Coronavirus ransomware detections
About the rule
Rule Type
Advanced
Rule Description
This rule detects execution of "file2.exe", a malware file associated with CoronaVirus ransomware attacks, together with the shadow copy deletion and multiple file modification IoCs associated with those attacks.
Severity
Critical
Rule Requirement
Criteria
Action1:
actionname = "File created" AND (OBJECTNAME contains "\AppData\Local\Temp" AND OBJECTNAME endswith "exe")
Action2:
actionname = "Process started" AND PROCESSNAME = Action1.OBJECTNAME AND HOSTNAME = Action1.HOSTNAME
Action3:
actionname = "Process started" AND (PROCESSNAME endswith "vssadmin.exe" OR PROCESSNAME endswith "wbadmin.exe") AND HOSTNAME = Action1.HOSTNAME
Action4:
actionname = "File deleted" AND HOSTNAME = Action1.HOSTNAME AND PROCESSNAME = Action1.OBJECTNAME
| timewindow 10m
| groupby PROCESSNAME having COUNT >= 10
sequence:Action1 followedby Action2 within 30s followedby Action3 within 30s followedby Action4 within 5m
select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.DOMAIN,Action1.OBJECTNAME,Action1.PROCESSNAME,Action1.ACCESSLIST,Action1.FILETYPE,Action2.HOSTNAME,Action2.MESSAGE,Action2.COMMANDLINE,Action2.FILE_NAME,Action2.PROCESSNAME,Action2.USERNAME,Action2.PARENTPROCESSNAME,Action2.DOMAIN,Action2.ORIGINALFILENAME,Action2.PARENTPROCESSID,Action2.PROCESSID,Action2.PRODUCT_NAME,Action2.SECURITYID,Action3.HOSTNAME,Action3.MESSAGE,Action3.COMMANDLINE,Action3.FILE_NAME,Action3.PROCESSNAME,Action3.USERNAME,Action3.PARENTPROCESSNAME,Action3.DOMAIN,Action3.ORIGINALFILENAME,Action3.PARENTPROCESSID,Action3.PROCESSID,Action3.PRODUCT_NAME,Action3.SECURITYID,Action4.timewindow.HOSTNAME,Action4.timewindow.MESSAGE,Action4.timewindow.USERNAME,Action4.timewindow.DOMAIN,Action4.timewindow.PROCESSNAME,Action4.timewindow.ACCESSLIST,Action4.timewindow.OBJECTNAME,Action4.timewindow.FILENAME,Action4.timewindow.FILETYPE
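The criteria above chain four actions on one host: an .exe dropped under AppData\Local\Temp (Action1), that file being executed (Action2), vssadmin.exe or wbadmin.exe starting (Action3), and a burst of at least ten file deletions by the dropped process (Action4). The following is an added, stand-alone Python re-implementation of that sequence logic for readers who want to see how the correlation behaves on sample telemetry; it is not the vendor's rule engine. It assumes the field names used in the rule, reads the "timewindow 10m / having COUNT >= 10" clauses as "ten or more deletions inside a ten-minute window that opens within five minutes of Action3", and runs over a constructed event list, not real logs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One normalized log record; field names follow the rule's criteria."""
    ts: datetime
    actionname: str
    hostname: str
    objectname: str = ""   # file path for file events
    processname: str = ""  # image path for process / file-deleted events


def is_temp_exe(path):
    """Action1 predicate: path under \\AppData\\Local\\Temp and ending in exe."""
    low = path.lower()
    return "\\appdata\\local\\temp" in low and low.endswith("exe")


def detect_sequences(events, min_deletes=10):
    """Return one finding per Action1 seed whose Action2..Action4 all follow
    inside the rule's time limits. Events may arrive unsorted."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, a1 in enumerate(events):
        if a1.actionname != "File created" or not is_temp_exe(a1.objectname):
            continue
        later = events[i + 1:]
        dropped = a1.objectname.lower()

        # Action2: the dropped file is executed on the same host within 30 s.
        a2 = next((e for e in later if e.actionname == "Process started"
                   and e.hostname == a1.hostname
                   and e.processname.lower() == dropped
                   and e.ts - a1.ts <= timedelta(seconds=30)), None)
        if a2 is None:
            continue

        # Action3: vssadmin/wbadmin starts within 30 s of Action2
        # (shadow copy / backup tampering indicator).
        a3 = next((e for e in later if e.actionname == "Process started"
                   and e.hostname == a1.hostname
                   and e.processname.lower().endswith(("vssadmin.exe", "wbadmin.exe"))
                   and timedelta(0) <= e.ts - a2.ts <= timedelta(seconds=30)), None)
        if a3 is None:
            continue

        # Action4: "File deleted" events by the dropped process (the rule's
        # groupby PROCESSNAME). Interpretation assumed here: at least
        # min_deletes inside a 10 min window that opens within 5 min of Action3.
        deletes = [e for e in later if e.actionname == "File deleted"
                   and e.hostname == a1.hostname
                   and e.processname.lower() == dropped
                   and e.ts >= a3.ts]
        burst = None
        for j in range(len(deletes) - min_deletes + 1):
            first, tenth = deletes[j], deletes[j + min_deletes - 1]
            if (first.ts - a3.ts <= timedelta(minutes=5)
                    and tenth.ts - first.ts <= timedelta(minutes=10)):
                burst = [e for e in deletes[j:]
                         if e.ts - first.ts <= timedelta(minutes=10)]
                break
        if burst is None:
            continue

        findings.append({
            "hostname": a1.hostname,
            "dropped_file": a1.objectname,
            "backup_tool": a3.processname,
            "deleted_files": len(burst),
        })
    return findings


# Constructed sample telemetry (not real logs): one ransomware-like chain on
# WS01 and one benign installer on WS02 that drops an exe but never runs vssadmin.
T0 = datetime(2020, 3, 25, 9, 0, 0)
DROPPED = r"C:\Users\alice\AppData\Local\Temp\file2.exe"
SAMPLE_EVENTS = [
    Event(T0, "File created", "WS01", objectname=DROPPED),
    Event(T0 + timedelta(seconds=4), "Process started", "WS01", processname=DROPPED),
    Event(T0 + timedelta(seconds=12), "Process started", "WS01",
          processname=r"C:\Windows\System32\vssadmin.exe"),
    Event(T0 + timedelta(seconds=2), "File created", "WS02",
          objectname=r"C:\Users\bob\AppData\Local\Temp\setup.exe"),
    Event(T0 + timedelta(seconds=6), "Process started", "WS02",
          processname=r"C:\Users\bob\AppData\Local\Temp\setup.exe"),
]
# Twelve document deletions by the dropped process, a few seconds apart.
SAMPLE_EVENTS += [
    Event(T0 + timedelta(seconds=20 + 3 * n), "File deleted", "WS01",
          objectname=rf"C:\Users\alice\Documents\report{n}.docx", processname=DROPPED)
    for n in range(12)
]

if __name__ == "__main__":
    for finding in detect_sequences(SAMPLE_EVENTS):
        print("CRITICAL CoronaVirus ransomware sequence:", finding)
```

Running the module prints one finding for WS01 only: the WS02 chain satisfies Action1 and Action2 but never reaches Action3, which is what keeps ordinary installers that unpack into Temp from firing the rule. The ordering constraints matter as much as the predicates; dropping the "within 30s" bounds would let an unrelated vssadmin run hours later complete the chain.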
Detection
Execution Mode
realtime
Log Sources
Windows