Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Rook Ransomware
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Deletes itself after installation
Deletes shadow drive data (may be related to ransomware)
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Checks for available system drives (often done to infect USB drives)
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)