General

  • Target

    a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e

  • Size

    126KB

  • Sample

    240528-flmyeagd72

  • MD5

    84134031ba193cf5cc6da995ce298cd2

  • SHA1

    e955ce1fa9b31084c822cc641f49a28859b82371

  • SHA256

    a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e

  • SHA512

    cab52649cb176c160efccb21b8a3c3f16311ba30e25c86e1c6878a84fe4a60c9d1073f2df673c05823145fb27fb0879703bd8c8daaeac13ff310e39d3c5f3c6f

  • SSDEEP

    3072:BNEp/EAS/mhYugM7vewJ8oJno9Xxh+tuk0oFaWJxT6XyzJ53Lnhdgddz5:nEpBduutSwJ8oJn8X+turkJ/6Xy57hS1

Score
10/10

Malware Config

Extracted

Path

C:\Program Files (x86)\!nissenvelten!HOW_TO_RESTORE.log

Family

rook

Ransom Note
Hello! We warned you, but you even didn't replied Forced shutdown of devices can lead to the loss of all data. Do not forcibly disconnect storage volumes from hosts, don't interrupt process. Damaged information cannot be recovered. All data is properly protected against unauthorized access by steady encryption technology. We have downloaded essential data of company: - Huge amount of files, including: HR,Financial,Accounting,... - Large amounts of personal records of your employees and residents. - about 1TB (!!!) of data! In case if you refuse to cooperate with us, all essential data will be sold or published at dark marketplace. Full details and proofs will be provided in case of contacting us by following emails. [email protected] [email protected] It's just a business. We can help you to quickly recover all your files. We will explain what kind of vulnerability was used to hack your network. If you will not cooperate with us, you will never know how your network was compromised. We guarantee this will happen again. We can decrypt 2 small files (up to 1MB) for free. Send files by email. Register new email account at secure mail service like mailfence, protonmail to be sure that outgoing email not blocked by spam filter. Don't use gmail! WARNING! Don't report to police. They will suspend financial activity of company and negotiation process.

Targets

    • Rook

Rook is a ransomware family that copies code from the NightSky ransomware.

    • Renames multiple (7076) files by appending a filename extension

      This indicates ransomware activity: the files on the system are being encrypted and renamed.
