Analysis
-
max time kernel
4294179s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20220311-en -
submitted
14-03-2022 18:59
Static task
static1
Behavioral task
behavioral1
Sample
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe
Resource
win7-20220311-en
Behavioral task
behavioral2
Sample
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe
Resource
win10v2004-en-20220113
General
-
Target
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe
-
Size
170KB
-
MD5
bec9b3480934ce3d30c25e1272f60d02
-
SHA1
104d9e31e34ba8517f701552594f1fc167550964
-
SHA256
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789
-
SHA512
99ebdaf100af272678b92cdb0743cdb6a1b4a8ecc83a1fb3127dfc53bf609a655715bf9ee3a4a7dbee7ae21cb5ff98283772d9bf5641e394b7e3c21a1010cdbc
Malware Config
Extracted
C:\HowToRestoreYourFiles.txt
rook
Signatures
-
Rook
Rook is a ransomware which copies from NightSky ransomware.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exedescription ioc Process File renamed C:\Users\Admin\Pictures\InitializeMount.crw => C:\Users\Admin\Pictures\InitializeMount.crw.Rook f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened for modification C:\Users\Admin\Pictures\InvokeGrant.raw.Rook f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened for modification C:\Users\Admin\Pictures\InitializeMount.crw.Rook f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File renamed C:\Users\Admin\Pictures\ExitRestore.png => C:\Users\Admin\Pictures\ExitRestore.png.Rook f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened for modification C:\Users\Admin\Pictures\ExitRestore.png.Rook f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File renamed C:\Users\Admin\Pictures\InvokeGrant.raw => C:\Users\Admin\Pictures\InvokeGrant.raw.Rook f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe -
Deletes itself 1 IoCs
Processes:
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exepid Process 1972 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exedescription ioc Process File opened (read-only) \??\G: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\H: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\B: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\N: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\Q: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\A: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\S: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\P: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\F: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\X: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\V: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\M: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\E: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\R: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\U: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\W: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\J: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\K: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\O: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\L: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\Z: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\T: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\Y: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe File opened (read-only) \??\I: f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid Process 536 vssadmin.exe 988 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exepid Process 1972 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exepid Process 1972 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid Process Token: SeBackupPrivilege 2008 vssvc.exe Token: SeRestorePrivilege 2008 vssvc.exe Token: SeAuditPrivilege 2008 vssvc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.execmd.execmd.exedescription pid Process procid_target PID 1972 wrote to memory of 1564 1972 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe 28 PID 1972 wrote to memory of 1564 1972 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe 28 PID 1972 wrote to memory of 1564 1972 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe 28 PID 1564 wrote to memory of 536 1564 cmd.exe 30 PID 1564 wrote to memory of 536 1564 cmd.exe 30 PID 1564 wrote to memory of 536 1564 cmd.exe 30 PID 1972 wrote to memory of 972 1972 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe 34 PID 1972 wrote to memory of 972 1972 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe 34 PID 1972 wrote to memory of 972 1972 f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe 34 PID 972 wrote to memory of 988 972 cmd.exe 36 PID 972 wrote to memory of 988 972 cmd.exe 36 PID 972 wrote to memory of 988 972 cmd.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe"C:\Users\Admin\AppData\Local\Temp\f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe"1⤵
- Modifies extensions of user files
- Deletes itself
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:536
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:988
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008