The hypothesis is that the detection of Update.dll, a file associated with Winnti malware, indicates that an adversary is attempting to establish persistence and execute malicious code on the system. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that rely on stealthy, file-based malware payloads.
YARA Rule
rule Winnti_malware_UpdateDLL
{
    meta:
        description = "Detects a Winnti malware - Update.dll"
        author = "Florian Roth"
        reference = "VTI research"
        date = "2015-10-10"
        score = 75
        hash1 = "1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016"
        hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
        hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"
        hash4 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
    strings:
        $c1 = "'Wymajtec$Tima Stempijg Sarviges GA -$G2" fullword ascii
        $c2 = "AHDNEAFE1.sys" fullword ascii
        $c3 = "SOTEFEHJ3.sys" fullword ascii
        $c4 = "MainSYS64.sys" fullword ascii
        $s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword wide
        $s2 = "Update.dll" fullword ascii
        $s3 = "\\\\.\\pipe\\usbpcex%d" fullword wide
        $s4 = "\\\\.\\pipe\\usbpcg%d" fullword wide
        $s5 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\WMI" fullword wide
        $s6 = "\\??\\pipe\\usbpcg%d" fullword wide
        $s7 = "\\??\\pipe\\usbpcex%d" fullword wide
        $s8 = "HOST: %s" fullword ascii
        $s9 = "$$$--Hello" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and ( ( 1 of ($c*) and 3 of ($s*) ) or all of ($s*) )
}
This YARA rule can be deployed in the following contexts:
This rule contains 13 string patterns in its detection logic (four $c* strings and nine $s* strings); a PE file matches when at least one $c* string and three $s* strings are present, or when all nine $s* strings are present.
Scenario: A system administrator is using Windows Update to install a legitimate update that includes a file named Update.dll.
Filter/Exclusion: Check the file's signature using Windows Defender ATP (now Microsoft Defender for Endpoint) to confirm it is a trusted, Microsoft-signed file.
Scenario: A scheduled task is configured to run a legitimate script that temporarily creates or modifies a file named Update.dll in a temporary directory.
Filter/Exclusion: Filter by file path (e.g., C:\Windows\Temp\*) or parent process (e.g., schtasks.exe).
Scenario: A third-party application (e.g., Microsoft System Center Configuration Manager) uses a file named Update.dll as part of its deployment process.
Filter/Exclusion: Check the process name (e.g., ConfigMgr.exe or smsexec.exe) or file hash against known legitimate hashes.
Scenario: A Windows service (e.g., Windows Update service) is running and temporarily creates or modifies Update.dll during a system update.
Filter/Exclusion: Filter by process name (e.g., svchost.exe hosting the wuauserv service) or file location (e.g., C:\Windows\System32\*).
Scenario: A security tool (e.g., Malwarebytes, Bitdefender) performs a scan and generates a temporary Update.dll file as part of its analysis.
Filter/Exclusion: Filter by process name (e.g., mbam.exe, bdagent.exe) or file creation time (within a short window after a scan starts).
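As an added example (not part of the original page or the rule author's work), the following KQL hunting query for Azure Sentinel turns the hypothesis and the exclusion scenarios above into a triage view. It assumes the Microsoft Defender for Endpoint connector populates the DeviceFileEvents and DeviceFileCertificateInfo tables; the process and path allowlists are the page's own examples and must be tuned per environment.

```kusto
// Hunt: Update.dll file activity, with the known Winnti hashes from the YARA
// rule kept as hard matches and the benign scenarios filtered out.
let WinntiHashes = dynamic([
    "1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016",
    "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a",
    "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"]);
// Initiating processes from the benign scenarios (ConfigMgr, scheduled tasks, AV scans).
let BenignInitiators = dynamic(["smsexec.exe", "ConfigMgr.exe", "schtasks.exe",
                                "mbam.exe", "bdagent.exe"]);
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName =~ "Update.dll"
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
// Pull the latest signature verdict per file hash so Microsoft-signed copies can be excluded.
| join kind=leftouter (
    DeviceFileCertificateInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, IsTrusted, IsRootSignerMicrosoft, Signer) by SHA1
    | project SHA1, IsTrusted, IsRootSignerMicrosoft, Signer
  ) on SHA1
| extend KnownWinntiHash = SHA256 in (WinntiHashes)
| extend MicrosoftSigned = IsTrusted == true and IsRootSignerMicrosoft == true
| extend BenignProcess = InitiatingProcessFileName in~ (BenignInitiators)
    or (InitiatingProcessFileName =~ "svchost.exe"
        and InitiatingProcessCommandLine has "wuauserv")
| extend BenignPath = FolderPath startswith @"C:\Windows\System32\"
    or FolderPath startswith @"C:\Windows\Temp\"
// A known-bad hash is never excluded; path alone is not enough, it must pair with a benign process.
| extend Verdict = case(
    KnownWinntiHash, "match-known-winnti-hash",
    MicrosoftSigned, "exclude-microsoft-signed",
    BenignProcess and BenignPath, "exclude-benign-scenario",
    "review")
| where Verdict !in ("exclude-microsoft-signed", "exclude-benign-scenario")
| project Timestamp, DeviceName, FolderPath, SHA256, InitiatingProcessFileName,
          InitiatingProcessCommandLine, Signer, Verdict
| order by Verdict asc, Timestamp desc
```

Rows with Verdict "review" are unsigned or unexpected Update.dll writes that the YARA rule should then be run against on the endpoint; "match-known-winnti-hash" rows warrant immediate incident response.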