Load Of RstrtMgr.DLL By A Suspicious Process
Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.
Sigma rule (View on GitHub)
1title: Load Of RstrtMgr.DLL By A Suspicious Process
2id: b48492dc-c5ef-4572-8dff-32bc241c15c8
3related:
4 - id: 3669afd2-9891-4534-a626-e5cf03810a61
5 type: derived
6status: test
7description: |
8 Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
9 This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
10 It could also be used for anti-analysis purposes by shut downing specific processes.
11references:
12 - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
13 - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
14 - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
15 - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
16author: Luc Génaux
17date: 2023-11-28
18tags:
19 - attack.impact
20 - attack.defense-evasion
21 - attack.t1486
22 - attack.t1562.001
23logsource:
24 category: image_load
25 product: windows
26detection:
27 selection_img:
28 - ImageLoaded|endswith: '\RstrtMgr.dll'
29 - OriginalFileName: 'RstrtMgr.dll'
30 selection_folders_1:
31 Image|contains:
32 # Note: increase coverage by adding more suspicious paths
33 - ':\Perflogs\'
34 - ':\Users\Public\'
35 - '\Temporary Internet'
36 selection_folders_2:
37 - Image|contains|all:
38 - ':\Users\'
39 - '\Favorites\'
40 - Image|contains|all:
41 - ':\Users\'
42 - '\Favourites\'
43 - Image|contains|all:
44 - ':\Users\'
45 - '\Contacts\'
46 condition: selection_img and 1 of selection_folders_*
47falsepositives:
48 - Processes related to software installation
49level: high
References
-
Dive into the Windows Restart Manager’s mechanisms to understand how it works, how it can be used maliciously, and how to stay protected.
Read More -
Part 2 examines how Windows Restart Manager's mechanisms can be exploited by adversaries and what you can do about it.
Read More -
Cactus Ransomware is a new threat, first identified in March 2023, with some special characteristics. The main feature of this ransomware is the auto-encryption, so the encryption of the ransomware takes place during the deployment phase, which means that the threat cannot be easily detected by EDR, XDR and anti-malware.
Read More
Related rules
- Load Of RstrtMgr.DLL By An Uncommon Process
- IISReset Used to Stop IIS Services
- WannaCry Ransomware Activity
- Portable Gpg.EXE Execution
- Suspicious Path In Keyboard Layout IME File Registry Value