Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

36 lines (36 sloc) 1.15 KB
title: Winnti Malware HK University Campaign
id: 3121461b-5aa0-4a41-b910-66d25524edbb
status: experimental
description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
references:
- https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
tags:
- attack.defense_evasion
- attack.t1073
- attack.g0044
author: Florian Roth, Markus Neis
date: 2020/02/01
logsource:
category: process_creation
product: windows
detection:
selection1:
ParentImage|contains:
- 'C:\Windows\Temp'
- '\hpqhvind.exe'
Image|startswith: 'C:\ProgramData\DRM'
selection2:
ParentImage|startswith: 'C:\ProgramData\DRM'
Image|endswith: '\wmplayer.exe'
selection3:
ParentImage|endswith: '\Test.exe'
Image|endswith: '\wmplayer.exe'
selection4:
Image: 'C:\ProgramData\DRM\CLR\CLR.exe'
selection5:
ParentImage|startswith: 'C:\ProgramData\DRM\Windows'
Image|endswith: '\SearchFilterHost.exe'
condition: 1 of them
falsepositives:
- Unlikely
level: critical
You can’t perform that action at this time.