" or "Chocolatey" and filter out packages known to be safe (e.g., 7zip, Notepad++) |
| PowerShell scheduled job running a legitimate script for system maintenance | Filter out processes with ProcessName "powershell" and check for known safe scripts or paths (e.g., C:\Windows\System32\ or C:\Program Files\) |
| Windows Task Scheduler executing a legitimate administrative task (e.g., log cleanup) | Exclude tasks with TaskName matching known system tasks or those running under SYSTEM or LocalSystem context |
| Windows Event Log cleanup or archiving using LogParser | Filter out processes with ProcessName "logparser" or check for execution from known log management tools (e.g., C:\Windows\System32\LogParser.exe) |
| Docker container running a legitimate application with known IOCs in its filesystem | Exclude processes with ImageName or ContainerName matching known Docker images, or check for ProcessParent matching the Docker daemon (dockerd.exe) |