Resubmissions
09-03-2023 23:09 | 230309-244jrsaf79 | 10
09-03-2023 23:06 | 230309-23pdfscd4v | 10
12-10-2022 19:46 | 221012-ygzqhsaabj | 9
Analysis
max time kernel: 151s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-03-2023 23:09
Behavioral task behavioral1: Sample avi.exe, Resource win7-20230220-en
Behavioral task behavioral2: Sample avi.exe, Resource win10v2004-20230221-en
General
Target: avi.exe
Size: 2.9MB
MD5: df0b88dafe7a65295f99e69a67db9e1b
SHA1: db3163a09eb33ff4370ad162a05f4b2584a20456
SHA256: f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429
SHA512: 2206969d222882dd8b7e3e5671311462266277d699e08e3016a7b3781b17390e8dd11956d8aaecae996a2c16227d7b2390eb84b9b8df26e39ffe8f38d5b76fbd
SSDEEP: 49152:cDVwASOLGtlqrRIU6i9+vazNqQlJZP1BMU2thA8mNtNCiJlrRUFcJ7HIPcLzkw5c:wm+GaNqqJJ12vlZol8cJ7rc3
Malware Config
Extracted from: C:\Program Files (x86)\README.TXT
Family: royal
URL: http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion/12345678123456781234567812346578
Signatures
-
Royal
Royal is a ransomware first seen in 2022.
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\ConvertConnect.png => C:\Users\Admin\Pictures\ConvertConnect.png.royal | avi.exe
File renamed | C:\Users\Admin\Pictures\CompareUpdate.png => C:\Users\Admin\Pictures\CompareUpdate.png.royal | avi.exe
File renamed | C:\Users\Admin\Pictures\DisconnectApprove.tiff => C:\Users\Admin\Pictures\DisconnectApprove.tiff.royal | avi.exe
File renamed | C:\Users\Admin\Pictures\GroupTest.crw => C:\Users\Admin\Pictures\GroupTest.crw.royal | avi.exe
File renamed | C:\Users\Admin\Pictures\ReceiveCheckpoint.raw => C:\Users\Admin\Pictures\ReceiveCheckpoint.raw.royal | avi.exe
File renamed | C:\Users\Admin\Pictures\SearchAdd.tif => C:\Users\Admin\Pictures\SearchAdd.tif.royal | avi.exe
File renamed | C:\Users\Admin\Pictures\BlockWait.raw => C:\Users\Admin\Pictures\BlockWait.raw.royal | avi.exe
File opened for modification | C:\Users\Admin\Pictures\DisconnectApprove.tiff | avi.exe
-
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\README.TXT | avi.exe
-
Drops desktop.ini file(s) (28 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\Documents\desktop.ini | avi.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | avi.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | avi.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | avi.exe
File opened for modification | C:\Program Files\desktop.ini | avi.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | avi.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | avi.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | avi.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | avi.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | avi.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | avi.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | avi.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | avi.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | avi.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | avi.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | avi.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | avi.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | avi.exe
File opened for modification | C:\Users\Public\desktop.ini | avi.exe
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | avi.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | avi.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | avi.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | avi.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | avi.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | avi.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | avi.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | avi.exe
-
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALAB.TTF | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\README.TXT | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\README.TXT | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\README.TXT | avi.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\COPYING.txt | avi.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\README.TXT | avi.exe
File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\README.TXT | avi.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\README.TXT | avi.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-il\README.TXT | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms | avi.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ja\README.TXT | avi.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\README.TXT | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ar-ae\README.TXT | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\README.TXT | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\he-il\README.TXT | avi.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\README.TXT | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\README.TXT | avi.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\preloaded_data.pb | avi.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms | avi.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\README.TXT | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\README.TXT | avi.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\README.TXT | avi.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms | avi.exe
File created | C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\README.TXT | avi.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README.TXT | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\README.TXT | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN081.XML | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\README.TXT | avi.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml | avi.exe
File created | C:\Program Files (x86)\Common Files\Java\README.TXT | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms | avi.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\vlc.mo | avi.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt | avi.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ast\README.TXT | avi.exe
File created | C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\README.TXT | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nb-no\README.TXT | avi.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | avi.exe
File created | C:\Program Files\Microsoft Office\root\vfs\README.TXT | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms | avi.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\README.TXT | avi.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-oob.xrm-ms | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR | avi.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\README.TXT | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\README.TXT | avi.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\README.TXT | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\README.TXT | avi.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository_2.3.0.v20131211-1531.jar | avi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\README.TXT | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.tree.dat | avi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL | avi.exe
-
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1032 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2344 | avi.exe (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 980 | vssvc.exe
Token: SeRestorePrivilege | 980 | vssvc.exe
Token: SeAuditPrivilege | 980 | vssvc.exe
-
Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 2344 wrote to memory of 1032 | 2344 | avi.exe | 86
PID 2344 wrote to memory of 1032 | 2344 | avi.exe | 86
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\avi.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\avi.exe -path C:\ -id 12345678123456781234567812346578
  - Modifies extensions of user files
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2344
  - C:\Windows\System32\vssadmin.exe
    Command line: delete shadows /all /quiet
    - Interacts with shadow copies
    PID: 1032
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 980
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: 54b77c18abf54999d39bd42ff62eee1a
SHA1: 82623dc9b00051f11eeee19749c963a7413a84e7
SHA256: 058d36320a6795759849643c65431a5206815dcf38f05df024b020d95820a66a
SHA512: d15dbddb590ca1a928d0851176a064c4aba05058dbad9408b4bd846270c467345b25866805ca0a5b186812f851c4aad8368e8836f8d6f767e19abe24072198c6