Renamed Gpg.EXE Execution
Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
Sigma rule (View on GitHub)
1title: Renamed Gpg.EXE Execution
2id: ec0722a3-eb5c-4a56-8ab2-bf6f20708592
3status: experimental
4description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
5references:
6 - https://securelist.com/locked-out/68960/
7author: Nasreddine Bencherchali (Nextron Systems), frack113
8date: 2023/08/09
9tags:
10 - attack.impact
11 - attack.t1486
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 OriginalFileName: 'gpg.exe'
18 filter_main_img:
19 Image|endswith:
20 - '\gpg.exe'
21 - '\gpg2.exe'
22 condition: selection and not 1 of filter_main_*
23level: high
References
-
In this article we look at the evolution of complication of the encryption schemes used by virus writers and the methods they adopt to put pressure on their victims. At the end of the article there is some advice for users which might help them protect important files.
Read More
Related rules
- LockerGoga Ransomware Activity
- Potential Conti Ransomware Activity
- Suspicious Multiple File Rename Or Delete Occurred
- Suspicious Creation TXT File in User Desktop
- Vice Society Encrypted File Extension File Creation