General
-
Target
SIR6207.7z
-
Size
4.9MB
-
Sample
230419-1c6dlsfd9t
-
MD5
456992e7240468608d46742bd28be123
-
SHA1
cbbdae16d887fecb7d984b3c3a370f76f423e874
-
SHA256
4ed812a7bbb4b1d5fa0044bb17f8cf5ddfd526fd5216b7658f88ebaad2751e19
-
SHA512
7c2c1ebd75f5eb4ad44f03fbdd08895a447f95ea68f08f047e3bf14a4293e680c7d6fb25eb82744176e094829efa695ff4cad461778d70db35affe6951f7c9df
-
SSDEEP
98304:m3+7Her8Smlyi8zhSrgrpuNmCE1BwJQgXHip1cNcYYxNwmK15:nOBmlyiZPwCE4JQg3m1cNexi15
Behavioral task
behavioral1
Sample
rook.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
rook.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
C:\PerfLogs\HowToRestoreYourFiles.txt
rook
Targets
-
-
Target
rook.exe
-
Size
5.4MB
-
MD5
4f7adc32ec67c1a55853ef828fe58707
-
SHA1
36de7997949ac3b9b456023fb072b9a8cd84ade8
-
SHA256
96f7df1c984c1753289600f7f373f3a98a4f09f82acc1be8ecfd5790763a355b
-
SHA512
a45e4a20133c842037789157c3ed845afdefbb0d2fe3958d75f0cb3cdfeee106262f9de0e0aca92ac84a0211432cd19773e0f769b970ddb8a80e5f7855676f74
-
SSDEEP
98304:HMIyl5cyXqgUVcIIsuwHW2doNtUIXmUIHWnS3f1sISlIf9FxefJMb:pyzcyrUVxhB2hXk2nStsHl4VyJ
Score10/10-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-