Resubmissions
- 09/03/2023, 23:09  230309-244jrsaf79  10
- 09/03/2023, 23:06  230309-23pdfscd4v  10
- 12/10/2022, 19:46  221012-ygzqhsaabj  9
Analysis
- max time kernel: 77s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 09/03/2023, 23:06
Behavioral task behavioral1
- Sample: avi.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: avi.exe
- Resource: win10v2004-20230220-en
General
- Target: avi.exe
- Size: 2.9MB
- MD5: df0b88dafe7a65295f99e69a67db9e1b
- SHA1: db3163a09eb33ff4370ad162a05f4b2584a20456
- SHA256: f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429
- SHA512: 2206969d222882dd8b7e3e5671311462266277d699e08e3016a7b3781b17390e8dd11956d8aaecae996a2c16227d7b2390eb84b9b8df26e39ffe8f38d5b76fbd
- SSDEEP: 49152:cDVwASOLGtlqrRIU6i9+vazNqQlJZP1BMU2thA8mNtNCiJlrRUFcJ7HIPcLzkw5c:wm+GaNqqJJ12vlZol8cJ7rc3
Malware Config
Extracted from: C:\Program Files (x86)\README.TXT
- Family: royal
- URL: http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion/12345678123456781234567812346578
Signatures
- Royal
  Royal is a ransomware first seen in 2022.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description / ioc / process:
  - File renamed: C:\Users\Admin\Pictures\ExportBlock.png => C:\Users\Admin\Pictures\ExportBlock.png.royal (avi.exe)
  - File renamed: C:\Users\Admin\Pictures\PopMerge.png => C:\Users\Admin\Pictures\PopMerge.png.royal (avi.exe)
  - File opened for modification: C:\Users\Admin\Pictures\RestartSave.tiff (avi.exe)
  - File renamed: C:\Users\Admin\Pictures\ShowOpen.png => C:\Users\Admin\Pictures\ShowOpen.png.royal (avi.exe)
  - File renamed: C:\Users\Admin\Pictures\StartLock.png => C:\Users\Admin\Pictures\StartLock.png.royal (avi.exe)
  - File renamed: C:\Users\Admin\Pictures\UnlockBlock.raw => C:\Users\Admin\Pictures\UnlockBlock.raw.royal (avi.exe)
  - File renamed: C:\Users\Admin\Pictures\ExitSplit.raw => C:\Users\Admin\Pictures\ExitSplit.raw.royal (avi.exe)
  - File renamed: C:\Users\Admin\Pictures\JoinOut.tif => C:\Users\Admin\Pictures\JoinOut.tif.royal (avi.exe)
  - File renamed: C:\Users\Admin\Pictures\RestartSave.tiff => C:\Users\Admin\Pictures\RestartSave.tiff.royal (avi.exe)
  - File renamed: C:\Users\Admin\Pictures\UndoOpen.png => C:\Users\Admin\Pictures\UndoOpen.png.royal (avi.exe)
- Drops desktop.ini file(s) (46 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid / process: 1408 vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description / pid / process:
  - Token: SeBackupPrivilege, 472, vssvc.exe
  - Token: SeRestorePrivilege, 472, vssvc.exe
  - Token: SeAuditPrivilege, 472, vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / process / procid_target:
  - PID 632 wrote to memory of 1408, 632, avi.exe, 27
  - PID 632 wrote to memory of 1408, 632, avi.exe, 27
  - PID 632 wrote to memory of 1408, 632, avi.exe, 27
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\avi.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\avi.exe -path C:\ -id 12345678123456781234567812346578
  PID: 632
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\vssadmin.exe (child of PID 632)
    Command line: delete shadows /all /quiet
    PID: 1408
    - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 472
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 54b77c18abf54999d39bd42ff62eee1a
  SHA1: 82623dc9b00051f11eeee19749c963a7413a84e7
  SHA256: 058d36320a6795759849643c65431a5206815dcf38f05df024b020d95820a66a
  SHA512: d15dbddb590ca1a928d0851176a064c4aba05058dbad9408b4bd846270c467345b25866805ca0a5b186812f851c4aad8368e8836f8d6f767e19abe24072198c6