Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-en-20211104
submitted: 24-11-2021 14:49
Static task: static1
Behavioral task: behavioral1
Sample: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe
Resource: win7-en-20211104
Behavioral task: behavioral2
Sample: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe
Resource: win10-en-20211014
General
Target: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe
Size: 170KB
MD5: bec9b3480934ce3d30c25e1272f60d02
SHA1: 104d9e31e34ba8517f701552594f1fc167550964
SHA256: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789
SHA512: 99ebdaf100af272678b92cdb0743cdb6a1b4a8ecc83a1fb3127dfc53bf609a655715bf9ee3a4a7dbee7ae21cb5ff98283772d9bf5641e394b7e3c21a1010cdbc
Malware Config
Extracted
C:\HowToRestoreYourFiles.txt
a)rook@onionmail.org
b)securityRook@onionmail.org
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 20 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Process: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe
description | ioc
File opened for modification | C:\Users\Admin\Pictures\EditTrace.tiff
File opened for modification | C:\Users\Admin\Pictures\ApproveRepair.raw.Rook
File opened for modification | C:\Users\Admin\Pictures\ConvertWatch.tif.Rook
File renamed | C:\Users\Admin\Pictures\SplitAssert.tiff => C:\Users\Admin\Pictures\SplitAssert.tiff.Rook
File opened for modification | C:\Users\Admin\Pictures\SplitAssert.tiff.Rook
File opened for modification | C:\Users\Admin\Pictures\UpdateCheckpoint.raw.Rook
File opened for modification | C:\Users\Admin\Pictures\EditTrace.tiff.Rook
File renamed | C:\Users\Admin\Pictures\FindCompare.crw => C:\Users\Admin\Pictures\FindCompare.crw.Rook
File opened for modification | C:\Users\Admin\Pictures\FindCompare.crw.Rook
File renamed | C:\Users\Admin\Pictures\InvokeOut.png => C:\Users\Admin\Pictures\InvokeOut.png.Rook
File opened for modification | C:\Users\Admin\Pictures\LimitRename.png.Rook
File opened for modification | C:\Users\Admin\Pictures\SplitAssert.tiff
File renamed | C:\Users\Admin\Pictures\ApproveRepair.raw => C:\Users\Admin\Pictures\ApproveRepair.raw.Rook
File renamed | C:\Users\Admin\Pictures\ConvertWatch.tif => C:\Users\Admin\Pictures\ConvertWatch.tif.Rook
File renamed | C:\Users\Admin\Pictures\HideUpdate.tif => C:\Users\Admin\Pictures\HideUpdate.tif.Rook
File opened for modification | C:\Users\Admin\Pictures\HideUpdate.tif.Rook
File renamed | C:\Users\Admin\Pictures\LimitRename.png => C:\Users\Admin\Pictures\LimitRename.png.Rook
File renamed | C:\Users\Admin\Pictures\UpdateCheckpoint.raw => C:\Users\Admin\Pictures\UpdateCheckpoint.raw.Rook
File renamed | C:\Users\Admin\Pictures\EditTrace.tiff => C:\Users\Admin\Pictures\EditTrace.tiff.Rook
File opened for modification | C:\Users\Admin\Pictures\InvokeOut.png.Rook
-
Deletes itself 1 IoCs
Processes:
pid | process
976 | f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Process: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe
description | ioc
File opened (read-only) | \??\F:
File opened (read-only) | \??\J:
File opened (read-only) | \??\L:
File opened (read-only) | \??\Q:
File opened (read-only) | \??\W:
File opened (read-only) | \??\Y:
File opened (read-only) | \??\A:
File opened (read-only) | \??\S:
File opened (read-only) | \??\X:
File opened (read-only) | \??\K:
File opened (read-only) | \??\E:
File opened (read-only) | \??\R:
File opened (read-only) | \??\T:
File opened (read-only) | \??\O:
File opened (read-only) | \??\P:
File opened (read-only) | \??\U:
File opened (read-only) | \??\G:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\V:
File opened (read-only) | \??\I:
File opened (read-only) | \??\H:
File opened (read-only) | \??\B:
File opened (read-only) | \??\N:
File opened (read-only) | \??\M:
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
1388 | vssadmin.exe
1144 | vssadmin.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid | process
364 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
976 | f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
976 | f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeBackupPrivilege | 1096 | vssvc.exe
Token: SeRestorePrivilege | 1096 | vssvc.exe
Token: SeAuditPrivilege | 1096 | vssvc.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
364 | NOTEPAD.EXE
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 976 wrote to memory of 1316 | 976 | f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe | cmd.exe
PID 976 wrote to memory of 1316 | 976 | f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe | cmd.exe
PID 976 wrote to memory of 1316 | 976 | f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe | cmd.exe
PID 1316 wrote to memory of 1388 | 1316 | cmd.exe | vssadmin.exe
PID 1316 wrote to memory of 1388 | 1316 | cmd.exe | vssadmin.exe
PID 1316 wrote to memory of 1388 | 1316 | cmd.exe | vssadmin.exe
PID 976 wrote to memory of 1732 | 976 | f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe | cmd.exe
PID 976 wrote to memory of 1732 | 976 | f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe | cmd.exe
PID 976 wrote to memory of 1732 | 976 | f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe | cmd.exe
PID 1732 wrote to memory of 1144 | 1732 | cmd.exe | vssadmin.exe
PID 1732 wrote to memory of 1144 | 1732 | cmd.exe | vssadmin.exe
PID 1732 wrote to memory of 1144 | 1732 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe"
  - Modifies extensions of user files
  - Deletes itself
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HowToRestoreYourFiles.txt
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
Downloads
-
C:\Users\Public\Desktop\HowToRestoreYourFiles.txt
MD5: 00f71cde522689585eaa9c62385afa22
SHA1: 350e319806f7a71267a5e4a749eb190ead38dbb0
SHA256: b14ec2fcccac5059464e800edf56049c0277124abd60ee49c1f726861df925bf
SHA512: 47442d335f16e259c4593370467c741ac2b41f329330afdd649b89b44c4233edd7d2af70883403993d6022c617235c20b89ae667ca4b3f82d678836adc34f4df
-
memory/976-55-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp
Filesize: 8KB
-
memory/1144-59-0x0000000000000000-mapping.dmp
-
memory/1316-56-0x0000000000000000-mapping.dmp
-
memory/1388-57-0x0000000000000000-mapping.dmp
-
memory/1732-58-0x0000000000000000-mapping.dmp