← Back to Explore
sigmahighHunting
Load Of RstrtMgr.DLL By A Suspicious Process
Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.
Detection Query
selection_img:
- ImageLoaded|endswith: \RstrtMgr.dll
- OriginalFileName: RstrtMgr.dll
selection_folders_1:
Image|contains:
- :\Perflogs\
- :\Users\Public\
- \Temporary Internet
selection_folders_2:
- Image|contains|all:
- :\Users\
- \Favorites\
- Image|contains|all:
- :\Users\
- \Favourites\
- Image|contains|all:
- :\Users\
- \Contacts\
condition: selection_img and 1 of selection_folders_*
Author
Luc Génaux
Created
2023-11-28
Data Sources
windowsImage Load Events
Platforms
windows
References
- https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
- https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
- https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
Tags
attack.impactattack.defense-evasionattack.t1486attack.t1562.001
Raw Content
title: Load Of RstrtMgr.DLL By A Suspicious Process
id: b48492dc-c5ef-4572-8dff-32bc241c15c8
related:
- id: 3669afd2-9891-4534-a626-e5cf03810a61
type: derived
status: test
description: |
Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
It could also be used for anti-analysis purposes by shut downing specific processes.
references:
- https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
- https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
- https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
author: Luc Génaux
date: 2023-11-28
tags:
- attack.impact
- attack.defense-evasion
- attack.t1486
- attack.t1562.001
logsource:
category: image_load
product: windows
detection:
selection_img:
- ImageLoaded|endswith: '\RstrtMgr.dll'
- OriginalFileName: 'RstrtMgr.dll'
selection_folders_1:
Image|contains:
# Note: increase coverage by adding more suspicious paths
- ':\Perflogs\'
- ':\Users\Public\'
- '\Temporary Internet'
selection_folders_2:
- Image|contains|all:
- ':\Users\'
- '\Favorites\'
- Image|contains|all:
- ':\Users\'
- '\Favourites\'
- Image|contains|all:
- ':\Users\'
- '\Contacts\'
condition: selection_img and 1 of selection_folders_*
falsepositives:
- Processes related to software installation
level: high