Overview

overview

10

Static

static

8

c2d46d256b...ac.exe

windows7_x64

10

c2d46d256b...ac.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    17s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    14/01/2022, 18:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac.exe

  • Size

    405KB

  • MD5

    6d87be9212a1a0e92e58e1ed94c589f9

  • SHA1

    19ce538b2597da454abf835cff676c28b8eb66f7

  • SHA256

    c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac

  • SHA512

    278cc5f0215058c6c6943f9e432a335cb824bbb44437b9e28cb4a2ba710e0485aa1388e8a06257b0eaea7aceeb8dabe57663e62b83f0e517eb53a8d3ff7aec67

Score
10/10
rookransomware

Malware Config

Extracted

Path

C:\HowToRestoreYourFiles.txt

Family

rook

Ransom Note
-----------Welcome. Again. -------------------- [+]Whats Happen?[+] Your files are encrypted,and currently unavailable. You can check it: all files on you computer has expansion robet. By the way,everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees?[+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the file capacity, please send 3 files not larger than 1M to us, and we will prove that we are capable of restoring. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data,cause just we have the private key. In practise - time is much more valuable than money. If we find that a security vendor or law enforcement agency pretends to be you to negotiate with us, we will directly destroy the private key and no longer provide you with decryption services. You have 3 days to contact us for negotiation. Within 3 days, we will provide a 50% discount. If the discount service is not provided for more than 3 days, the files will be leaked to our onion network. Every more than 3 days will increase the number of leaked files. Please use the company email to contact us, otherwise we will not reply. [+] How to get access on website?[+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site:https://torproject.org/ b) Open our website:gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion 2) Our mail box: a)[email protected] b)[email protected] c)If the mailbox fails or is taken over, please open Onion Network to check the new mailbox ------------------------------------------------------------------------------------------------ !!!DANGER!!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!!!!!! AGAIN: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, please should not interfere. !!!!!!! ONE MORE TIME: Security vendors and law enforcement agencies, please be aware that attacks on us will make us even stronger. !!!!!!!

Signatures

  • Rook

    Rook is a ransomware which copies from NightSky ransomware.

    ransomwarerook
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac.exe
    "C:\Users\Admin\AppData\Local\Temp\c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac.exe"
    1⤵
    • Modifies extensions of user files
    • Deletes itself
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:468
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1384
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1848
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:908
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HowToRestoreYourFiles.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:308

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1756-54-0x000007FEFC261000-0x000007FEFC263000-memory.dmp

    Filesize

    8KB

    Download