rook | 1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
Size

501KB
MD5

bf55c921b638ddf41a5120c90fe5f211
SHA1

6a96dd8be36381d71eb7dac5f7a053064b546487
SHA256

1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51
SHA512

a3d91c51eb3bd59792f6cca32def989b4d069e489dcb74263f5f629fe300f4074b1a7d8a7a64410d7efc992e1d332108147aa0b2611e0777358749d7adfac166
SSDEEP

12288:bGlEhiu/o/eXUG8nfBG5K92Qg+fgFfwjUKWXNDtn0lF620D4JNuq6JFcP:bGei/mUNaK9259wjU3dt0lF6264JArJs

Score

10^/10

rook ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\!nissenvelten!HOW_TO_RESTORE.log

Family

rook

Ransom Note

Hello! We warned you, but you even didn't replied Forced shutdown of devices can lead to the loss of all data. Do not forcibly disconnect storage volumes from hosts, don't interrupt process. Damaged information cannot be recovered. All data is properly protected against unauthorized access by steady encryption technology. We have downloaded essential data of company: - Huge amount of files, including: HR,Financial,Accounting,... - Large amounts of personal records of your employees and residents. - about 1TB (!!!) of data! In case if you refuse to cooperate with us, all essential data will be sold or published at dark marketplace. Full details and proofs will be provided in case of contacting us by following emails. [email protected] [email protected] It's just a business. We can help you to quickly recover all your files. We will explain what kind of vulnerability was used to hack your network. If you will not cooperate with us, you will never know how your network was compromised. We guarantee this will happen again. We can decrypt 2 small files (up to 1MB) for free. Send files by email. Register new email account at secure mail service like mailfence, protonmail to be sure that outgoing email not blocked by spam filter. Don't use gmail! WARNING! Don't report to police. They will suspend financial activity of company and negotiation process. �

Emails

[email protected]

Signatures

Rook
Rook is a ransomware which copies from NightSky ransomware.
ransomware rook
Renames multiple (7075) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\!nissenvelten!HOW_TO_RESTORE.log	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301432.WMF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\zipfs.jar.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host.jar.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\QRCode.pmp.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\!nissenvelten!HOW_TO_RESTORE.log	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\!nissenvelten!HOW_TO_RESTORE.log	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090783.WMF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02413_.WMF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL016.XML.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\!nissenvelten!HOW_TO_RESTORE.log	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18242_.WMF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR24F.GIF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\!nissenvelten!HOW_TO_RESTORE.log	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Faroe.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Austin.thmx.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Slipstream.eftx.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-views.jar.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\!nissenvelten!HOW_TO_RESTORE.log	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\LATIN1.SHP.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OMML2MML.XSL.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Dawson_Creek.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\common.js.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\!nissenvelten!HOW_TO_RESTORE.log	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\!nissenvelten!HOW_TO_RESTORE.log	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\!nissenvelten!HOW_TO_RESTORE.log	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\!nissenvelten!HOW_TO_RESTORE.log	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\!nissenvelten!HOW_TO_RESTORE.log	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185778.WMF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0230553.WMF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Perspective.eftx.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297551.WMF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR9F.GIF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02097_.WMF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200273.WMF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jni.h.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\PublicFunctions.js.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.properties.src.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Tabs.accdt.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10972_.GIF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CRANE.WMF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234131.WMF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL078.XML.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0278702.WMF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABELHM.POC.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21294_.GIF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293570.WMF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MENU.DPV.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03453_.WMF.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXPTOOWS.XLA.nissenvelten-sjj3hhut	1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe

C:\Users\Admin\AppData\Local\Temp\1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe
"C:\Users\Admin\AppData\Local\Temp\1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51.exe"
1⤵
- Drops file in Program Files directory
PID:2216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\!nissenvelten!HOW_TO_RESTORE.log

Filesize
1KB

MD5
1ac13e1c2b35dfaf377ceb55e61e5309

SHA1
e53185eee04a0578483054e507d639be2635b4d7

SHA256
72e9a50a52585a25c5529b846cf586946694e46a912a97b526e4a7067ab1d7e6

SHA512
fa702569f13d82d24e78cba21397f0d53281c0a93db7a484bb974f4cb965da23dd4691c7061de6bfd54e40d5d32faa2e8b8af52968191b91f9164f5c7d459fa6

Download Submit
memory/2216-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2216-4-0x0000000000330000-0x000000000036F000-memory.dmp

Filesize
252KB

Download
memory/2216-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2216-8-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2216-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2216-7-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2216-6-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2216-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2216-5-0x0000000000401000-0x000000000043C000-memory.dmp

Filesize
236KB

Download
memory/2216-5685-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2216-8575-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2216-8577-0x0000000000401000-0x000000000043C000-memory.dmp

Filesize
236KB

Download
memory/2216-8576-0x0000000000330000-0x000000000036F000-memory.dmp

Filesize
252KB

Download