Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
30-11-2021 21:37
Static task
static1
Behavioral task
behavioral1
Sample
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe
Resource
win7-en-20211104
Behavioral task
behavioral2
Sample
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe
Resource
win10-en-20211104
General
-
Target
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe
-
Size
170KB
-
MD5
bec9b3480934ce3d30c25e1272f60d02
-
SHA1
104d9e31e34ba8517f701552594f1fc167550964
-
SHA256
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789
-
SHA512
99ebdaf100af272678b92cdb0743cdb6a1b4a8ecc83a1fb3127dfc53bf609a655715bf9ee3a4a7dbee7ae21cb5ff98283772d9bf5641e394b7e3c21a1010cdbc
Malware Config
Extracted
C:\HowToRestoreYourFiles.txt
rook
Signatures
-
Rook
Rook is a ransomware which copies from NightSky ransomware.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\SelectRead.png => C:\Users\Admin\Pictures\SelectRead.png.Rook f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened for modification C:\Users\Admin\Pictures\SelectRead.png.Rook f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File renamed C:\Users\Admin\Pictures\PopReceive.tiff => C:\Users\Admin\Pictures\PopReceive.tiff.Rook f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened for modification C:\Users\Admin\Pictures\PopReceive.tiff.Rook f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened for modification C:\Users\Admin\Pictures\PopReceive.tiff f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File renamed C:\Users\Admin\Pictures\MountGet.crw => C:\Users\Admin\Pictures\MountGet.crw.Rook f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened for modification C:\Users\Admin\Pictures\MountGet.crw.Rook f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe -
Deletes itself 1 IoCs
pid Process 1864 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\P: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\Z: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\X: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\N: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\W: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\E: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\J: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\K: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\L: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\R: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\T: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\M: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\Q: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\A: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\I: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\S: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\F: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\G: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\H: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\V: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\Y: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\U: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe File opened (read-only) \??\B: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 632 vssadmin.exe 456 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1864 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1864 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 964 vssvc.exe Token: SeRestorePrivilege 964 vssvc.exe Token: SeAuditPrivilege 964 vssvc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1864 wrote to memory of 1492 1864 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe 29 PID 1864 wrote to memory of 1492 1864 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe 29 PID 1864 wrote to memory of 1492 1864 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe 29 PID 1492 wrote to memory of 632 1492 cmd.exe 31 PID 1492 wrote to memory of 632 1492 cmd.exe 31 PID 1492 wrote to memory of 632 1492 cmd.exe 31 PID 1864 wrote to memory of 1900 1864 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe 35 PID 1864 wrote to memory of 1900 1864 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe 35 PID 1864 wrote to memory of 1900 1864 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe 35 PID 1900 wrote to memory of 456 1900 cmd.exe 37 PID 1900 wrote to memory of 456 1900 cmd.exe 37 PID 1900 wrote to memory of 456 1900 cmd.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe"C:\Users\Admin\AppData\Local\Temp\f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.bin.exe"1⤵
- Modifies extensions of user files
- Deletes itself
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:632
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:456
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:964