Overview

overview

10

Static

static

10

sample.exe

windows7-x64

10

sample.exe

windows10-2004-x64

10

Resubmissions

09-03-2023 23:07

230309-23yxwsaf76 10

15-11-2022 10:46

221115-mvfzsahc5t 9

Analysis

  • max time kernel
    62s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-03-2023 23:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample.exe

  • Size

    2.9MB

  • MD5

    01492156ce8b4034c5b1027130f4cf4e

  • SHA1

    6b0deb67a178fe20e81691133b257df3bafa3006

  • SHA256

    2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f

  • SHA512

    a26e6898ff4546b3357c07b222d05ecd8f631b2f7e939e19cf422f3e78d201de86ff5a3c208f5f52fbe3158a1a8bd71cf957ae52285b9e572088a3fe4363c3f4

  • SSDEEP

    49152:cDVwASOLGtlqrRIU6i9+vazNqQlJZP1BMU2thA8mNtNCiJlrRUFcJ7HIPcLzk+5k:wm+GaNqqJJ12vlZol8cJ7rc

Score
10/10
royalransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\README.TXT

Family

royal

Ransom Note
Hello! If you are reading this, it means that your system were hit by Royal ransomware. Please contact us via : http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion/12345678123456781234567812346578 In the meantime, let us explain this case.It may seem complicated, but it is not! Most likely what happened was that you decided to save some money on your security infrastructure. Alas, as a result your critical data was not only encrypted but also copied from your systems on a secure server. From there it can be published online.Then anyone on the internet from darknet criminals, ACLU journalists, Chinese government(different names for the same thing), and even your employees will be able to see your internal documentation: personal data, HR reviews, internal lawsuitsand complains, financial reports, accounting, intellectual property, and more! Fortunately we got you covered! Royal offers you a unique deal.For a modest royalty(got it; got it ? ) for our pentesting services we will not only provide you with an amazing risk mitigation service, covering you from reputational, legal, financial, regulatory, and insurance risks, but will also provide you with a security review for your systems. To put it simply, your files will be decrypted, your data restoredand kept confidential, and your systems will remain secure. Try Royal today and enter the new era of data security! We are looking to hearing from you soon!
URLs

http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion/12345678123456781234567812346578

Signatures

  • Royal

    Royal is a ransomware first seen in 2022.

    ransomwareroyal
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Drops desktop.ini file(s) 31 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    C:\Users\Admin\AppData\Local\Temp\sample.exe -path C:\ -id 12345678123456781234567812346578
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Windows\System32\vssadmin.exe
      delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:4616
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:788

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\README.TXT
    Filesize

    1KB

    MD5

    54b77c18abf54999d39bd42ff62eee1a

    SHA1

    82623dc9b00051f11eeee19749c963a7413a84e7

    SHA256

    058d36320a6795759849643c65431a5206815dcf38f05df024b020d95820a66a

    SHA512

    d15dbddb590ca1a928d0851176a064c4aba05058dbad9408b4bd846270c467345b25866805ca0a5b186812f851c4aad8368e8836f8d6f767e19abe24072198c6

    Download Submit