Load Of RstrtMgr.DLL By An Uncommon Process
Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.
Sigma rule (View on GitHub)
1title: Load Of RstrtMgr.DLL By An Uncommon Process
2id: 3669afd2-9891-4534-a626-e5cf03810a61
3related:
4 - id: b48492dc-c5ef-4572-8dff-32bc241c15c8
5 type: derived
6status: test
7description: |
8 Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
9 This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
10 It could also be used for anti-analysis purposes by shut downing specific processes.
11references:
12 - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
13 - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
14 - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
15 - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
16author: Luc Génaux
17date: 2023-11-28
18tags:
19 - attack.impact
20 - attack.defense-evasion
21 - attack.t1486
22 - attack.t1562.001
23logsource:
24 category: image_load
25 product: windows
26detection:
27 selection:
28 - ImageLoaded|endswith: '\RstrtMgr.dll'
29 - OriginalFileName: 'RstrtMgr.dll'
30 filter_main_generic:
31 Image|contains:
32 - ':\$WINDOWS.~BT\'
33 - ':\$WinREAgent\'
34 - ':\Program Files (x86)\'
35 - ':\Program Files\'
36 - ':\ProgramData\'
37 - ':\Windows\explorer.exe'
38 - ':\Windows\SoftwareDistribution\'
39 - ':\Windows\SysNative\'
40 - ':\Windows\System32\'
41 - ':\Windows\SysWOW64\'
42 - ':\Windows\WinSxS\'
43 - ':\WUDownloadCache\'
44 filter_main_user_software_installations:
45 Image|contains|all:
46 - ':\Users\'
47 - '\AppData\Local\Temp\is-'
48 - '.tmp\'
49 Image|endswith: '.tmp'
50 filter_main_admin_software_installations:
51 Image|contains: ':\Windows\Temp\'
52 condition: selection and not 1 of filter_main_*
53falsepositives:
54 - Other legitimate Windows processes not currently listed
55 - Processes related to software installation
56level: low
References
-
Dive into the Windows Restart Manager’s mechanisms to understand how it works, how it can be used maliciously, and how to stay protected.
Read More -
Part 2 examines how Windows Restart Manager's mechanisms can be exploited by adversaries and what you can do about it.
Read More -
Cactus Ransomware is a new threat, first identified in March 2023, with some special characteristics. The main feature of this ransomware is the auto-encryption, so the encryption of the ransomware takes place during the deployment phase, which means that the threat cannot be easily detected by EDR, XDR and anti-malware.
Read More
Related rules
- Load Of RstrtMgr.DLL By A Suspicious Process
- IISReset Used to Stop IIS Services
- WannaCry Ransomware Activity
- Portable Gpg.EXE Execution
- Suspicious Path In Keyboard Layout IME File Registry Value