# God save the Queen [...] 'cause Ransom is money - SaveTheQueen Encryptor **[dissectingmalwa.re/god-save-the-queen-cause-ransom-is-money-savethequeen-encryptor.html](https://dissectingmalwa.re/god-save-the-queen-cause-ransom-is-money-savethequeen-encryptor.html)** Mon 02 December 2019 in [Ransomware](https://dissectingmalwa.re/category/ransomware.html) Honestly I couldn't decide between the title above and "All crimes are paid", but Sex Pistols fans will get it regardless ¯\(ツ)/¯ I found this sample while browsing the new public submissions on AnyRun on the 1st of December. It peaked my interest because there were just three samples of it on the platform at the time of writing this and they were all uploaded very recently. **_A general disclaimer as always: downloading and running the samples linked below_** **_will lead to the encryption of your personal data, so be f$cking careful. Also check_** **_with your local laws as owning malware binaries/ sources might be illegal depending_** **_on where you live._** [SaveTheQueen @ AnyRun |](https://app.any.run/tasks/2821049e-3bc8-4225-8ef7-ae9fde3d576b/) [VirusTotal |](https://www.virustotal.com/gui/file/3c9f777654a45eb6219f12c2ad10082043814389a4504c27e5aec752a8ee4ded/detection) [HybridAnalysis -->](https://www.hybrid-analysis.com/sample/3c9f777654a45eb6219f12c2ad10082043814389a4504c27e5aec752a8ee4ded/5ddc1e8586b8c95ec2571896) `sha256` ``` 3c9f777654a45eb6219f12c2ad10082043814389a4504c27e5aec752a8ee4ded ``` As always one of my go to tools is DetectItEasy. In this case it tells us that we are dealing with a .NET Application and you know what that means: Let's whip out the .NET Analysis VM and take a look. ----- This looks pretty promising. Because .NET Code is not compiled to Machine Language directly but rather to the Common Intermediate Language (CIL) just in time we can inspect it [without the need for a disassembler with Telerik JustDecompile or](https://www.telerik.com/products/decompiler.aspx) [dnSpy.](https://github.com/0xd4d/dnSpy) Looking at the Output it looks like we have a Powershell Script in front of us that has been [run through PS2EXE, a kind of "converter" (a wrapper to be more precise) for ps1 scripts to](https://gallery.technet.microsoft.com/PS2EXE-Convert-PowerShell-9e4e07f1) PE executables. ----- Decoding the Base64 string we got from the binary gets us two more blocks of what looks like base64 strings and a few lines of PowerShell code between it. Decompressing one of the gzip blocks yields us a Portable Executable! ----- The dropped .SaveTheQueen.LOG was found in C:\ProgramData\. SaveTheQueen does **not leave a ransomnote or other information to contact the crooks.** ``` CLR: 2.0.50727.5420 Drive: C:\ ``` [Because the Registry edits resemble something seen before in LockerGoga I'd like to make](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/what-you-need-to-know-about-the-lockergoga-ransomware) a short comparison between the two stains. **"Feature"** **SaveTheQueen** **LockerGoga** _Ransomnote_ none txt File in %Desktop% _Logging_ C:\ProgramData\SaveTheQueen.LOG C:\.log _Registry_ Restartmanager\Session00xx Restartmanager\Session00xx _Binary_ .NET Visual C++ ### Update 19.12.2019: A new variant of the SaveTheQueen Ransomware was found the MalwareHunterTeam. I'll update this article asap. The SaveTheQueen ransomware is 😂... The ransomware sample -> ConfuserEx -> shellcode -> embed in C# injector dll (base64 encoded) -> PowerShell script (base64 + GZip) -> PS2EXE - and not even [sure if that's all...@demonslay335](https://twitter.com/demonslay335?ref_src=twsrc%5Etfw) [— MalwareHunterTeam (@malwrhunterteam) December 18, 2019](https://twitter.com/malwrhunterteam/status/1207378905386094593?ref_src=twsrc%5Etfw) ----- ## MITRE ATT&CK _T1035 --> Service Execution --> Execution_ _T1215 --> Kernel Modules and Extensions --> Persistence_ _T1179 --> Hooking --> Persistence_ _T1055 --> Process Injection --> Privilege Escalation_ _T1179 --> Hooking --> Privilege Escalation_ _T1045 --> Software Packing --> Defense Evasion_ _T1055 --> Process Injection --> Defense Evasion_ _T1112 --> Modify Registry --> Defense Evasion_ _T1179 --> Hooking --> Credential Access_ _T1012 --> Query Registry --> Discovery_ _T1046 --> Network Service Scanning --> Discovery_ _T1120 --> Peripheral Device Discovery --> Discovery_ _T1057 --> Process Discovery --> Discovery_ ## IOCs ### SaveTheQueen ``` SaveTheQueen.exe --> SHA256: 3c9f777654a45eb6219f12c2ad10082043814389a4504c27e5aec752a8ee4ded SSDEEP: 12288:a4Gvlgr3S/Jsftu5hU17WFKp4NpBvUssesKtIKy7vr4YT0PgZ304lGrDJo8YFfDY:ayw3ZwEaSAVX8Zy Registry Keys ``` ----- ``` HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session00xx Owner --> 6C 0A 00 00 26 23 E1 EB AC A6 D5 01 HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session00xx SessionHash --> 32 Byte Hex HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session00xx RegFiles0000 --> Files to be encrypted/stolen HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session00xx RegFilesHash --> 32 Byte Hex ``` -----