Magniber Ransomware Detect January – 2022


This rule contains malicious filenames used by Magniber ransomware in January 2022.

The attackers behind Magniber ransomware, who until now have exploited Internet Explorer vulnerabilities, are now targeting PCs through modern browsers such as Edge and Chrome. Magniber is disguised as a legitimate update package for Edge or Chrome and is delivered as a signed .appx file. Installing this "update" encrypts the user's files and demands payment for decryption. The detections below key on the two files the package drops, wjoiyyxzllm.exe and wjoiyyxzllm.dll, under \Program Files\WindowsApps.

  • Microsoft Defender
DeviceFileEvents | where (FolderPath contains @"\Program Files\WindowsApps\wjoiyyxzllm.exe" or FolderPath contains @"\Program Files\WindowsApps\wjoiyyxzllm.dll")
  • QRadar AQL
SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and (CATEGORYNAME(category) ILIKE 'File Created' or CATEGORYNAME(category) ILIKE 'Successful File Modification') and ("TargetFilename" ilike '%\Program Files\WindowsApps\wjoiyyxzllm.exe%' or "TargetFilename" ilike '%\Program Files\WindowsApps\wjoiyyxzllm.dll%')
  • Splunk
(source="WinEventLog:*" (TargetFilename="*\\Program Files\\WindowsApps\\wjoiyyxzllm.exe" OR TargetFilename="*\\Program Files\\WindowsApps\\wjoiyyxzllm.dll"))
  • Elastic Query
file.path:(*\\Program\ Files\\WindowsApps\\wjoiyyxzllm.exe OR *\\Program\ Files\\WindowsApps\\wjoiyyxzllm.dll)
  • EDR Carbon Black
filemod_name:(\Program\ Files\WindowsApps\wjoiyyxzllm.exe OR \Program\ Files\WindowsApps\wjoiyyxzllm.dll)
  • Windows PowerShell
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -FilterXPath "*[System[EventID=11]]" | Where-Object { $_.Message -match 'TargetFilename:.*\\Program Files\\WindowsApps\\wjoiyyxzllm\.(exe|dll)' } | Select-Object TimeCreated,Id,RecordId,ProcessId,MachineName,Message
  • RegEx
(?i)^[a-z]:\\Program Files\\WindowsApps\\wjoiyyxzllm\.(?:exe|dll)$
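As an added example that is not part of the original post, the same file-path check as runnable Python over a few constructed Sysmon event ID 11 (FileCreate) records. It matches the two filenames case-insensitively, as NTFS paths are, and also accepts them inside a per-package subfolder, because MSIX/APPX packages install into \Program Files\WindowsApps\<PackageFullName>\ rather than directly into WindowsApps. The event records, the package folder name and the Image values below are constructed for the example, not taken from a real incident.

```python
import re

# Filenames from the rule above. Anything below WindowsApps is accepted
# because an .appx installs into a per-package subfolder
# (\Program Files\WindowsApps\<PackageFullName>\...), which the one-level
# queries on the page would miss.
MAGNIBER_FILES = ("wjoiyyxzllm.exe", "wjoiyyxzllm.dll")

_PATTERN = re.compile(
    r"^[A-Za-z]:\\Program Files\\WindowsApps\\(?:[^\\]+\\)*"
    + "(?:" + "|".join(re.escape(f) for f in MAGNIBER_FILES) + ")$",
    re.IGNORECASE,  # Windows paths are case-insensitive
)


def is_magniber_drop(path: str) -> bool:
    """True if `path` is one of the Magniber IoC files created under WindowsApps."""
    return _PATTERN.match(path.strip()) is not None


def scan_file_events(events):
    """Return the TargetFilename of every FileCreate (Sysmon event 11) hit."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue  # only file-creation events carry the dropped path
        target = ev.get("TargetFilename", "")
        if is_magniber_drop(target):
            hits.append(target)
    return hits


# Constructed sample events (package folder and Image values are placeholders).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Program Files\WindowsApps\wjoiyyxzllm.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Program Files\WindowsApps\ExamplePkg_1.0.0.0_x64__abcdefghijklm\WJOIYYXZLLM.DLL"},
    # Same filename outside WindowsApps: not what this rule is about.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\wjoiyyxzllm.exe"},
    # Benign package content under WindowsApps.
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Program Files\WindowsApps\LegitApp_2.0_x64__abcdefghijklm\app.dll"},
    # Process-creation event, not a file write.
    {"EventID": 1, "Image": r"C:\Program Files\WindowsApps\wjoiyyxzllm.exe"},
]


if __name__ == "__main__":
    for hit in scan_file_events(SAMPLE_EVENTS):
        print("Magniber drop:", hit)
```

Only the first two sample records are reported; the Downloads copy and the process-creation event are deliberately left out so the example shows the rule's scope rather than a general filename hunt. Because Magniber rotates the dropped filenames between campaigns, this match is useful for this January 2022 wave specifically and should be paired with broader logic (for example, any unexpected .exe/.dll written under WindowsApps) for lasting coverage.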


One thought on "Magniber Ransomware Detect January – 2022"

  1. Good! If only everyone wrote like this..