Resubmissions

11-01-2022 18:27

220111-w33m7agfg9 10

20-12-2021 20:51

211220-zm6xfsbge6 10

Analysis

  • max time kernel
    256s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    11-01-2022 18:27

General

  • Target

    rook1.exe

  • Size

    5.4MB

  • MD5

    4f7adc32ec67c1a55853ef828fe58707

  • SHA1

    36de7997949ac3b9b456023fb072b9a8cd84ade8

  • SHA256

    96f7df1c984c1753289600f7f373f3a98a4f09f82acc1be8ecfd5790763a355b

  • SHA512

    a45e4a20133c842037789157c3ed845afdefbb0d2fe3958d75f0cb3cdfeee106262f9de0e0aca92ac84a0211432cd19773e0f769b970ddb8a80e5f7855676f74

Malware Config

Extracted

Path

C:\PerfLogs\HowToRestoreYourFiles.txt

Family

rook

Ransom Note
-----------Welcome. Again. --------------------
[+]Whats Happen?[+]
Your files are encrypted,and currently unavailable. You can check it: all files on you computer has expansion robet. By the way,everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees?[+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the file capacity, please send 3 files not larger than 1M to us, and we will prove that we are capable of restoring. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data,cause just we have the private key. In practise - time is much more valuable than money. If we find that a security vendor or law enforcement agency pretends to be you to negotiate with us, we will directly destroy the private key and no longer provide you with decryption services. You have 3 days to contact us for negotiation. Within 3 days, we will provide a 50% discount. If the discount service is not provided for more than 3 days, the files will be leaked to our onion network. Every more than 3 days will increase the number of leaked files. Please use the company email to contact us, otherwise we will not reply.
[+] How to get access on website?[+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site:https://torproject.org/
b) Open our website:gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion
2) Our mail box:
a)[email protected]
b)[email protected]
c)If the mailbox fails or is taken over, please open Onion Network to check the new mailbox
------------------------------------------------------------------------------------------------
!!!DANGER!!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!!!!!! AGAIN: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, please should not interfere.
!!!!!!! ONE MORE TIME: Security vendors and law enforcement agencies, please be aware that attacks on us will make us even stronger. !!!!!!!

Signatures

  • Rook

    Rook is a ransomware family that copies from the NightSky ransomware.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 3 IoCs
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 2 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rook1.exe
    "C:\Users\Admin\AppData\Local\Temp\rook1.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2972
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:668
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:352
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4080
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HowToRestoreYourFiles.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1372
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.0.362930531\1637752897" -parentBuildID 20200403170909 -prefsHandle 1532 -prefMapHandle 1196 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 1612 gpu
        3⤵
        PID:3228
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.3.1026824613\1963083986" -childID 1 -isForBrowser -prefsHandle 2172 -prefMapHandle 2112 -prefsLen 156 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 1344 tab
        3⤵
        PID:252
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.13.1115367397\557600314" -childID 2 -isForBrowser -prefsHandle 3412 -prefMapHandle 3408 -prefsLen 7013 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 3464 tab
        3⤵
        PID:4044
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.20.1344329058\1002893433" -childID 3 -isForBrowser -prefsHandle 2784 -prefMapHandle 4472 -prefsLen 7784 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 4284 tab
        3⤵
        PID:740
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:420
  • C:\Users\Admin\AppData\Local\Temp\Temp1_HxDSetup.zip\HxDSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_HxDSetup.zip\HxDSetup.exe"
    1⤵
    PID:2608
    • C:\Users\Admin\AppData\Local\Temp\is-HDKK1.tmp\HxDSetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-HDKK1.tmp\HxDSetup.tmp" /SL5="$3023C,2973524,121344,C:\Users\Admin\AppData\Local\Temp\Temp1_HxDSetup.zip\HxDSetup.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:2988
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\HxD\readme.txt
        3⤵
        PID:2056
      • C:\Program Files\HxD\HxD.exe
        "C:\Program Files\HxD\HxD.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:2536
        • C:\Program Files\HxD\HxD.exe
          "C:\Program Files\HxD\HxD.exe" /chooselang
          4⤵
          • Executes dropped EXE
          PID:3200

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2424-115-0x00007FF7DCE80000-0x00007FF7DD79D000-memory.dmp

    Filesize

    9.1MB

  • memory/2424-119-0x00007FF9CAD10000-0x00007FF9CAD12000-memory.dmp

    Filesize

    8KB

  • memory/2536-139-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

    Filesize

    4KB

  • memory/2536-140-0x0000000002C40000-0x0000000002C41000-memory.dmp

    Filesize

    4KB

  • memory/2608-128-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2988-129-0x0000000000600000-0x000000000074A000-memory.dmp

    Filesize

    1.3MB