Windows
Analysis Report
ZunmmW7pe5.exe
Overview
General Information
Detection
Rook
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Rook Ransomware
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Deletes itself after installation
Deletes shadow drive data (may be related to ransomware)
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Checks for available system drives (often done to infect USB drives)
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Classification
- System is start
- ZunmmW7pe5.exe (PID: 8072 cmdline: "C:\Users\user\Desktop\ZunmmW7pe5.exe" MD5: 6D87BE9212A1A0E92E58E1ED94C589F9)
- conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
- cmd.exe (PID: 7756 cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet MD5: 9D59442313565C2E0860B88BF32B2277)
- conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
- vssadmin.exe (PID: 8152 cmdline: vssadmin.exe delete shadows /all /quiet MD5: 02A10DBF904883B1F8EE9F3CC70F5EB8)
- cleanup
{"Ransom Note": "-----------Welcome. Again. --------------------\r\n[+]Whats Happen?[+]\r\n\r\nYour files are encrypted,and currently unavailable. You can check it: all files on you computer has expansion robet.\r\n\r\nBy the way,everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).\r\n\r\n[+] What guarantees?[+]\r\n\r\nIts just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.\r\n\r\nTo check the file capacity, please send 3 files not larger than 1M to us, and we will prove that we are capable of restoring.\r\n\r\nIf you will not cooperate with our service - for us, its does not matter. But you will lose your time and data,cause just we have the private key. In practise - time is much more valuable than money.\r\n\r\nIf we find that a security vendor or law enforcement agency pretends to be you to negotiate with us, we will directly destroy the private key and no longer provide you with decryption services.\r\n\r\nYou have 3 days to contact us for negotiation. Within 3 days, we will provide a 50% discount. If the discount service is not provided for more than 3 days, the files will be leaked to our onion network. Every more than 3 days will increase the number of leaked files.\r\n\r\nPlease use the company email to contact us, otherwise we will not reply.\r\n\r\n[+] How to get access on website?[+] \r\n\r\nYou have two ways:\r\n\r\n1) [Recommended] Using a TOR browser!\r\n\ta) Download and install TOR browser from this site:https://torproject.org/\n\tb) Open our website:gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion\r\n\r\n2) Our mail box:\r\n\ta)rook@onionmail.org\r\n\tb)securityRook@onionmail.org\r\n\tc)If the mailbox fails or is taken over, please open Onion Network to check the new mailbox\r\n------------------------------------------------------------------------------------------------\r\n!!!DANGER!!!\r\nDONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.\r\n!!!!!!!\r\n\r\nAGAIN: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, please should not interfere.\r\n!!!!!!!\r\n\r\nONE MORE TIME: Security vendors and law enforcement agencies, please be aware that attacks on us will make us even stronger.\r\n\r\n!!!!!!!\r\n"}
Source | Rule | Description | Author | Strings
---|---|---|---|---
| MALWARE_Win_Babuk | Detects Babuk ransomware | ditekSHen |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_Rook | Yara detected Rook Ransomware | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| MALWARE_Win_Babuk | Detects Babuk ransomware | ditekSHen |
| MALWARE_Win_Babuk | Detects Babuk ransomware | ditekSHen |
No Sigma rule has matched
No Snort rule has matched
AV Detection
Source: Avira:
Source: Malware Configuration Extractor: