Resubmissions

11-01-2022 18:27

220111-w33m7agfg9 10

20-12-2021 20:51

211220-zm6xfsbge6 10

Analysis

  • max time kernel
    256s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    11-01-2022 18:27

General

  • Target

    rook1.exe

  • Size

    5.4MB

  • MD5

    4f7adc32ec67c1a55853ef828fe58707

  • SHA1

    36de7997949ac3b9b456023fb072b9a8cd84ade8

  • SHA256

    96f7df1c984c1753289600f7f373f3a98a4f09f82acc1be8ecfd5790763a355b

  • SHA512

    a45e4a20133c842037789157c3ed845afdefbb0d2fe3958d75f0cb3cdfeee106262f9de0e0aca92ac84a0211432cd19773e0f769b970ddb8a80e5f7855676f74

Malware Config

Extracted

Path

C:\PerfLogs\HowToRestoreYourFiles.txt

Family

rook

Ransom Note
-----------Welcome. Again. --------------------
[+]Whats Happen?[+]
Your files are encrypted,and currently unavailable. You can check it: all files on you computer has expansion robet.
By the way,everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees?[+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the file capacity, please send 3 files not larger than 1M to us, and we will prove that we are capable of restoring.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data,cause just we have the private key. In practise - time is much more valuable than money.
If we find that a security vendor or law enforcement agency pretends to be you to negotiate with us, we will directly destroy the private key and no longer provide you with decryption services.
You have 3 days to contact us for negotiation. Within 3 days, we will provide a 50% discount. If the discount service is not provided for more than 3 days, the files will be leaked to our onion network. Every more than 3 days will increase the number of leaked files.
Please use the company email to contact us, otherwise we will not reply.
[+] How to get access on website?[+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site:https://torproject.org/
b) Open our website:gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion
2) Our mail box:
a)rook@onionmail.org
b)securityRook@onionmail.org
c)If the mailbox fails or is taken over, please open Onion Network to check the new mailbox
------------------------------------------------------------------------------------------------
!!!DANGER!!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!!!!!! AGAIN: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, please should not interfere.
!!!!!!! ONE MORE TIME: Security vendors and law enforcement agencies, please be aware that attacks on us will make us even stronger. !!!!!!!
Emails

a)rook@onionmail.org

b)securityRook@onionmail.org
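Pulling the contact indicators out of a note like the one above is the first thing an analyst does with it. The script below is an added example, not part of the sandbox report: it extracts v3/v2 onion hosts and e-mail addresses with regular expressions, de-duplicates them, and defangs them for sharing. NOTE is a constructed excerpt of the quoted note, kept with the "a)"/"b)" prefixes so the extractor has to cope with them.

```python
import re
from typing import Dict, List

# Constructed excerpt of the ransom note quoted in the report above.
NOTE = (
    "b) Open our website:"
    "gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion "
    "2) Our mail box: a)rook@onionmail.org b)securityRook@onionmail.org "
    "c)If the mailbox fails or is taken over, please open Onion Network"
)

# v3 onion services are 56 base32 characters; the retired v2 form was 16.
ONION_RE = re.compile(r"\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b")
# Deliberately simple address matcher: local part, '@', labels, TLD.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Return de-duplicated, sorted onion hosts and e-mail addresses found in text."""
    return {
        "onion": sorted(set(ONION_RE.findall(text))),
        "email": sorted(set(EMAIL_RE.findall(text))),
    }


def defang(indicator: str) -> str:
    """Bracket the last dot so the indicator is not clickable when shared."""
    head, sep, tail = indicator.rpartition(".")
    return f"{head}[.]{tail}" if sep else indicator


def defanged_iocs(text: str) -> Dict[str, List[str]]:
    """Same as extract_iocs but with every indicator defanged."""
    return {kind: [defang(i) for i in items] for kind, items in extract_iocs(text).items()}


if __name__ == "__main__":
    for kind, items in defanged_iocs(NOTE).items():
        for item in items:
            print(f"{kind}: {item}")
```

The regexes are intentionally strict about the onion label length; a looser pattern would also pick up random base32-looking strings in encrypted-file names, which in this family end in a custom extension.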

Signatures

  • Rook

    Rook is a ransomware family that shares its code base with NightSky; both are built on the leaked Babuk source.

  • Deletes shadow copies 2 TTPs

    Ransomware often deletes backups and Volume Shadow Copies to inhibit system recovery (T1490). Here rook1.exe (PID 2424) launches cmd.exe twice to run vssadmin.exe delete shadows /all /quiet; see Processes.

  • Executes dropped EXE 3 IoCs (all three hits are HxDSetup.tmp and HxD.exe from the HxD installer run in the analysis session, not a payload written by rook1.exe; see Processes)
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • VMProtect packed file 1 IoCs

    Detects executables packed with the VMProtect commercial packer, which hinders static analysis of the sample.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 8 IoCs (HxDSetup.tmp installing HxD into C:\Program Files\HxD; see Processes)
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read to detect sandbox environments. In this run the hit is on firefox.exe (PID 2292), not on rook1.exe, so it is not evidence of sandbox evasion by the sample.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 2 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rook1.exe
    "C:\Users\Admin\AppData\Local\Temp\rook1.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2972
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:668
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:352
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4080
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HowToRestoreYourFiles.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1372
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.0.362930531\1637752897" -parentBuildID 20200403170909 -prefsHandle 1532 -prefMapHandle 1196 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 1612 gpu
        3⤵
        PID:3228
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.3.1026824613\1963083986" -childID 1 -isForBrowser -prefsHandle 2172 -prefMapHandle 2112 -prefsLen 156 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 1344 tab
        3⤵
        PID:252
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.13.1115367397\557600314" -childID 2 -isForBrowser -prefsHandle 3412 -prefMapHandle 3408 -prefsLen 7013 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 3464 tab
        3⤵
        PID:4044
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.20.1344329058\1002893433" -childID 3 -isForBrowser -prefsHandle 2784 -prefMapHandle 4472 -prefsLen 7784 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 4284 tab
        3⤵
        PID:740
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:420
  • C:\Users\Admin\AppData\Local\Temp\Temp1_HxDSetup.zip\HxDSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_HxDSetup.zip\HxDSetup.exe"
    1⤵
    PID:2608
    • C:\Users\Admin\AppData\Local\Temp\is-HDKK1.tmp\HxDSetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-HDKK1.tmp\HxDSetup.tmp" /SL5="$3023C,2973524,121344,C:\Users\Admin\AppData\Local\Temp\Temp1_HxDSetup.zip\HxDSetup.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:2988
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\HxD\readme.txt
        3⤵
        PID:2056
      • C:\Program Files\HxD\HxD.exe
        "C:\Program Files\HxD\HxD.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:2536
        • C:\Program Files\HxD\HxD.exe
          "C:\Program Files\HxD\HxD.exe" /chooselang
          4⤵
          • Executes dropped EXE
          PID:3200
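Detection logic over process-creation events, written for the tree above; this is an added example, not sandbox output. It rebuilds parent/child links, flags recovery-inhibition command lines (T1490) and attributes each hit to the root of its tree, so the two vssadmin.exe runs (and the cmd.exe wrappers that carry the same command line) land on rook1.exe, while the HxD installer and vssvc.exe (started by the service manager, not by the sample) stay clean. The event tuples are constructed from the PIDs and command lines in the report; their parent PIDs are assumed, since the page shows nesting rather than PPIDs.

```python
import re
from typing import Dict, List, Tuple

Event = Tuple[int, int, str, str]  # pid, ppid, image path, command line

# Constructed events built from the process tree above. PPIDs are assumed;
# 1000 stands in for the shell that started each top-level process.
# Unrelated session activity (HxD installer) is included on purpose.
EVENTS: List[Event] = [
    (2424, 1000, r"C:\Users\Admin\AppData\Local\Temp\rook1.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\rook1.exe"'),
    (3548, 2424, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet'),
    (2972, 3548, r"C:\Windows\system32\vssadmin.exe",
     r"vssadmin.exe delete shadows /all /quiet"),
    (668, 2424, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet'),
    (352, 668, r"C:\Windows\system32\vssadmin.exe",
     r"vssadmin.exe delete shadows /all /quiet"),
    (4080, 1000, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    (2608, 1000, r"C:\Users\Admin\AppData\Local\Temp\Temp1_HxDSetup.zip\HxDSetup.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Temp1_HxDSetup.zip\HxDSetup.exe"'),
    (2536, 2608, r"C:\Program Files\HxD\HxD.exe", r'"C:\Program Files\HxD\HxD.exe"'),
]

# Command-line patterns for inhibiting recovery (ATT&CK T1490), matched
# against the lowercased command line so casing tricks do not evade them.
T1490_PATTERNS = {
    "vssadmin delete shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows"),
    "wmic shadowcopy delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    "wbadmin delete catalog": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog"),
    "bcdedit recoveryenabled no": re.compile(r"bcdedit(?:\.exe)?\s+/set\s+.*recoveryenabled\s+no"),
}


def root_ancestor(pid: int, parents: Dict[int, int]) -> int:
    """Follow PPID links to the topmost process that has its own creation event."""
    seen = {pid}
    while parents.get(pid) in parents:
        pid = parents[pid]
        if pid in seen:          # guard against PID reuse producing a cycle
            break
        seen.add(pid)
    return pid


def find_recovery_inhibition(events: List[Event]) -> List[dict]:
    """Flag T1490 command lines and attribute each to the root of its process tree."""
    parents = {pid: ppid for pid, ppid, _, _ in events}
    images = {pid: image for pid, _, image, _ in events}
    hits = []
    for pid, _, image, cmdline in events:
        low = cmdline.lower()
        for technique, pattern in T1490_PATTERNS.items():
            if pattern.search(low):
                root = root_ancestor(pid, parents)
                hits.append({"pid": pid, "image": image, "technique": technique,
                             "root_pid": root, "root_image": images[root]})
                break
    return hits


def hits_by_root(events: List[Event]) -> Dict[int, List[int]]:
    """Map each root PID to the sorted PIDs under it that matched a T1490 pattern."""
    grouped: Dict[int, List[int]] = {}
    for hit in find_recovery_inhibition(events):
        grouped.setdefault(hit["root_pid"], []).append(hit["pid"])
    return {root: sorted(pids) for root, pids in grouped.items()}


if __name__ == "__main__":
    for root, pids in hits_by_root(EVENTS).items():
        print(f"root PID {root}: recovery inhibition by PIDs {pids}")
```

Flagging the cmd.exe wrapper as well as vssadmin.exe is deliberate: if a control blocks the child before it starts, the parent's command line is still the record that the attempt was made, and attribution to the root keeps the alert on rook1.exe rather than on a system binary.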

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion
  • T1107 File Deletion (2 signatures)

Discovery
  • T1012 Query Registry (3 signatures)
  • T1120 Peripheral Device Discovery (1 signature)
  • T1082 System Information Discovery (3 signatures)

Impact
  • T1490 Inhibit System Recovery (2 signatures)

Downloads

  • C:\Program Files\HxD\HxD.exe
    MD5

    14fca45f383b3de689d38f45c283f71f

    SHA1

    5cb16e51c3bb3c63613ffd6d77505db7c5aa4ed6

    SHA256

    9d460040a454deeb3fe69300fe6b9017350e1efcb1f52f7f14a4702d96cb45ca

    SHA512

    0014192bd5f0eb8b2cd80042937ccc0228ff19123b10ee938e3b72a080e3f8d3d215f62b68810d4e06b5fad8322d0327dcd17d0a29fd0db570c0cd7da825634c

  • C:\Program Files\HxD\readme.txt
    MD5

    0755d4e1fdf379c36369e96f6f6d8fa8

    SHA1

    f0d81e81e06fb10d2844acdad3a89e32ac624ec2

    SHA256

    ca4f74de91db68db75a685640957140c42d8d01659c20cf72eb771a0f7bcba2d

    SHA512

    56982440f67d2a04418e885cccdb9c1916a69ca58564d660fef8a8d88ed74c949b99ddff4da1bf6f654e6f3003488a5e2d3426cf64b055bdd51a423648334e3f

  • C:\Users\Admin\AppData\Local\Temp\is-HDKK1.tmp\HxDSetup.tmp
    MD5

    34acc2bdb45a9c436181426828c4cb49

    SHA1

    5adaa1ac822e6128b8d4b59a54d19901880452ae

    SHA256

    9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07

    SHA512

    134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

  • C:\Users\Admin\AppData\Roaming\Mael Horz\HxD Hex Editor\HxD Hex Editor.lang
    MD5

    392b810f865591aa5ec210e849ae769f

    SHA1

    f3fd0c8f2a347e168ef392e38c52f4134987a3a6

    SHA256

    78b33626b46709ebe04edd99ea813ed291183bebb025ea5e4783ca2260811943

    SHA512

    5d650d9045243ce2495a845683b3252419bc283fe9ecec85b56de0a179a5df77d8ddf8ccb41ff555043bf1e9a3c9a0a3e1efec17cc2d291b5236589a80df0f04

  • C:\Users\Public\Desktop\HowToRestoreYourFiles.txt
    MD5

    00f71cde522689585eaa9c62385afa22

    SHA1

    350e319806f7a71267a5e4a749eb190ead38dbb0

    SHA256

    b14ec2fcccac5059464e800edf56049c0277124abd60ee49c1f726861df925bf

    SHA512

    47442d335f16e259c4593370467c741ac2b41f329330afdd649b89b44c4233edd7d2af70883403993d6022c617235c20b89ae667ca4b3f82d678836adc34f4df

  • memory/352-122-0x0000000000000000-mapping.dmp
  • memory/668-121-0x0000000000000000-mapping.dmp
  • memory/2056-131-0x0000000000000000-mapping.dmp
  • memory/2424-115-0x00007FF7DCE80000-0x00007FF7DD79D000-memory.dmp
    Filesize

    9.1MB

  • memory/2424-119-0x00007FF9CAD10000-0x00007FF9CAD12000-memory.dmp
    Filesize

    8KB

  • memory/2536-132-0x0000000000000000-mapping.dmp
  • memory/2536-139-0x0000000000AB0000-0x0000000000AB1000-memory.dmp
    Filesize

    4KB

  • memory/2536-140-0x0000000002C40000-0x0000000002C41000-memory.dmp
    Filesize

    4KB

  • memory/2608-128-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

  • memory/2972-120-0x0000000000000000-mapping.dmp
  • memory/2988-126-0x0000000000000000-mapping.dmp
  • memory/2988-129-0x0000000000600000-0x000000000074A000-memory.dmp
    Filesize

    1.3MB

  • memory/3200-135-0x0000000000000000-mapping.dmp
  • memory/3548-118-0x0000000000000000-mapping.dmp