Analysis
-
max time kernel
118s -
max time network
124s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
11-01-2022 18:27
Static task
static1
Behavioral task
behavioral1
Sample
rook1.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
rook1.exe
Resource
win10-en-20211208
Behavioral task
behavioral3
Sample
rook1.exe
Resource
macos
Behavioral task
behavioral4
Sample
rook1.exe
Resource
ubuntu1804-amd64-en-20211208
General
-
Target
rook1.exe
-
Size
5.4MB
-
MD5
4f7adc32ec67c1a55853ef828fe58707
-
SHA1
36de7997949ac3b9b456023fb072b9a8cd84ade8
-
SHA256
96f7df1c984c1753289600f7f373f3a98a4f09f82acc1be8ecfd5790763a355b
-
SHA512
a45e4a20133c842037789157c3ed845afdefbb0d2fe3958d75f0cb3cdfeee106262f9de0e0aca92ac84a0211432cd19773e0f769b970ddb8a80e5f7855676f74
Malware Config
Extracted
C:\HowToRestoreYourFiles.txt
rook
Signatures
-
Rook
Rook is a ransomware which copies from NightSky ransomware.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 13 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\ConnectShow.png => C:\Users\Admin\Pictures\ConnectShow.png.Rook rook1.exe File opened for modification C:\Users\Admin\Pictures\DebugUninstall.tif.Rook rook1.exe File opened for modification C:\Users\Admin\Pictures\ReceiveRequest.tiff rook1.exe File renamed C:\Users\Admin\Pictures\PushPublish.raw => C:\Users\Admin\Pictures\PushPublish.raw.Rook rook1.exe File opened for modification C:\Users\Admin\Pictures\PushPublish.raw.Rook rook1.exe File renamed C:\Users\Admin\Pictures\WaitRequest.png => C:\Users\Admin\Pictures\WaitRequest.png.Rook rook1.exe File opened for modification C:\Users\Admin\Pictures\WaitRequest.png.Rook rook1.exe File renamed C:\Users\Admin\Pictures\CompareStop.raw => C:\Users\Admin\Pictures\CompareStop.raw.Rook rook1.exe File opened for modification C:\Users\Admin\Pictures\ConnectShow.png.Rook rook1.exe File renamed C:\Users\Admin\Pictures\DebugUninstall.tif => C:\Users\Admin\Pictures\DebugUninstall.tif.Rook rook1.exe File renamed C:\Users\Admin\Pictures\ReceiveRequest.tiff => C:\Users\Admin\Pictures\ReceiveRequest.tiff.Rook rook1.exe File opened for modification C:\Users\Admin\Pictures\ReceiveRequest.tiff.Rook rook1.exe File opened for modification C:\Users\Admin\Pictures\CompareStop.raw.Rook rook1.exe -
resource yara_rule behavioral1/memory/1628-55-0x000000013F9E0000-0x00000001402FD000-memory.dmp vmprotect -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: rook1.exe File opened (read-only) \??\E: rook1.exe File opened (read-only) \??\T: rook1.exe File opened (read-only) \??\O: rook1.exe File opened (read-only) \??\P: rook1.exe File opened (read-only) \??\S: rook1.exe File opened (read-only) \??\B: rook1.exe File opened (read-only) \??\Q: rook1.exe File opened (read-only) \??\H: rook1.exe File opened (read-only) \??\J: rook1.exe File opened (read-only) \??\K: rook1.exe File opened (read-only) \??\L: rook1.exe File opened (read-only) \??\V: rook1.exe File opened (read-only) \??\I: rook1.exe File opened (read-only) \??\A: rook1.exe File opened (read-only) \??\F: rook1.exe File opened (read-only) \??\G: rook1.exe File opened (read-only) \??\Z: rook1.exe File opened (read-only) \??\X: rook1.exe File opened (read-only) \??\M: rook1.exe File opened (read-only) \??\R: rook1.exe File opened (read-only) \??\Y: rook1.exe File opened (read-only) \??\U: rook1.exe File opened (read-only) \??\N: rook1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1740 vssadmin.exe 760 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1628 rook1.exe 1628 rook1.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 756 vssvc.exe Token: SeRestorePrivilege 756 vssvc.exe Token: SeAuditPrivilege 756 vssvc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1628 wrote to memory of 268 1628 rook1.exe 28 PID 1628 wrote to memory of 268 1628 rook1.exe 28 PID 1628 wrote to memory of 268 1628 rook1.exe 28 PID 268 wrote to memory of 760 268 cmd.exe 30 PID 268 wrote to memory of 760 268 cmd.exe 30 PID 268 wrote to memory of 760 268 cmd.exe 30 PID 1628 wrote to memory of 1848 1628 rook1.exe 34 PID 1628 wrote to memory of 1848 1628 rook1.exe 34 PID 1628 wrote to memory of 1848 1628 rook1.exe 34 PID 1848 wrote to memory of 1740 1848 cmd.exe 36 PID 1848 wrote to memory of 1740 1848 cmd.exe 36 PID 1848 wrote to memory of 1740 1848 cmd.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\rook1.exe"C:\Users\Admin\AppData\Local\Temp\rook1.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:760
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1740
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:756