diff --git a/HiCrypt_Ransomware b/HiCrypt_Ransomware
new file mode 100644
index 0000000..28fbf2c
--- /dev/null
+++ b/HiCrypt_Ransomware
@@ -0,0 +1,26 @@
+rule HiCrypt_Ransomware {
+ meta:
+ Author = "InQuest Labs"
+ Category = "Malicious Characteristics"
+ Creation_Date = "2022-11-04T20:51:11"
+ Description = "This signature detects the HiCrypt Ransomware executable. This ransomware deletes backups then encrypts files while covering its tracks by clearing logs on the host it infects."
+ EventID = "5001909"
+ Last_Revision_Date = "2022-11-10T18:52:43"
+ Mitre_Tactics = "TA0002 - Execution,TA0005 - Defense Evasion,TA0007 - Discovery,TA0011 - Command and Control"
+ Mitre_Techniques = "T1070 - Indicator Removal on Host,T1485 - Data Destruction,T1088 - Bypass User Account Control,T1112 - Modify Registry,T1486 - Data Encrypted for Impact"
+ Name = "HiCrypt_Ransomware"
+ References = "InQuest Labs Empirical Observation"
+ Revision = "13"
+ strings:
+ $sig= "FromSiberiaWithLove" ascii wide nocase
+ $str1= "wevtutil.exe cl application" ascii wide nocase
+ $str2= "wevtutil.exe cl system" ascii wide nocase
+ $str3= "wevtutil.exe cl security" ascii wide nocase
+ $str4= "Everything.exe" ascii wide nocase
+ $cmd1= /ping \d+[.]\d \-n 5 \& fsutil file setZeroData offset\=\d length\=\d+/ ascii wide
+ $func1= {0f 10 05 d8 9e 5d 00}
+ $func2= {68 68 a2 5d 00}
+ $func3= {68 14 a4 5d 00}
+ condition:
+ (uint16(0) == 0x5a4d and $cmd1 and $sig and 3 of ($func*) and 2 of ($str*))
+}
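Review bot: The `$func1`–`$func3` byte patterns appear to embed absolute little-endian addresses from one build (`d8 9e 5d 00`, `68 a2 5d 00`, `14 a4 5d 00`), and the condition's `3 of ($func*)` is all three of them, so the rule is pinned to that exact sample and will silently stop matching a recompiled or relinked variant. That is a legitimate choice for a high-confidence signature, but it should be recorded next to the strings, e.g. `// build-specific code addresses; condition requires all three, retune on new samples`. In `meta`, `T1088 - Bypass User Account Control` is a deprecated ATT&CK ID (superseded by T1548.002), and `Mitre_Tactics` lists TA0007 and TA0011 with no technique mapped to either, so the technique/tactic mapping looks inconsistent and is worth reconciling if the values are not generated upstream. Separately, `$cmd1` only accepts a single digit after the dot and a single-digit offset (`\d+[.]\d`, `offset\=\d`); if that narrowness is intentional for the observed command line, a short comment saying so would save the next reviser from "fixing" it.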