Keypoints
- .tprc is a .NET-based ransomware that stores a malicious PE in a resource named “TC0412.properties” and extracts it at runtime.
- The loader creates RegAsm.exe in suspended mode and injects the extracted TC0412 PE into that process for execution.
- The payload attempts a C2 connection and, if reachable, proceeds to traverse %USERPROFILE% using NtQueryDirectoryFile to locate files matching a specific inclusion list for encryption.
- Files are encrypted using an AES-based routine that processes 16-byte blocks, then appends a 48-byte data blob to each encrypted file and renames them with the .tprc extension.
- The malware drops a ransom note named “!Restore.txt”, sets a custom wallpaper, deletes shadow copies using “wmic.exe shadow copy delete”, and establishes persistence via Run registry key and a PowerShell script executed with -ep bypass.
MITRE Techniques
- [T1055] Process Injection – Injects the malicious PE into a created RegAsm.exe process started in suspended mode (‘creates the RegAsm.exe process in suspend mode to inject the ‘TC0412’ malicious PE file’).
- [T1218] Signed Binary Proxy Execution – Uses the legitimate RegAsm.exe binary as the host for injected code (‘injects its malicious payload into host’s regasm.exe’).
- [T1071] Command and Control – Attempts network communication to a domain for C2 activity (‘tries to connect to the network of the domain given in Fig 3.’).
- [T1083] File and Directory Discovery – Traverses the filesystem with NtQueryDirectoryFile and checks file extensions against an inclusion list (‘By using NtQueryDirectoryFile API, it traverses through the file system, it checks if the file extension is in the inclusion list’).
- [T1486] Data Encrypted for Impact – Encrypts user files using AES, appends a 48-byte blob used for decryption, and changes file extensions to .tprc (‘writes at the end of every encrypted file, a data which is size of 48 bytes … changes the extension of encrypted file to .tprc’).
- [T1490] Inhibit System Recovery – Deletes shadow copies via wmic to prevent recovery (‘deleting shadow copy using command ‘wmic.exe shadow copy delete’’).
- [T1547.001] Registry Run Keys/Startup Folder – Establishes persistence by setting a Run registry value pointing to a dropped executable (‘sets the registry value of “Software\Microsoft\Windows\CurrentVersion\Run” for the location of “C:\ProgramData\0aaaa.exe”’).
- [T1059.001] PowerShell – Uses PowerShell with execution policy bypass to run a persisted script (‘PowerShell command “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass %s” where the location for script was “C:\ProgramData\0aaaa.ps1”’).
Indicators of Compromise
- [Hash] Ransomware sample – 96CE6FB0513AC8F9DBCE153F362D6C7D (detection: Ransomware (005a7a3d1)).
- [File names] Malicious resources and artifacts – TC0412.properties (embedded resource), TC0412 (extracted PE), !Restore.txt (ransom note), and 0aaaa.exe / 0aaaa.ps1 used for persistence.
- [File extension] Encrypted files – .tprc (extension appended to encrypted files).
- [Registry] Persistence key – Software\Microsoft\Windows\CurrentVersion\Run set to C:\ProgramData\0aaaa.exe (persistence indicator).
The malware is a .NET loader that contains a PE payload in its resources (TC0412.properties). At runtime it extracts that PE, spawns RegAsm.exe in suspended mode, writes the PE into the host process memory, and resumes execution to run the injected payload. The payload attempts to reach a C2 domain before proceeding; if reachable it continues, otherwise it may exit early.
Once active, the ransomware enumerates files under %USERPROFILE% using NtQueryDirectoryFile and compares file extensions against a hardcoded inclusion list (e.g., .doc/.docx/.xls/.xlsx/.ppt/.pptx/.pdf/.jpg/.png/.zip/.rar/.7z/.txt/.log/.mp4/.mp3/.wav/.psd/.dwg). For each matching file it reads the contents, runs an AES-based encryption routine on 16-byte blocks (using an S-box/key expansion observed in the binary), writes the encrypted content back, appends a 48-byte blob to the file (likely containing decryption metadata), and renames the file with a .tprc extension. After encrypting files it drops a ransom note named “!Restore.txt”, sets the desktop wallpaper (wp.png), and attempts to remove backups/shadow copies via “wmic.exe shadow copy delete”.
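A triage routine for the encrypted-file artifacts described above, as an added example (not code from the K7 Labs report or from the malware): it walks a directory tree, collects every file carrying the .tprc extension, recovers the original name, reads and hashes the trailing 48-byte blob, and records where ransom notes were dropped. The 16-byte alignment check and the count of distinct trailers are analyst heuristics assumed here (a per-file key blob would differ from file to file, a static blob would not); the sample tree is constructed inline for the demonstration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

TRAILER_LEN = 48          # size of the blob the ransomware appends to every encrypted file
ENCRYPTED_EXT = ".tprc"   # extension added to encrypted files
NOTE_NAME = "!Restore.txt"
AES_BLOCK = 16            # the encryption routine works on 16-byte blocks


@dataclass
class EncryptedArtifact:
    path: str
    original_name: str        # file name with the .tprc suffix removed
    size: int
    trailer_sha256: str       # hash of the trailing 48-byte blob (keeps the blob itself out of reports)
    body_block_aligned: bool  # heuristic (assumption): ciphertext length is a multiple of 16


def inspect_encrypted_file(path: str):
    """Return an EncryptedArtifact for one .tprc file, or None if it cannot carry a trailer."""
    size = os.path.getsize(path)
    if size < TRAILER_LEN:
        return None
    with open(path, "rb") as fh:
        fh.seek(size - TRAILER_LEN)
        trailer = fh.read(TRAILER_LEN)
    body_len = size - TRAILER_LEN
    return EncryptedArtifact(
        path=path,
        original_name=os.path.basename(path)[: -len(ENCRYPTED_EXT)],
        size=size,
        trailer_sha256=hashlib.sha256(trailer).hexdigest(),
        body_block_aligned=(body_len % AES_BLOCK == 0),
    )


def triage_directory(root: str) -> dict:
    """Walk `root` and inventory encrypted files and ransom notes."""
    encrypted, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                notes.append(full)
            elif name.lower().endswith(ENCRYPTED_EXT):
                artifact = inspect_encrypted_file(full)
                if artifact is not None:
                    encrypted.append(artifact)
    encrypted.sort(key=lambda a: a.path)
    return {
        "encrypted_files": encrypted,
        "ransom_notes": sorted(notes),
        # distinct trailers == file count suggests per-file material; 1 suggests a static blob
        "distinct_trailers": len({a.trailer_sha256 for a in encrypted}),
    }


def build_sample_tree(root: str) -> None:
    """Write a constructed sample tree (not real ransomware output) for the demonstration."""
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    with open(os.path.join(docs, "report.docx" + ENCRYPTED_EXT), "wb") as fh:
        fh.write(bytes(range(32)) + b"\xaa" * TRAILER_LEN)   # 2 blocks + trailer A
    with open(os.path.join(pics, "photo.jpg" + ENCRYPTED_EXT), "wb") as fh:
        fh.write(bytes(range(16)) + b"\xbb" * TRAILER_LEN)   # 1 block + trailer B
    with open(os.path.join(docs, "tiny" + ENCRYPTED_EXT), "wb") as fh:
        fh.write(b"\x00" * 10)                                # too short to hold a trailer: skipped
    with open(os.path.join(docs, NOTE_NAME), "w") as fh:
        fh.write("constructed ransom note placeholder\n")
    with open(os.path.join(docs, "clean.txt"), "w") as fh:
        fh.write("untouched file\n")


def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    root = tempfile.mkdtemp(prefix="tprc-triage-")
    build_sample_tree(root)
    return triage_directory(root)


if __name__ == "__main__":
    result = demo()
    for art in result["encrypted_files"]:
        print(f"{art.original_name:12s} {art.size:6d} B  aligned={art.body_block_aligned}  "
              f"trailer={art.trailer_sha256[:16]}")
    print("ransom notes:", len(result["ransom_notes"]),
          "distinct trailers:", result["distinct_trailers"])
```

Pointing `triage_directory` at a mounted image of an affected profile gives the list of original file names for recovery planning and a per-file trailer hash that can be handed to whoever works on a decryptor without copying the blobs around.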
For persistence the malware writes a Run registry entry pointing to C:\ProgramData\0aaaa.exe and writes a PowerShell script at C:\ProgramData\0aaaa.ps1 which it executes using “powershell.exe -ep bypass”. The sample also demonstrates use of RegAsm as a living-off-the-land host for process injection and establishes C2 communications to receive further commands or instructions.
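Detection logic for the behaviours summarised in the two paragraphs above (RegAsm.exe launched from an unexpected parent, wmic shadow-copy deletion, PowerShell run with -ep bypass against a script under ProgramData, and a Run key value pointing into ProgramData), as an added example that is not part of the original report. The event dictionaries, their field names and the Visual Studio parent allowlist are constructed for this illustration and are not a real Sysmon or EDR schema; the command-line and registry patterns follow what the page reports.

```python
import re
from dataclasses import dataclass

# Parents from which RegAsm.exe is normally launched; a tunable allowlist assumed for this example.
EXPECTED_REGASM_PARENT_PREFIXES = (
    r"c:\program files\microsoft visual studio",
    r"c:\program files (x86)\microsoft visual studio",
)


@dataclass
class Alert:
    rule: str
    technique: str
    event_index: int
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(index: int, ev: dict) -> list:
    """Rules over a process-creation event (fields are this example's own schema)."""
    image = _basename(ev.get("image", ""))
    parent = ev.get("parent_image", "").lower()
    cmd = ev.get("command_line", "").lower()
    alerts = []
    # RegAsm.exe created by something other than the build tooling it normally belongs to
    if image == "regasm.exe" and not parent.startswith(EXPECTED_REGASM_PARENT_PREFIXES):
        alerts.append(Alert("regasm_unexpected_parent", "T1055", index,
                            f"RegAsm.exe started by {ev.get('parent_image')}"))
    # wmic shadow copy deletion; \s* also matches the spaced form quoted in the report
    if image == "wmic.exe" and re.search(r"shadow\s*copy\b.*\bdelete\b", cmd):
        alerts.append(Alert("wmic_shadowcopy_delete", "T1490", index, cmd))
    # PowerShell with execution-policy bypass running a script under ProgramData
    if (image == "powershell.exe"
            and re.search(r"-(?:ep|executionpolicy)\s+bypass", cmd)
            and "\\programdata\\" in cmd):
        alerts.append(Alert("powershell_bypass_programdata", "T1059.001", index, cmd))
    return alerts


def check_registry(index: int, ev: dict) -> list:
    """Rule over a registry value-set event: Run key pointing into ProgramData."""
    key = ev.get("key", "").lower()
    data = ev.get("data", "").lower()
    if key.endswith(r"\currentversion\run") and "\\programdata\\" in data:
        return [Alert("run_key_programdata", "T1547.001", index,
                      f"{ev.get('value')} -> {ev.get('data')}")]
    return []


def detect(events: list) -> list:
    """Apply every rule to an ordered list of events and return the alerts raised."""
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("type") == "process":
            alerts.extend(check_process(i, ev))
        elif ev.get("type") == "registry":
            alerts.extend(check_registry(i, ev))
    return alerts


# Constructed events mirroring the reported behaviour, plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Users\victim\Downloads\invoice.exe", "command_line": "RegAsm.exe"},
    {"type": "process", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "command_line": "wmic.exe shadowcopy delete"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "command_line": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass C:\ProgramData\0aaaa.ps1"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "0aaaa", "data": r"C:\ProgramData\0aaaa.exe"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "command_line": "RegAsm.exe /codebase MyLib.dll"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "powershell.exe -Command Get-Date"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.rule}: {a.detail}")
```

The RegAsm rule keys on the parent process rather than on the RegAsm path, because the binary itself is legitimate and signed; what is anomalous is a user-land downloaded executable creating it. The two benign events at the end show the rules staying quiet for a developer running RegAsm from Visual Studio and for an ordinary PowerShell invocation without the bypass flag.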
Read more: https://labs.k7computing.com/index.php/the-phoenix-rises-again/