Ransomware Spotlight: TargetCompany – Security News

T1190 – Exploit Public-Facing Application
TargetCompany operators take advantage of vulnerable, unmanaged, or misconfigured database servers (in this case Microsoft SQL Server) to gain a foothold on the victim’s network. Based on logs, the Remcos loader is executed via WmiPrvSE.exe, the WMI provider host.

T1059.001 – Command and Scripting Interpreter: PowerShell
The TargetCompany ransomware drops and executes the following file to terminate services and processes:
%User Temp%\Vqstxggumqhfw\kill$.bat

The malware then executes the following PowerShell command. The -enc argument is a base64-encoded UTF-16LE string; this one decodes to Start-Sleep -Seconds 20, a 20-second delay before the routine continues:
%System%\WindowsPowerShell\v1.0\powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==

T1047 – Windows Management Instrumentation
The ransomware is launched from the compromised SQL Server instance, which appears as its parent process:
C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

The wmic.exe "process call create" invocation then creates the following process:

T1059.003 – Command and Scripting Interpreter: Windows Command Shell
TargetCompany then uses command-line tools to alter registry or file data. It drops and executes the following file that contains commands to delete services and terminate processes:
%User Temp%\Dwghpjxmueqxoksh\kill$.bat

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
The ransomware then adds the following Run key entry so that it executes automatically at every user logon:
Qawjvy = %Application Data%\Aabza\Qawjvy.exe

It drops a copy of itself to the following path:
%Application Data%\Jrpnqm\Nyovdlxx.exe

It then adds the following registry entry for persistence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Nyovdlxx = %Application Data%\Jrpnqm\Nyovdlxx.exe

T1574.010 – Hijack Execution Flow: Services File Permissions Weakness
TargetCompany then creates the following processes:
C:\Windows\SysWOW64\cacls.exe cacls

C:\Windows\system32\cmd.exe /g Administrators:f

T1543.003 – Create or Modify System Process: Windows Service
The ransomware also registers and runs the following service, named to look like the Avast antivirus:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avast ImagePath = %Windows%\avast.exe

T1222.001 – Windows File and Directory Permissions Modification
The ransomware modifies file and directory permissions using the following cacls (change access control list) commands. The first command runs without /e, which replaces the existing DACL outright; the rest edit it in place (/e), granting read-only access to Users, Administrators and SYSTEM and denying (/d) the service accounts:

cacls %SystemRoot%\{system32|SysWOW64}\{String} /g Administrators:f

cacls %SystemRoot%\{system32|SysWOW64}\{String} /e /g Users:r

cacls %SystemRoot%\{system32|SysWOW64}\{String} /e /g Administrators:r

cacls %SystemRoot%\{system32|SysWOW64}\{String} /e /d SERVICE

cacls %SystemRoot%\{system32|SysWOW64}\{String} /e /d mssqlserver

cacls %SystemRoot%\{system32|SysWOW64}\{String} /e /d network service

cacls %SystemRoot%\{system32|SysWOW64}\{String} /e /g system:r

cacls %SystemRoot%\{system32|SysWOW64}\{String} /e /d mssql$sqlexpress
In these commands, {String} stands for the following names:
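To reason about what such a cacls sequence leaves behind, it helps to parse the commands rather than grep for "cacls". The following is an added example, not code from the article or the malware: it tokenises cacls command lines the way cacls itself reads them (no /E means the DACL is replaced; /G grants, /D denies, /R revokes; permission letters N R W C F), folds a sequence into a per-principal summary, and flags the pattern seen above (DACL replaced on a %SystemRoot% binary, service accounts denied, SYSTEM left without full control). The target file name "example.exe" is a constructed stand-in for the article's {String} placeholder; the simplifications in the simulation (grants accumulate, a deny is tracked separately because Windows evaluates deny ACEs first) are this example's own.

```python
"""Parse cacls command lines and simulate the resulting DACL intent."""
import re
from dataclasses import dataclass, field

PERMS = {"n": "none", "r": "read", "w": "write", "c": "change", "f": "full"}
SYSTEM_DIRS = ("\\system32\\", "\\syswow64\\")
SERVICE_LIKE = ("service", "network", "network service", "local service")


@dataclass
class CaclsOp:
    target: str
    edit: bool = False                          # /E present: edit in place
    grants: list = field(default_factory=list)  # (principal, perm) from /G or /P
    denies: list = field(default_factory=list)  # principals from /D
    revokes: list = field(default_factory=list) # principals from /R (and /P)


def parse_cacls(cmdline: str):
    """Return a CaclsOp for a cacls command line, or None for anything else."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if len(tokens) < 2 or tokens[0].lower().rsplit("\\", 1)[-1] not in ("cacls", "cacls.exe"):
        return None
    op = CaclsOp(target=tokens[1])
    i = 2
    while i < len(tokens):
        sw = tokens[i].lower()
        i += 1
        # operands up to the next switch; cacls splits on spaces, so an
        # unquoted "network service" is read as two principals
        args = []
        while i < len(tokens) and not tokens[i].startswith("/"):
            args.append(tokens[i])
            i += 1
        if sw == "/e":
            op.edit = True
        elif sw in ("/g", "/p"):
            for a in args:
                if ":" not in a:
                    continue
                principal, _, perm = a.rpartition(":")
                if sw == "/p":                  # /P replaces that user's rights
                    op.revokes.append(principal.lower())
                op.grants.append((principal.lower(), PERMS.get(perm.lower(), "unknown")))
        elif sw == "/d":
            op.denies += [a.lower() for a in args]
        elif sw == "/r":
            op.revokes += [a.lower() for a in args]
        # /t /c /l /m /s take no principals and are ignored here
    return op


def simulate(ops):
    """Fold operations into {principal: {"grant": set, "deny": bool}}."""
    state = {}
    for op in ops:
        if not op.edit:
            state = {}                          # no /E: DACL replaced wholesale
        for p in op.revokes:
            state.pop(p, None)
        for p in op.denies:
            state.setdefault(p, {"grant": set(), "deny": False})["deny"] = True
        for p, perm in op.grants:
            state.setdefault(p, {"grant": set(), "deny": False})["grant"].add(perm)
    return state


def assess(ops):
    """Findings that distinguish this sequence from routine permission changes."""
    state = simulate(ops)
    findings = []
    if any(not op.edit for op in ops):
        findings.append("dacl_replaced")
    if any(d in op.target.lower() for op in ops for d in SYSTEM_DIRS):
        findings.append("system_binary_targeted")
    denied = [p for p, v in state.items() if v["deny"]]
    if any(p in SERVICE_LIKE or p.startswith("mssql") for p in denied):
        findings.append("service_account_denied")
    sysacl = state.get("system", {"grant": set(), "deny": False})
    if "full" not in sysacl["grant"] or sysacl["deny"]:
        findings.append("system_lacks_full_control")
    return findings, state


# The article's sequence with a constructed file name in place of {String}.
TARGET = r"%SystemRoot%\system32\example.exe"
SEQUENCE = [
    f"cacls {TARGET} /g Administrators:f",
    f"cacls {TARGET} /e /g Users:r",
    f"cacls {TARGET} /e /g Administrators:r",
    f"cacls {TARGET} /e /d SERVICE",
    f"cacls {TARGET} /e /d mssqlserver",
    f"cacls {TARGET} /e /d network service",
    f"cacls {TARGET} /e /g system:r",
    f"cacls {TARGET} /e /d mssql$sqlexpress",
]


def analyse_sequence(cmdlines):
    ops = [op for op in map(parse_cacls, cmdlines) if op]
    return assess(ops)


if __name__ == "__main__":
    findings, state = analyse_sequence(SEQUENCE)
    print(findings)
    for p, v in sorted(state.items()):
        print(f"  {p:18} deny={v['deny']} grants={sorted(v['grant'])}")
```

The first command is the important one for a detection rule: a cacls call without /e on anything under %SystemRoot% discards the inherited ACL, which legitimate administration almost never does, and it is what lets the later read-only grant for SYSTEM actually take effect.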


T1036.005 – Masquerading: Match Legitimate Name or Location
The ransomware then drops a copy of itself to the following remote administrative shares, under a file name that mimics the Avast antivirus, for defense evasion:
\\{IP Address}\admin$\avast.exe
\\{IP Address}\c$\avast.exe

T1127.001 – Trusted Developer Utilities Proxy Execution: MSBuild
TargetCompany then injects code into the following process:


T1218 – System Binary Proxy Execution
The ransomware also injects code into the following process:


T1070.004 – Indicator Removal: File Deletion
The ransomware then deletes %User Temp%\Vqstxggumqhfw\kill$.bat after it has terminated and deleted the listed services and processes.

T1562.001 – Impair Defenses: Disable or Modify Tools
Trend Micro Smart Protection Network logs show that some executed indicators of compromise (IOCs) are related to GMER, an anti-rootkit tool whose driver is abused here to impair security software, including the following:



Tagged as PUA.Win32.GMER.YABBI
– Object: $mytemp$\kxldrpog.sysi
These create the following registry key:


T1112 – Modify Registry
TargetCompany then deletes six registry keys under the following path:

Windows NT\CurrentVersion\Image File Execution Options

It also removes the Command Processor AutoRun value (a script that cmd.exe would otherwise run at every start) with the following command:

reg delete “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor” /v “AutoRun” /f

T1620 – Reflective Code Loading
The ransomware connects to the following URL to fetch the encrypted payload, which it loads in memory:


T1070.004 – Indicator Removal: File Deletion
The ransomware attempts to delete itself with the following command, using ping as a short delay so that the executable has exited before del runs:

cmd.exe /c ping {BLOCKED}.{BLOCKED}.0.1 && del “{malware path and name}” >> NUL
It encrypts files and appends the “.avast” extension; other extensions have been used over the ransomware’s evolution since it was first detected.

T1567 – Exfiltration Over Web Service
TargetCompany uses rclone to exfiltrate stolen information over a web service.

T1614.001 – System Location Discovery: System Language Discovery
It is worth noting that TargetCompany does not continue its routine if the User Default Language ID of the system is any of the following:
– Russian (0x419)
– Kazakh (0x43F)
– Belarusian (0x423)
– Ukrainian (0x422)
– Tatar (0x444)

T1049 – System Network Connections Discovery
TargetCompany uses the file HQO.exe to perform network scanning in the infected environment.

T1003.001 – OS Credential Dumping: LSASS Memory
Smart Protection Network logs show remnants linked to the open-source credential-dumping tool Mimikatz:

– SHA1: 45941756c936fd6decf8269fc110562d91bb443d

T1071.001 – Application Layer Protocol: Web Protocols
Connects to the following Remcos download URL:

Connects to the following kill$.bat download URL:

T1570 – Lateral Tool Transfer
TargetCompany threat actors use remote desktop (RDP) to move laterally and stage their tools within the victim’s network.

T1489 – Service Stop
TargetCompany terminates a list of processes and services if found running.

T1486 – Data Encrypted for Impact
The ransomware avoids encrypting files with the following strings in their file path:
– msocache
– $windows.~ws
– system volume information
– intel
– appdata
– perflogs
– programdata
– google
– application data
– tor browser
– boot
– $windows.~bt
– mozilla
– boot
– windows.old
– Windows\Microsoft.NET
– WindowsPowerShell
– Windows NT
– Windows
– Common Files
– Microsoft Security Client
– Internet Explorer
– Reference
– Assemblies
– Windows Defender
– Microsoft ASP.NET
– Core Runtime
– Package
– Store
– Microsoft Help Viewer
– Microsoft MPI
– Windows Kits
– Microsoft.NET
– Windows Mail
– Microsoft Security Client
– Package Store
– Microsoft Analysis Services
– Windows Portable Devices
– Windows Photo Viewer
– Windows Sidebar
It also avoids encrypting files with the following strings in their file name:
– desktop.ini
– ntuser.dat
– thumbs.db
– iconcache.db
– ntuser.ini
– ntldr
– bootfont.bin
– ntuser.dat.log
– bootsect.bak
– boot.ini
– autorun.inf
– debugLog.txt
– MSBuild.exe
Additionally, it avoids encrypting files with the following extensions:
– “.FARGO3”
– “.exploit”
– “.avast”
– “.consultransom”
– “.devicZz”
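The three lists above decide which files are touched, and the way they are matched matters more than their contents: a substring check on the whole path skips far more than the system directories it is aimed at. The following is an added example, not code from the article or the malware, that models the selection with the lists as printed (de-duplicated) and the matching rule as this example's assumption: case-insensitive substring on the full path, exact match on the file name, exact match on the extension. It then triages a few constructed paths to show the over-matching.

```python
"""Model which files TargetCompany's exclusion lists would leave alone."""
import ntpath

# Lists as printed in the article (duplicates removed), lower-cased here.
SKIP_PATH_SUBSTRINGS = [
    "msocache", "$windows.~ws", "system volume information", "intel", "appdata",
    "perflogs", "programdata", "google", "application data", "tor browser", "boot",
    "$windows.~bt", "mozilla", "windows.old", r"windows\microsoft.net",
    "windowspowershell", "windows nt", "windows", "common files",
    "microsoft security client", "internet explorer", "reference", "assemblies",
    "windows defender", "microsoft asp.net", "core runtime", "package", "store",
    "microsoft help viewer", "microsoft mpi", "windows kits", "microsoft.net",
    "windows mail", "package store", "microsoft analysis services",
    "windows portable devices", "windows photo viewer", "windows sidebar",
]
SKIP_FILENAMES = {
    "desktop.ini", "ntuser.dat", "thumbs.db", "iconcache.db", "ntuser.ini", "ntldr",
    "bootfont.bin", "ntuser.dat.log", "bootsect.bak", "boot.ini", "autorun.inf",
    "debuglog.txt", "msbuild.exe",
}
SKIP_EXTENSIONS = {".fargo3", ".exploit", ".avast", ".consultransom", ".deviczz"}


def would_encrypt(path: str):
    """Return (True, reason) for a candidate file, (False, reason) if skipped.

    Matching order and semantics are this example's assumption: the article
    only says the strings are checked against the file path / name / extension.
    """
    lowered = path.lower()
    for needle in SKIP_PATH_SUBSTRINGS:
        if needle in lowered:
            return False, f"path contains '{needle}'"
    name = ntpath.basename(path).lower()
    if name in SKIP_FILENAMES:
        return False, "excluded file name"
    if ntpath.splitext(name)[1] in SKIP_EXTENSIONS:
        return False, "already carries a ransomware extension"
    return True, "candidate for encryption"


def triage(paths):
    """Map each path to its (encrypt?, reason) decision."""
    return {p: would_encrypt(p) for p in paths}


# Constructed paths; the last three show substring over-matching on user data.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\AppData\Roaming\notes.txt",
    r"D:\share\ntuser.dat",
    r"D:\share\budget.xlsx.avast",
    r"C:\Users\alice\Documents\intelligence-report.docx",   # "intel"
    r"E:\backups\restore\db.bak",                            # "store"
    r"D:\Windows Backup\payroll.csv",                        # "windows"
]

if __name__ == "__main__":
    for p, (enc, why) in triage(SAMPLE_PATHS).items():
        print(f"{'ENCRYPT' if enc else 'skip   '}  {p}  ({why})")
```

Two practical consequences follow from the model: a canary file placed under a directory whose path contains one of these substrings will never trip, and files that survived an incident in a folder named, say, "restore" or "intel-briefs" are not evidence that encryption was interrupted.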

T1490 – Inhibit System Recovery
TargetCompany then deletes volume shadow copies and disables Windows recovery options using the following commands:
– vssadmin delete shadows /all /quiet
– cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
– cmd.exe /c bcdedit /set {current} recoveryenabled no
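These three commands, together with the self-deletion and reg delete commands earlier on the page, are the cheapest place to detect this family because they are near-identical across samples. The following is an added example, not part of the Trend Micro article: rules over process-creation records for the vssadmin, bcdedit, ping-then-del and reg delete commands listed on this page, plus a correlation step that raises the score when one parent issues more than one recovery-inhibition command. The events are constructed in the shape of Sysmon Event ID 1 / Windows 4688 fields; the rule names and the correlation threshold are this example's choices, and the 127.0.0.1 in the sample stands in for the address the article redacts.

```python
"""Flag the recovery-inhibition and cleanup commands in process-creation logs."""
import re
from collections import defaultdict

# (ATT&CK technique, rule name, pattern over the CommandLine field)
RULES = [
    ("T1490", "vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("T1490", "bcdedit_recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1070.004", "ping_then_delete_self",
     re.compile(r"\bping\b.*&&\s*del\b", re.I)),
    ("T1112", "cmd_autorun_value_deleted",
     re.compile(r"\breg(?:\.exe)?\s+delete\b.*command processor.*\bautorun\b", re.I)),
]


def match_event(event: dict):
    """All (technique, rule) pairs whose pattern hits the event's command line."""
    cmdline = event.get("CommandLine", "")
    return [(t, name) for t, name, rx in RULES if rx.search(cmdline)]


def scan(events):
    """One alert per (event, rule) hit, keeping the fields needed to correlate."""
    alerts = []
    for ev in events:
        for technique, rule in match_event(ev):
            alerts.append({"pid": ev["ProcessId"], "ppid": ev["ParentProcessId"],
                           "image": ev["Image"], "technique": technique, "rule": rule})
    return alerts


def correlate(alerts):
    """Parents that issued two or more distinct T1490 commands.

    A lone 'vssadmin delete shadows' can be an admin; the vssadmin + bcdedit
    combination from one parent is the sequence the article lists.
    """
    by_parent = defaultdict(set)
    for a in alerts:
        if a["technique"] == "T1490":
            by_parent[a["ppid"]].add(a["rule"])
    return {ppid for ppid, rules in by_parent.items() if len(rules) >= 2}


# Constructed events; pid 50 plays the ransomware process, pid 7 an admin shell.
SAMPLE_EVENTS = [
    {"ProcessId": 101, "ParentProcessId": 50, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ProcessId": 102, "ParentProcessId": 50, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures"},
    {"ProcessId": 103, "ParentProcessId": 50, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c bcdedit /set {current} recoveryenabled no"},
    {"ProcessId": 104, "ParentProcessId": 50, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 && del "C:\Users\Public\sample.exe" >> NUL'},
    {"ProcessId": 105, "ParentProcessId": 50, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f'},
    {"ProcessId": 106, "ParentProcessId": 7, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},              # benign: listing only
    {"ProcessId": 107, "ParentProcessId": 7, "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping 10.0.0.1 -n 4"},                  # benign: no chained del
]

if __name__ == "__main__":
    alerts = scan(SAMPLE_EVENTS)
    for a in alerts:
        print(a)
    print("recovery-inhibition sequence from parent(s):", correlate(alerts))
```

The correlation key is the parent process, not the image: the bcdedit calls arrive wrapped in cmd.exe /c while vssadmin is spawned directly, so matching on the child image alone would split one actor's sequence into unrelated singletons.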

Source: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-targetcompany