royal | 2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f

General

Target

sample.exe
Size

2.9MB
MD5

01492156ce8b4034c5b1027130f4cf4e
SHA1

6b0deb67a178fe20e81691133b257df3bafa3006
SHA256

2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f
SHA512

a26e6898ff4546b3357c07b222d05ecd8f631b2f7e939e19cf422f3e78d201de86ff5a3c208f5f52fbe3158a1a8bd71cf957ae52285b9e572088a3fe4363c3f4
SSDEEP

49152:cDVwASOLGtlqrRIU6i9+vazNqQlJZP1BMU2thA8mNtNCiJlrRUFcJ7HIPcLzk+5k:wm+GaNqqJJ12vlZol8cJ7rc

Score

10^/10

royal ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\README.TXT

Family

royal

Ransom Note

Hello! If you are reading this, it means that your system were hit by Royal ransomware. Please contact us via : http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion/12345678123456781234567812346578 In the meantime, let us explain this case.It may seem complicated, but it is not! Most likely what happened was that you decided to save some money on your security infrastructure. Alas, as a result your critical data was not only encrypted but also copied from your systems on a secure server. From there it can be published online.Then anyone on the internet from darknet criminals, ACLU journalists, Chinese government(different names for the same thing), and even your employees will be able to see your internal documentation: personal data, HR reviews, internal lawsuitsand complains, financial reports, accounting, intellectual property, and more! Fortunately we got you covered! Royal offers you a unique deal.For a modest royalty(got it; got it ? ) for our pentesting services we will not only provide you with an amazing risk mitigation service, covering you from reputational, legal, financial, regulatory, and insurance risks, but will also provide you with a security review for your systems. To put it simply, your files will be decrypted, your data restoredand kept confidential, and your systems will remain secure. Try Royal today and enter the new era of data security! We are looking to hearing from you soon!

URLs

http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion/12345678123456781234567812346578

Signatures

Royal
Royal is a ransomware first seen in 2022.
ransomware royal
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\PublishExit.crw => C:\Users\Admin\Pictures\PublishExit.crw.royal	sample.exe
File renamed	C:\Users\Admin\Pictures\JoinShow.crw => C:\Users\Admin\Pictures\JoinShow.crw.royal	sample.exe
File renamed	C:\Users\Admin\Pictures\SkipOut.tif => C:\Users\Admin\Pictures\SkipOut.tif.royal	sample.exe
File renamed	C:\Users\Admin\Pictures\RestartSubmit.tiff => C:\Users\Admin\Pictures\RestartSubmit.tiff.royal	sample.exe
File renamed	C:\Users\Admin\Pictures\CheckpointShow.tiff => C:\Users\Admin\Pictures\CheckpointShow.tiff.royal	sample.exe
File renamed	C:\Users\Admin\Pictures\ExitStart.tif => C:\Users\Admin\Pictures\ExitStart.tif.royal	sample.exe
File renamed	C:\Users\Admin\Pictures\FormatRevoke.raw => C:\Users\Admin\Pictures\FormatRevoke.raw.royal	sample.exe
File renamed	C:\Users\Admin\Pictures\InitializeClear.crw => C:\Users\Admin\Pictures\InitializeClear.crw.royal	sample.exe
File opened for modification	C:\Users\Admin\Pictures\RestartSubmit.tiff	sample.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointShow.tiff	sample.exe

Drops desktop.ini file(s) 31 IoCs

Processes:

sample.exe

description	ioc	process
File opened for modification	C:\Users\Public\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	sample.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	sample.exe
File opened for modification	C:\Program Files\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

sample.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL065.XML	sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\adcjavas.inc	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BOATINST.WMF	sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\STUBBY1.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\CollectSignatures_Sign.xsn	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PULLQUOTEBB.DPV	sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\README.TXT	sample.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\README.TXT	sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152722.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LETTHEAD.XML	sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01173_.WMF	sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ACTIP10.HLP	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPQUOT.DPV	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_03.MID	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01294_.GIF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBRPH1.POC	sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105266.WMF	sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285808.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287417.WMF	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png	sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03795_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB5A.BDR	sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\README.TXT	sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01046J.JPG	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09664_.WMF	sample.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00768_.WMF	sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\README.TXT	sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0090386.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNoteNames.gpd	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.DE.XML	sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107288.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WNTER_01.MID	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml	sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\README.TXT	sample.exe
File created	C:\Program Files\Java\jre7\lib\security\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251871.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBWZINT.REST.IDX_DLL	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BORDERBB.POC	sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\README.TXT	sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239965.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251301.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEB11.POC	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadata.xsd	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00084_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL110.XML	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGLOGO.DPV	sample.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

840 vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1348 NOTEPAD.EXE

pid	process
840	vssadmin.exe

pid	process
1348	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sample.exe

pid	process
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe
1304	sample.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 932 vssvc.exe
Token: SeRestorePrivilege 932 vssvc.exe
Token: SeAuditPrivilege 932 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	932	vssvc.exe
Token: SeRestorePrivilege	932	vssvc.exe
Token: SeAuditPrivilege	932	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

sample.exe

description	pid	process	target process
PID 1304 wrote to memory of 840	1304	sample.exe	vssadmin.exe
PID 1304 wrote to memory of 840	1304	sample.exe	vssadmin.exe
PID 1304 wrote to memory of 840	1304	sample.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\sample.exe
C:\Users\Admin\AppData\Local\Temp\sample.exe -path C:\ -id 12345678123456781234567812346578
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\System32\vssadmin.exe
delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.TXT
1⤵
- Opens file in notepad (likely ransom note)
PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\README.TXT

Filesize
1KB

MD5
54b77c18abf54999d39bd42ff62eee1a

SHA1
82623dc9b00051f11eeee19749c963a7413a84e7

SHA256
058d36320a6795759849643c65431a5206815dcf38f05df024b020d95820a66a

SHA512
d15dbddb590ca1a928d0851176a064c4aba05058dbad9408b4bd846270c467345b25866805ca0a5b186812f851c4aad8368e8836f8d6f767e19abe24072198c6

Download Submit
C:\Users\Admin\Desktop\README.TXT

Filesize
1KB

MD5
54b77c18abf54999d39bd42ff62eee1a

SHA1
82623dc9b00051f11eeee19749c963a7413a84e7

SHA256
058d36320a6795759849643c65431a5206815dcf38f05df024b020d95820a66a

SHA512
d15dbddb590ca1a928d0851176a064c4aba05058dbad9408b4bd846270c467345b25866805ca0a5b186812f851c4aad8368e8836f8d6f767e19abe24072198c6

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads