Ransomware Spotlight: TargetCompany – Security News

T1190 – Exploit Public-Facing Application
Malware actors take advantage of vulnerable, unmanaged, or misconfigured database servers to gain a foothold on the victim's network. Based on logs, the malware executes the Remcos loader via WmiPrvSE.exe.

T1059.001 – Command and Scripting Interpreter: PowerShell
The TargetCompany ransomware drops and executes the following file to terminate services and processes:
%User Temp%\Vqstxggumqhfw\kill$.bat

The malware then executes the following PowerShell command:
%System%\WindowsPowerShell\v1.0\powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==

T1047 – Windows Management Instrumentation
The ransomware runs the parent process:
C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

The wmic.exe process call then creates the following process:
C:\Users\MSSQL$~1\AppData\Local\Temp\V70SP8HC.exe

T1059.003 – Command and Scripting Interpreter: Windows Command Shell
TargetCompany then uses command-line tools to alter registry or file data. It drops and executes the following file that contains commands to delete services and terminate processes:
%User Temp%\Dwghpjxmueqxoksh\kill$.bat

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
The ransomware then creates an autostart registry key and adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Qawjvy = %Application Data%\Aabza\Qawjvy.exe

It drops a copy of itself to the following location:
%Application Data%\Jrpnqm\Nyovdlxx.exe

It then adds the following unknown macro registry key for persistence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Nyovdlxx = %Application Data%\Jrpnqm\Nyovdlxx.exe

T1574.010 – Hijack Execution Flow: Services File Permissions Weakness
TargetCompany then creates the following processes:
C:\Windows\SysWOW64\cacls.exe cacls

C:\Windows\system32\cmd.exe /g Administrators:f

T1543.003 – Create or Modify System Process: Windows Service
The ransomware also adds and runs the following service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avast
ImagePath = %Windows%\avast.exe

T1222.001 – Windows File and Directory Permissions Modification
The ransomware modifies file and directory permissions using the following change access control list (cacls) commands:

cacls %SystemRoot%\{system32|SysWOW64}\{String} /g Administrators:f
cacls %SystemRoot%\{system32|SysWOW64}\{String} /e /g Users:r
cacls %SystemRoot%\{system32|SysWOW64}\{String} /e /g Administrators:r
cacls %SystemRoot%\{system32|SysWOW64}\{String} /e /d SERVICE
cacls %SystemRoot%\{system32|SysWOW64}\{String} /e /d mssqlserver
cacls %SystemRoot%\{system32|SysWOW64}\{String} /e /d network service
cacls %SystemRoot%\{system32|SysWOW64}\{String} /e /g system:r
cacls %SystemRoot%\{system32|SysWOW64}\{String} /e /d mssql$sqlexpress

In these modifications, {String} (the "unknown macro") stands for any of the following binaries:

cmd.exe
net.exe
net1.exe
mshta.exe
FTP.exe
wscript.exe
cscript.exe
WindowsPowerShell\v1.0\powershell.exe

T1036.005 – Masquerading: Match Legitimate Name or Location
The ransomware then drops its own copy to the following directories for defense evasion:
%Windows%\avast.exe
\\{IP Address}\admin$\avast.exe
\\{IP Address}\c$\avast.exe

T1127.001 – Trusted Developer Utilities Proxy Execution: MSBuild
TargetCompany then injects code into the following process:

%Windows%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

T1218 – System Binary Proxy Execution
The ransomware also injects code into the following process:

%Windows%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

T1070.004 – Indicator Removal on Host
The ransomware then deletes %User Temp%\Vqstxggumqhfw\kill$.bat after terminating and deleting services/processes.

T1562.001 – Impair Defenses: Disable or Modify Tools
Trend Micro Smart Protection Network logs show that some executed indicators of compromise (IOCs) are related to GMER, including the following:
– $myuserprofile$\desktop\911.exe
– SHA1: 539c228b6b332f5aa523e5ce358c16647d8bbe57
– Tagged as PUA.Win32.GMER.YABBI
– Object: $mytemp$\kxldrpog.sysi

These create the following registry key:

hklm\system\currentcontrolset\services\kxldrpog

T1112 – Modify Registry
TargetCompany then deletes the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Raccine
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Raccine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbadmin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\diskshadow.exe

The registry keys above are deleted using the following command:

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f

T1620 – Reflective Code Loading
The ransomware connects to the following link to load the encrypted payload:

http://{BLOCKED}.{BLOCKED}.44.142/arx-Kbcmvm_Rrkpioky.jpg

T1070.004 – Indicator Removal: File Deletion
The ransomware attempts to delete itself through the following process:

cmd.exe /c ping {BLOCKED}.{BLOCKED}.0.1 && del "{malware path and name}" >> NUL

It encrypts files and appends the ".avast" file extension, among other extensions it has used in the ransomware's evolution since it was first detected.

T1567 – Exfiltration Over Web Service
Royal uses rclone to exfiltrate stolen information over web service.

T1082 – System Language Discovery
It is worth noting that TargetCompany does not continue its routine if the User Default Language ID of the system is any of the following:
– Russian (0x419)
– Kazakh (0x43F)
– Belarusian (0x423)
– Ukrainian (0x422)
– Tatar (0x444)

T1049 – System Network Connections Discovery
TargetCompany uses the file HQO.exe that performs network scanning in the infected environment.

T1003.001 – OS Credential Dumping: LSASS Memory
Smart Protection Network logs show remnants linked to the open-source credential-dumping program Mimikatz:

– C:\Users\Administrator\Desktop\Result.txt
– SHA1: 45941756c936fd6decf8269fc110562d91bb443d
– Detection: HS_MIMIKATZLOG.SM

T1071.001 – Application Layer Protocol: Web Protocols
Connects to the following Remcos download URL:
80[.]66[.]75[.]25/pl-Thjct_Rfxmtgam[.]bmp

Connects to the following kill$ download URL:
80[.]66[.]75[.]25:80/kill$[.]exe

T1570 – Lateral Tool Transfer
TargetCompany threat actors use RCE via remote desktop to move laterally within their victim’s network.

T1489 – Service Stop
TargetCompany terminates a list of processes and services if found running.

T1486 – Data Encrypted
The ransomware avoids encrypting files with the following strings in their file path:
– msocache
– $windows.~ws
– system volume information
– intel
– appdata
– perflogs
– programdata
– google
– application data
– tor browser
– boot
– $windows.~bt
– mozilla
– boot
– windows.old
– Windows Microsoft.NET
– WindowsPowerShell
– Windows NT
– Windows
– Common Files
– Microsoft Security Client
– Internet Explorer
– Reference
– Assemblies
– Windows Defender
– Microsoft ASP.NET
– Core Runtime
– Package
– Store
– Microsoft Help Viewer
– Microsoft MPI
– Windows Kits
– Microsoft.NET
– Windows Mail
– Microsoft Security Client
– Package Store
– Microsoft Analysis Services
– Windows Portable Devices
– Windows Photo Viewer
– Windows Sidebar
 
It also avoids encrypting files with the following strings in their file name:
– desktop.ini
– ntuser.dat
– thumbs.db
– iconcache.db
– ntuser.ini
– ntldr
– bootfont.bin
– ntuser.dat.log
– bootsect.bak
– boot.ini
– autorun.inf
– debugLog.txt
– MSBuild.exe
– RECOVERY FILES.txt
 
Additionally, it avoids encrypting files with the following extensions:
– “.FARGO3”
– “.MALLOX”
– “.exploit”
– “.avast”
– “.consultransom”
– “.devicZz”

T1490 – Inhibit System Recovery
TargetCompany then deletes volume shadow copies using the following commands:
– vssadmin delete shadows /all /quiet
– cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
– cmd.exe /c bcdedit /set {current} recoveryenabled no
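
The cacls, reg delete, vssadmin and bcdedit commands listed under T1222.001, T1112 and T1490 are specific enough to match on process-creation telemetry (Sysmon event 1 or Security 4688 CommandLine fields). The following Python rules are an added example, not code from the report or from Trend Micro, and they run here over constructed command lines that fill in the report's placeholders, not over real logs.

```python
import re

# Each rule: (ATT&CK technique ID, short name, pattern over the CommandLine field).
RULES = [
    # cacls granting/denying ACLs on the system binaries named in the report
    ("T1222.001", "cacls on system binary", re.compile(
        r"(?i)\bcacls(?:\.exe)?\s+\S*?\\(?:system32|syswow64)\\"
        r"(?:windowspowershell\\v1\.0\\)?(?:cmd|net1?|mshta|ftp|wscript|cscript|powershell)\.exe"
        r".*?\s/(?:e\s+/)?(?:g\s+\S+:[fr]|d\s+\S+)")),
    # shadow copy deletion
    ("T1490", "vssadmin delete shadows", re.compile(
        r"(?i)\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    # boot configuration changes that disable automatic recovery
    ("T1490", "bcdedit recovery off", re.compile(
        r"(?i)\bbcdedit(?:\.exe)?\s+/set\b.*?\b(?:bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)\b")),
    # removal of the Raccine, IFEO and Command Processor AutoRun keys
    ("T1112", "reg delete of protective keys", re.compile(
        r'(?i)\breg(?:\.exe)?\s+delete\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\'
        r"(?:SOFTWARE\\Raccine|SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
        r"|SOFTWARE\\Microsoft\\Command Processor)\b")),
]


def match_rules(cmdline: str) -> list:
    """Return the sorted, de-duplicated technique IDs whose rule matches the line."""
    return sorted({tid for tid, _name, rx in RULES if rx.search(cmdline)})


def scan(cmdlines: list) -> dict:
    """Map every command line to the techniques it triggers (empty list = no hit)."""
    return {line: match_rules(line) for line in cmdlines}


# Constructed sample telemetry: the report's commands with placeholders filled in,
# plus two benign lines that must not fire.
SAMPLE = [
    r"cacls C:\Windows\system32\cmd.exe /e /d SERVICE",
    r"cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f",
    r"vssadmin delete shadows /all /quiet",
    r"cmd.exe /c bcdedit /set {current} recoveryenabled no",
    r'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f',
    r"cacls C:\Users\alice\report.docx /e /g alice:r",
    r"vssadmin list shadows",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE).items():
        print(f"{hits or '-'}  {line}")
```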

Source: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-targetcompany