Portable Gpg.EXE Execution

 1title: Portable Gpg.EXE Execution
 2id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41
 3status: test
 4description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
 5references:
 6    - https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a
 7    - https://securelist.com/locked-out/68960/
 8    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md
 9author: frack113, Nasreddine Bencherchali (Nextron Systems)
10date: 2023-08-06
11modified: 2023-11-10
12tags:
13    - attack.impact
14    - attack.t1486
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        - Image|endswith:
21              - '\gpg.exe'
22              - '\gpg2.exe'
23        - OriginalFileName: 'gpg.exe'
24        - Description: 'GnuPG’s OpenPGP tool'
25    filter_main_legit_location:
26        Image|contains:
27            - ':\Program Files (x86)\GNU\GnuPG\bin\'
28            - ':\Program Files (x86)\GnuPG VS-Desktop\'
29            - ':\Program Files (x86)\GnuPG\bin\'
30            - ':\Program Files (x86)\Gpg4win\bin\'
31    condition: selection and not 1 of filter_main_*
32level: medium

References

• Ransom.BAT.ZARLOCK.A - Threat Encyclopedia | Trend Micro (VN)

  This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.It connects to certain websites to send and receive information.

  
  Read More

• ‘Locked Out’

  

  In this article we look at the evolution of complication of the encryption schemes used by virus writers and the methods they adopt to put pressure on their victims. At the end of the article there is some advice for users which might help them protect important files.

  
  Read More

• atomic-red-team/atomics/T1486/T1486.md at master · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

Related rules

• Load Of RstrtMgr.DLL By A Suspicious Process
• Load Of RstrtMgr.DLL By An Uncommon Process
• AWS EC2 Disable EBS Encryption
• BlueSky Ransomware Artefacts
• LockerGoga Ransomware Activity