Concrete signature match: Trojan:Win32/Lockscreen.AMMD!MTB. Type: Trojan (appears legitimate but performs malicious actions); platform: Win32 (32-bit Windows); family: Lockscreen.
This threat is a lockscreen trojan (a "winlocker") designed to render a system unusable by locking the user out. Its indicator strings point to two behaviours: tampering with the Master Boot Record (the string C:\MBR.bin is consistent with reading or writing a raw MBR image), and mass process termination via TASKKILL /F /FI "Imagename ne ..." , a filter that force-kills every running process whose image name does not match the excluded name, so the victim cannot reach Task Manager or other recovery tooling. The DisableChangePassword string is the name of a Windows policy value that removes the Change Password option from the Ctrl+Alt+Del screen, and AntiWinLockerTray.exe is the process name of a third-party anti-winlocker utility. Together these hold the computer hostage and block the usual ways of recovering the session.
Relevant strings associated with this threat:
- C:\MBR.bin (PEHSTR_EXT)
- C:\Users\Public\monkeiii.dll (PEHSTR_EXT)
- /c TASKKILL /F /FI "Imagename ne (PEHSTR_EXT)
- AntiWinLockerTray.exe (PEHSTR_EXT)
rule Trojan_Win32_Lockscreen_AMMD_2147905528_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/Lockscreen.AMMD!MTB"
        threat_id = "2147905528"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "Lockscreen"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "12"
        strings_accuracy = "High"
    strings:
        $x_2_1 = "WINLOCKBYAMPBYAMPBYAMPfsdjf" ascii //weight: 2
        $x_2_2 = "C:\\MBR.bin" ascii //weight: 2
        $x_2_3 = "DisableChangePassword" ascii //weight: 2
        $x_2_4 = "C:\\Users\\Public\\monkeiii.dll" ascii //weight: 2
        $x_2_5 = "/c TASKKILL /F /FI \"Imagename ne" ascii //weight: 2
        $x_2_6 = "AntiWinLockerTray.exe" ascii //weight: 2
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Sample hash (SHA-256): 8a17462c08ceeb2a307fe0e1a467107ee4c9c801db7e021d12eebb0a9722efdf

Remediation: Isolate the endpoint from the network immediately. Boot from Windows Recovery Media and repair the Master Boot Record with bootrec /fixmbr from the recovery command prompt. Note that this command applies to BIOS/MBR-booted systems and rewrites only the MBR boot code; it does not restore the partition table, so if the partition table was also destroyed the disk must be recovered from backup or with partition-recovery tooling. After boot is restored, perform a full antivirus scan from a safe environment (an offline scan or the recovery media) to remove the dropped files (C:\MBR.bin, C:\Users\Public\monkeiii.dll), compare the hash of any recovered sample against the one above, and verify that the DisableChangePassword policy value the sample references has not been left set.
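The following is an added example, not code from threatcheck.sh or from the rule above: a pure-Python re-implementation of the rule's string logic together with a small triage helper for the remediation step. It copies the six weighted strings and the 20MB size bound from the rule, reads the meta fields as a weighted score that must reach the threshold of 12 (six strings of weight 2, which is exactly why the condition is written as all of ($x*)), and hashes candidate files with SHA-256 so they can be compared against the published sample hash. The buffers FULL and PARTIAL are constructed for illustration and are not malware; the function names are the example's own.

```python
"""Weighted-string scoring and SHA-256 triage for the Lockscreen.AMMD rule.

Added example, not part of the original page. Buffers below are constructed.
"""
import hashlib
from pathlib import Path

# Indicator strings copied from the rule. YARA's "\\" and "\"" escapes resolve
# to the raw bytes shown here (single backslash, literal double quote).
INDICATORS = {
    "$x_2_1": (b"WINLOCKBYAMPBYAMPBYAMPfsdjf", 2),
    "$x_2_2": (b"C:\\MBR.bin", 2),
    "$x_2_3": (b"DisableChangePassword", 2),
    "$x_2_4": (b"C:\\Users\\Public\\monkeiii.dll", 2),
    "$x_2_5": (b'/c TASKKILL /F /FI "Imagename ne', 2),
    "$x_2_6": (b"AntiWinLockerTray.exe", 2),
}
THRESHOLD = 12                 # meta: threshold = "12"
MAX_SIZE = 20 * 1024 * 1024    # condition: filesize < 20MB (YARA's MB is 2**20)
SAMPLE_SHA256 = "8a17462c08ceeb2a307fe0e1a467107ee4c9c801db7e021d12eebb0a9722efdf"


def score(data: bytes) -> tuple[int, list[str]]:
    """Return (total weight, matched identifiers) for the rule's strings."""
    hits = [name for name, (pattern, _) in INDICATORS.items() if pattern in data]
    total = sum(INDICATORS[name][1] for name in hits)
    return total, hits


def matches(data: bytes) -> bool:
    """Rule verdict: under the size bound and weighted score >= threshold.

    With six strings of weight 2 and a threshold of 12 this is equivalent to
    the rule's condition 'all of ($x*)'.
    """
    if len(data) >= MAX_SIZE:
        return False
    total, _ = score(data)
    return total >= THRESHOLD


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def triage(paths) -> dict:
    """Check candidate artifact paths (e.g. the dropped files named in the
    advisory): presence, size, SHA-256, whether the hash equals the published
    sample hash, and the rule verdict on the file's bytes."""
    report = {}
    for p in map(Path, paths):
        key = str(p)
        if not p.is_file():
            report[key] = {"present": False}
            continue
        data = p.read_bytes()
        digest = sha256_of(data)
        total, hits = score(data)
        report[key] = {
            "present": True,
            "size": len(data),
            "sha256": digest,
            "known_sample": digest == SAMPLE_SHA256,
            "weight": total,
            "hits": hits,
            "rule_match": matches(data),
        }
    return report


# Constructed buffers (not real samples): FULL carries every indicator and
# therefore reaches the threshold; PARTIAL carries only two and does not.
FULL = (b"MZ\x90\x00" + b"\x00" * 64
        + b"".join(pattern + b"\x00" for pattern, _ in INDICATORS.values()))
PARTIAL = b"MZ\x90\x00" + b"C:\\MBR.bin\x00DisableChangePassword\x00"

if __name__ == "__main__":
    for label, buf in (("full", FULL), ("partial", PARTIAL)):
        total, hits = score(buf)
        print(f"{label}: weight={total} hits={hits} match={matches(buf)}")
    # Paths from the advisory; on a non-Windows host these simply report absent.
    print(triage([r"C:\MBR.bin", r"C:\Users\Public\monkeiii.dll"]))
```

Run it on the infected disk mounted read-only from the recovery environment, passing the mounted equivalents of the two dropped-file paths; a "known_sample" hit confirms the exact sample, while a "rule_match" without a hash match indicates a variant that still carries all six strings.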