Create HiCrypt_Ransomware Rule

HiCrypt_Ransomware

@@ -0,0 +1,26 @@
+rule HiCrypt_Ransomware {
+    meta:
+		  Author = "InQuest Labs"
+		  Category = "Malicious Characteristics"
+		  Creation_Date = "2022-11-04T20:51:11"
+		  Description = "This signature detects the HiCrypt Ransomware executable. This ransomware deletes backups then encrypts files while covering its tracks by clearing logs on the host it infects."
+		  EventID = "5001909"
+		  Last_Revision_Date = "2022-11-10T18:52:43"
+		  Mitre_Tactics = "TA0002 - Execution,TA0005 - Defense Evasion,TA0007 - Discovery,TA0011 - Command and Control"
+		  Mitre_Techniques = "T1070 - Indicator Removal on Host,T1485 - Data Destruction,T1088 - Bypass User Account Control,T1112 - Modify Registry,T1486 - Data Encrypted for Impact"
+		  Name = "HiCrypt_Ransomware"
+		References = "InQuest Labs Empirical Observation"
+		Revision = "13"
+    strings:
+        $sig= "FromSiberiaWithLove" ascii wide nocase
+        $str1= "wevtutil.exe cl application" ascii wide nocase
+        $str2= "wevtutil.exe cl system" ascii wide nocase
+        $str3= "wevtutil.exe cl security" ascii wide nocase
+        $str4= "Everything.exe" ascii wide nocase
+        $cmd1= /ping \d+[.]\d \-n 5 \& fsutil file setZeroData offset\=\d length\=\d+/ ascii wide
+        $func1= {0f 10 05 d8 9e 5d 00}
+        $func2= {68 68 a2 5d 00}
+        $func3= {68 14 a4 5d 00}
+    condition:
+        (uint16(0) == 0x5a4d and $cmd1 and $sig and 3 of ($func*) and 2 of ($str*))
+}