Analysis
-
max time kernel
93s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
13-04-2023 21:53
Behavioral task
behavioral1
Sample
rook.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
rook.exe
Resource
win10v2004-20230220-en
General
-
Target
rook.exe
-
Size
5.4MB
-
MD5
4f7adc32ec67c1a55853ef828fe58707
-
SHA1
36de7997949ac3b9b456023fb072b9a8cd84ade8
-
SHA256
96f7df1c984c1753289600f7f373f3a98a4f09f82acc1be8ecfd5790763a355b
-
SHA512
a45e4a20133c842037789157c3ed845afdefbb0d2fe3958d75f0cb3cdfeee106262f9de0e0aca92ac84a0211432cd19773e0f769b970ddb8a80e5f7855676f74
-
SSDEEP
98304:HMIyl5cyXqgUVcIIsuwHW2doNtUIXmUIHWnS3f1sISlIf9FxefJMb:pyzcyrUVxhB2hXk2nStsHl4VyJ
Malware Config
Extracted
C:\Recovery\HowToRestoreYourFiles.txt
rook
Signatures
-
Rook
Rook is a ransomware which copies from NightSky ransomware.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 21 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
rook.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\ClearUnlock.png.Rook rook.exe File renamed C:\Users\Admin\Pictures\SyncRestore.raw => C:\Users\Admin\Pictures\SyncRestore.raw.Rook rook.exe File renamed C:\Users\Admin\Pictures\UnblockGrant.tif => C:\Users\Admin\Pictures\UnblockGrant.tif.Rook rook.exe File opened for modification C:\Users\Admin\Pictures\UnblockGrant.tif.Rook rook.exe File opened for modification C:\Users\Admin\Pictures\StartProtect.png.Rook rook.exe File opened for modification C:\Users\Admin\Pictures\AssertSubmit.tif.Rook rook.exe File renamed C:\Users\Admin\Pictures\ClearUnlock.png => C:\Users\Admin\Pictures\ClearUnlock.png.Rook rook.exe File renamed C:\Users\Admin\Pictures\ConvertDisconnect.raw => C:\Users\Admin\Pictures\ConvertDisconnect.raw.Rook rook.exe File renamed C:\Users\Admin\Pictures\NewClear.crw => C:\Users\Admin\Pictures\NewClear.crw.Rook rook.exe File opened for modification C:\Users\Admin\Pictures\NewClear.crw.Rook rook.exe File renamed C:\Users\Admin\Pictures\RegisterFormat.raw => C:\Users\Admin\Pictures\RegisterFormat.raw.Rook rook.exe File renamed C:\Users\Admin\Pictures\RemoveFormat.raw => C:\Users\Admin\Pictures\RemoveFormat.raw.Rook rook.exe File renamed C:\Users\Admin\Pictures\TestExit.tiff => C:\Users\Admin\Pictures\TestExit.tiff.Rook rook.exe File renamed C:\Users\Admin\Pictures\AssertSubmit.tif => C:\Users\Admin\Pictures\AssertSubmit.tif.Rook rook.exe File opened for modification C:\Users\Admin\Pictures\TestExit.tiff.Rook rook.exe File renamed C:\Users\Admin\Pictures\StartProtect.png => C:\Users\Admin\Pictures\StartProtect.png.Rook rook.exe File opened for modification C:\Users\Admin\Pictures\SyncRestore.raw.Rook rook.exe File opened for modification C:\Users\Admin\Pictures\TestExit.tiff rook.exe File opened for modification C:\Users\Admin\Pictures\RegisterFormat.raw.Rook rook.exe File opened for modification C:\Users\Admin\Pictures\RemoveFormat.raw.Rook rook.exe File opened for modification C:\Users\Admin\Pictures\ConvertDisconnect.raw.Rook rook.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
rook.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation rook.exe -
Processes:
resource yara_rule behavioral2/memory/4884-134-0x00007FF6462C0000-0x00007FF646BDD000-memory.dmp vmprotect -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rook.exedescription ioc process File opened (read-only) \??\Z: rook.exe File opened (read-only) \??\X: rook.exe File opened (read-only) \??\Q: rook.exe File opened (read-only) \??\R: rook.exe File opened (read-only) \??\P: rook.exe File opened (read-only) \??\J: rook.exe File opened (read-only) \??\K: rook.exe File opened (read-only) \??\E: rook.exe File opened (read-only) \??\S: rook.exe File opened (read-only) \??\H: rook.exe File opened (read-only) \??\L: rook.exe File opened (read-only) \??\V: rook.exe File opened (read-only) \??\B: rook.exe File opened (read-only) \??\T: rook.exe File opened (read-only) \??\Y: rook.exe File opened (read-only) \??\U: rook.exe File opened (read-only) \??\I: rook.exe File opened (read-only) \??\G: rook.exe File opened (read-only) \??\N: rook.exe File opened (read-only) \??\W: rook.exe File opened (read-only) \??\O: rook.exe File opened (read-only) \??\A: rook.exe File opened (read-only) \??\F: rook.exe File opened (read-only) \??\M: rook.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 3532 vssadmin.exe 4288 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
rook.exepid process 4884 rook.exe 4884 rook.exe 4884 rook.exe 4884 rook.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 4664 vssvc.exe Token: SeRestorePrivilege 4664 vssvc.exe Token: SeAuditPrivilege 4664 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
rook.execmd.execmd.exedescription pid process target process PID 4884 wrote to memory of 3064 4884 rook.exe cmd.exe PID 4884 wrote to memory of 3064 4884 rook.exe cmd.exe PID 3064 wrote to memory of 3532 3064 cmd.exe vssadmin.exe PID 3064 wrote to memory of 3532 3064 cmd.exe vssadmin.exe PID 4884 wrote to memory of 1724 4884 rook.exe cmd.exe PID 4884 wrote to memory of 1724 4884 rook.exe cmd.exe PID 1724 wrote to memory of 4288 1724 cmd.exe vssadmin.exe PID 1724 wrote to memory of 4288 1724 cmd.exe vssadmin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\rook.exe"C:\Users\Admin\AppData\Local\Temp\rook.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3532
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4288
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4664
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD500f71cde522689585eaa9c62385afa22
SHA1350e319806f7a71267a5e4a749eb190ead38dbb0
SHA256b14ec2fcccac5059464e800edf56049c0277124abd60ee49c1f726861df925bf
SHA51247442d335f16e259c4593370467c741ac2b41f329330afdd649b89b44c4233edd7d2af70883403993d6022c617235c20b89ae667ca4b3f82d678836adc34f4df