rook | a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e

General

Target

a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
Size

126KB
MD5

84134031ba193cf5cc6da995ce298cd2
SHA1

e955ce1fa9b31084c822cc641f49a28859b82371
SHA256

a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e
SHA512

cab52649cb176c160efccb21b8a3c3f16311ba30e25c86e1c6878a84fe4a60c9d1073f2df673c05823145fb27fb0879703bd8c8daaeac13ff310e39d3c5f3c6f
SSDEEP

3072:BNEp/EAS/mhYugM7vewJ8oJno9Xxh+tuk0oFaWJxT6XyzJ53Lnhdgddz5:nEpBduutSwJ8oJn8X+turkJ/6Xy57hS1

Score

10^/10

rook ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\!nissenvelten!HOW_TO_RESTORE.log

Family

rook

Ransom Note

Hello! We warned you, but you even didn't replied Forced shutdown of devices can lead to the loss of all data. Do not forcibly disconnect storage volumes from hosts, don't interrupt process. Damaged information cannot be recovered. All data is properly protected against unauthorized access by steady encryption technology. We have downloaded essential data of company: - Huge amount of files, including: HR,Financial,Accounting,... - Large amounts of personal records of your employees and residents. - about 1TB (!!!) of data! In case if you refuse to cooperate with us, all essential data will be sold or published at dark marketplace. Full details and proofs will be provided in case of contacting us by following emails. [email protected] [email protected] It's just a business. We can help you to quickly recover all your files. We will explain what kind of vulnerability was used to hack your network. If you will not cooperate with us, you will never know how your network was compromised. We guarantee this will happen again. We can decrypt 2 small files (up to 1MB) for free. Send files by email. Register new email account at secure mail service like mailfence, protonmail to be sure that outgoing email not blocked by spam filter. Don't use gmail! WARNING! Don't report to police. They will suspend financial activity of company and negotiation process. �

Emails

[email protected]

Signatures

Rook
Rook is a ransomware which copies from NightSky ransomware.
ransomware rook
Renames multiple (7076) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_zh_CN.jar.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\SUBMIT.JS.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01084_.WMF.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\!nissenvelten!HOW_TO_RESTORE.log	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR32F.GIF.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4.ssl_1.0.0.v20140827-1444.jar.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\!nissenvelten!HOW_TO_RESTORE.log	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00299_.WMF.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Top.accdt.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107712.WMF.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Pushpin.eftx.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\!nissenvelten!HOW_TO_RESTORE.log	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00462_.WMF.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPICCAP.DPV.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04225_.WMF.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00444_.WMF.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN107.XML.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yakutat.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Troll.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_zh_4.4.0.v20140623020002.jar.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\MINUS.GIF.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SegoeChess.ttf.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATWIZ.POC.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Palau.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages.properties.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE.HXS.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_GreenTea.gif.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\validation.js.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107426.WMF.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\!nissenvelten!HOW_TO_RESTORE.log	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01634_.WMF.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL081.XML.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15184_.GIF.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\!nissenvelten!HOW_TO_RESTORE.log	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00603_.WMF.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBOX.DPV.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Default.dotx.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\!nissenvelten!HOW_TO_RESTORE.log	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Regina.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01839_.GIF.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\PersonalMonthlyBudget.xltx.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205466.WMF.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18256_.WMF.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File created	C:\Program Files\Windows NT\Accessories\de-DE\!nissenvelten!HOW_TO_RESTORE.log	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH.HXS.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp.nissenvelten-sjj3hhut	a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe

C:\Users\Admin\AppData\Local\Temp\a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe
"C:\Users\Admin\AppData\Local\Temp\a9238bb7a0c565768ab6478114704dce98c161e82d9f8b59b5989f7a5d1d189e.exe"
1⤵
- Drops file in Program Files directory
PID:2072

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\!nissenvelten!HOW_TO_RESTORE.log
Filesize
1KB

MD5
1ac13e1c2b35dfaf377ceb55e61e5309

SHA1
e53185eee04a0578483054e507d639be2635b4d7

SHA256
72e9a50a52585a25c5529b846cf586946694e46a912a97b526e4a7067ab1d7e6

SHA512
fa702569f13d82d24e78cba21397f0d53281c0a93db7a484bb974f4cb965da23dd4691c7061de6bfd54e40d5d32faa2e8b8af52968191b91f9164f5c7d459fa6

Download Submit
memory/2072-1-0x0000000000B40000-0x0000000000B92000-memory.dmp

Filesize
328KB

Download
memory/2072-0-0x00000000000E0000-0x00000000000F9000-memory.dmp

Filesize
100KB

Download
memory/2072-4251-0x00000000000E0000-0x00000000000F9000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing