Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    18-03-2022 20:38

General

  • Target

    Rook_f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe

  • Size

    170KB

  • MD5

    bec9b3480934ce3d30c25e1272f60d02

  • SHA1

    104d9e31e34ba8517f701552594f1fc167550964

  • SHA256

    f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789

  • SHA512

    99ebdaf100af272678b92cdb0743cdb6a1b4a8ecc83a1fb3127dfc53bf609a655715bf9ee3a4a7dbee7ae21cb5ff98283772d9bf5641e394b7e3c21a1010cdbc

Score
10/10

Malware Config

Extracted

Path

C:\HowToRestoreYourFiles.txt

Family

rook

Ransom Note
-----------Welcome. Again. -------------------- [+]Whats Happen?[+] Your files are encrypted,and currently unavailable. You can check it: all files on you computer has expansion robet. By the way,everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees?[+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the file capacity, please send 3 files not larger than 1M to us, and we will prove that we are capable of restoring. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data,cause just we have the private key. In practise - time is much more valuable than money. If we find that a security vendor or law enforcement agency pretends to be you to negotiate with us, we will directly destroy the private key and no longer provide you with decryption services. You have 3 days to contact us for negotiation. Within 3 days, we will provide a 50% discount. If the discount service is not provided for more than 3 days, the files will be leaked to our onion network. Every more than 3 days will increase the number of leaked files. Please use the company email to contact us, otherwise we will not reply. [+] How to get access on website?[+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site:https://torproject.org/ b) Open our website:gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion 2) Our mail box: a)[email protected] b)[email protected] c)If the mailbox fails or is taken over, please open Onion Network to check the new mailbox ------------------------------------------------------------------------------------------------ !!!DANGER!!! 
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!!!!!! AGAIN: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, please should not interfere. !!!!!!! ONE MORE TIME: Security vendors and law enforcement agencies, please be aware that attacks on us will make us even stronger. !!!!!!!

Signatures

  • Rook

    Rook is a ransomware family whose code is copied from NightSky ransomware.

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files (22 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself (1 IoC)
  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies (2 TTPs, 2 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Rook_f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe
    "C:\Users\Admin\AppData\Local\Temp\Rook_f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Deletes itself
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3132
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4740
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1260
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:484
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    1⤵
    • Modifies data under HKEY_USERS
    PID:3356
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\HowToRestoreYourFiles.txt
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2856
  • C:\Windows\system32\notepad.exe
    "C:\Windows\system32\notepad.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3588

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    T1107 File Deletion (2)

  • Discovery
    T1012 Query Registry (2)
    T1082 System Information Discovery (3)
    T1120 Peripheral Device Discovery (1)

  • Impact
    T1490 Inhibit System Recovery (2)

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\HowToRestoreYourFiles.txt
    MD5

    00f71cde522689585eaa9c62385afa22

    SHA1

    350e319806f7a71267a5e4a749eb190ead38dbb0

    SHA256

    b14ec2fcccac5059464e800edf56049c0277124abd60ee49c1f726861df925bf

    SHA512

    47442d335f16e259c4593370467c741ac2b41f329330afdd649b89b44c4233edd7d2af70883403993d6022c617235c20b89ae667ca4b3f82d678836adc34f4df

  • C:\Users\Admin\Desktop\UnprotectOpen.avi.Rook
    MD5

    d74ec27d01fa0906eaf948a68f9d8a7c

    SHA1

    408c8e55248f86b11920426b9d0889c4e6cbc7cb

    SHA256

    09158d2389dfe3df5ae64de68089364595b614fd3fafdcd0c0f9cc370777bc6b

    SHA512

    d24ddaa0f21492cdb0e5b7f2be4346ecf2c0cdbdabdf65fdcacbf5529389466a1409713231a2f3de0b3a20f549add7b6ecba4412d5695b73c267c168f121544d

  • memory/3356-130-0x000001E93E260000-0x000001E93E270000-memory.dmp
    Filesize

    64KB

  • memory/3356-131-0x000001E93E2C0000-0x000001E93E2D0000-memory.dmp
    Filesize

    64KB

  • memory/3356-132-0x000001E940870000-0x000001E940874000-memory.dmp
    Filesize

    16KB