Common Information
Field | Value
---|---
Type | Yara Rule
Category |
Misp Type |
Description |

Value (YARA rule):

```yara
import "pe"

rule screensaver_desktop_locker {
    meta:
        description = "exe - file screensaver.exe"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/2020/06/10/lockbit-ransomware-why-you-no-spread/"
        date = "2020-06-10"
        hash1 = "c3ec60b8052e31db149c35080afea5b57b1e8a034386555d12035eb5edefdd68"
    strings:
        $x1 = "<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" language=\"*\" processorArchitec"
        $s2 = "<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" language=\"*\" processorArchitec"
        $s3 = "Desktop_Locker.exe" wide fullword
        $s4 = "KeyEx~+" ascii fullword
        $s5 = "xkernel32" ascii fullword
        $s6 = "re=\"*\" publicKeyToken=\"6595b64144ccf1df\"></assemblyIdentity>" ascii fullword
        $s7 = "_logb'yn=d" ascii fullword
        $s8 = "ComplPe " ascii fullword
        $s9 = "tNhitmP" ascii fullword
        $s10 = "RUNpKI;" ascii fullword
        $s11 = ".UserObjectInform1Wf;" ascii fullword
        $s12 = "QUNICOD" ascii fullword
        $s13 = "LPTX999" ascii fullword
        $s14 = "allsig" ascii fullword
        $s15 = "xaqfwd" ascii fullword
        $s16 = "Gpm* YN" ascii fullword
        $s17 = "6VVhU\\ " ascii fullword
        $s18 = "#G3;\\0ANIi7j\\" ascii fullword
        $s19 = "UnkJwn excz`>o" ascii fullword
        $s20 = "dfgxA v" ascii fullword
    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and
        (pe.imphash() == "3fdb0650e8607422d0624242575f61f2" or (1 of ($x*) or 4 of them))
}
```