Urausy ransomware | Joachim De Zutter
February 2019
File size: 112640 bytes
MD5: b172a987e846fb1a9a1dd5431c023282
SHA1: ce597b8395e5b5d9e11882e8231888cc05f5d8c0
SHA256: 8d45088e2553ab3c88567b086dcbd3f6b354d6e05ad5ece9928bc025ed02c473
SSDeep: 1536:8Orf8p9C9uuC9qFjvPoP9VetR0YsTt2eReZytM1cWhlG8VSM03qvsa4Cb:6buCIjvAlVetR0YsTPReouhg80RYb
VirusTotal report

At 0x409CED there is a CALL EDI into code that was written into memory to replace the current process image.

Resolves DLL exports dynamically by the CRC32 hash of the export name, so no API names appear in the import table or as plain strings:
CRC32("GetModuleHandleA") = 0xB1866570
CRC32("GetProcAddress") = 0xC97C1FFF
CRC32("ZwUnmapViewOfSection") = 0x9D35F923
CRC32("GlobalAlloc") = 0x7FBC7431
CRC32("GetSystemTime") = 0xD22204E4
CRC32("UnmapViewOfFile") = 0x391AB6AF
CRC32("VirtualFree") = 0xCD53F5DD
CRC32("VirtualAlloc") = 0x09CE0D4A
CRC32("VirtualProtect") = 0x10066F2F
CRC32("LoadLibraryA") = 0x3FC1BD8D
CRC32("LdrShutdownProcess") = 0x7C3D1272
CRC32("RtlDecompressBuffer") = 0x52FE26D8
CRC32("RegCreateKeyExA") = 0x54D56398
CRC32("RegOpenKeyExA") = 0xC13A7AD3
CRC32("RegCloseKey") = 0xA9290135
CRC32("RegSetValueExA") = 0x4F0DAB99
CRC32("RegQueryValueExA") = 0xB039ADFE
...
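Resolving such a hash list back to names is a table lookup over candidate export names; the following is an added example (not code from the post or from the sample) that rebuilds the table with the standard zlib CRC32 and reports which hashes from the binary it can name. The candidate list is a handful of names taken from the list above; in practice the full export tables of kernel32, ntdll, advapi32 and user32 would be fed in. If the sample's values do not match, the author of the malware may have altered the polynomial, initial value or final XOR, and those are the knobs to vary in api_hash().

```python
"""Reverse CRC32 API-name hashes to names.  Added example, not code from the
post or the malware: it rebuilds the hash table from a candidate export list,
the way an analyst does when a hash in the binary is not in a published list."""
import zlib

# Candidate export names (here: names quoted in the post; normally the full
# export tables of the relevant DLLs, dumped with pefile or similar).
CANDIDATE_EXPORTS = [
    "GetModuleHandleA", "GetProcAddress", "ZwUnmapViewOfSection",
    "RtlDecompressBuffer", "VirtualProtect", "LoadLibraryA",
    "RegOpenKeyExA", "RegQueryValueExA",
]


def api_hash(name):
    """Standard (zlib / IEEE 802.3) CRC32 of the ASCII export name.

    If the values the binary uses do not match, vary the polynomial, the
    initial value or the final XOR here rather than assuming the names are wrong."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def build_table(names):
    """Map hash -> name; a collision is reported instead of silently dropped."""
    table = {}
    for n in names:
        h = api_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"CRC32 collision: {table[h]!r} vs {n!r} -> {h:#010x}")
        table[h] = n
    return table


def resolve(hashes, table):
    """Return {hash: name or None} for hashes pulled out of the binary."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_table(CANDIDATE_EXPORTS)
    # Values as printed in the post for the first resolver; a None result
    # means either a different CRC variant or a name missing from the list.
    from_binary = [0xB1866570, 0xC97C1FFF, 0x9D35F923,
                   0x52FE26D8, 0x10066F2F, 0x3FC1BD8D]
    for h, name in resolve(from_binary, table).items():
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```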
Uses RtlDecompressBuffer with the LZNT1 format to decompress an executable in memory; this decompressed image is what replaces the current process image.
The entry point of the replaced image is 0x401000.
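To pull that embedded executable out of a memory dump without running the sample, the LZNT1 stream can be decompressed offline. Below is an added example (not code from the post or from the sample) implementing the LZNT1 chunk format that RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1) consumes, plus a check that the result has a sane MZ/PE header. SAMPLE is a constructed stream built by hand for illustration, not data from the malware.

```python
"""LZNT1 decompressor, the format RtlDecompressBuffer consumes with
COMPRESSION_FORMAT_LZNT1.  Added example, not code from the post or the
sample; SAMPLE below is a constructed stream, not data from the malware."""
import struct


def lznt1_decompress(buf):
    """Decompress an LZNT1 stream: a sequence of chunks, each with a 2-byte
    header (bits 0-11: payload length minus 1, bits 12-14: signature 0b011,
    bit 15: set if the payload is compressed, clear if stored verbatim)."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf):
        (header,) = struct.unpack_from("<H", buf, pos)
        pos += 2
        if header == 0:                      # end marker / padding
            break
        size = (header & 0x0FFF) + 1
        chunk = buf[pos:pos + size]
        pos += size
        if header & 0x8000:
            out += _decompress_chunk(chunk)
        else:
            out += chunk
    return bytes(out)


def _decompress_chunk(chunk):
    """One compressed chunk: a flag byte, then up to 8 tokens (bit clear =
    literal byte, bit set = 16-bit copy token).  The split of the token into
    offset/length bits gives the length more bits as the output grows."""
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[i])
                i += 1
                continue
            (token,) = struct.unpack_from("<H", chunk, i)
            i += 2
            p, len_mask, off_shift = len(out) - 1, 0x0FFF, 12
            while p >= 0x10:
                p >>= 1
                len_mask >>= 1
                off_shift -= 1
            length = (token & len_mask) + 3
            offset = (token >> off_shift) + 1
            if offset > len(out):
                raise ValueError("back-reference before start of chunk")
            start = len(out) - offset
            for k in range(length):              # overlapping copies are legal
                out.append(out[start + k])
    return bytes(out)


def find_pe(data):
    """Offset of the first 'MZ' whose e_lfanew points at 'PE\\0\\0', else None."""
    off = data.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
            if data[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
                return off
        off = data.find(b"MZ", off + 1)
    return None


# Constructed stream: one compressed chunk producing a 68-byte PE skeleton
# ("MZ", zero padding, e_lfanew = 0x40, "PE\0\0").  The payload is 15 bytes,
# so the header is 0x8000 | 0x3000 | (15 - 1) = 0xB00E.
SAMPLE = bytes.fromhex(
    "0EB0"          # chunk header (little-endian 0xB00E)
    "08"            # flags: token 3 is a copy, the other seven are literals
    "4D5A00"        # literals 'M', 'Z', 0x00
    "3600"          # copy token: offset 1, length 0x36 + 3 = 57 zero bytes
    "40000000"      # literal e_lfanew = 0x40
    "00"            # second flag byte: four literals follow
    "50450000"      # 'P', 'E', 0, 0
)

if __name__ == "__main__":
    img = lznt1_decompress(SAMPLE)
    print(len(img), img[:2], find_pe(img))
```

On a real dump, feed the buffer handed to RtlDecompressBuffer (or the memory region it fills) to lznt1_decompress() and use find_pe() to locate the image before carving it out.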

Sections found in memory:
Section  Virtual Size  Virtual Address  Raw Size    Raw Offset  Characteristics
.text    0x00006F20    0x00001000       0x00000400  0x00000400  0x60000020  (CNT_CODE | MEM_EXECUTE | MEM_READ)
.data    0x0000A2AC    0x00008000       0x0000A400  0x00000800  0xC0000040  (CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE)
.idata   0x00000164    0x00013000       0x00000200  0x0000AC00  0xC0000040  (CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE)
.reloc   0x00000040    0x00014000       0x00000200  0x0000AE00  0x40000040  (CNT_INITIALIZED_DATA | MEM_READ)
Note that .text carries only 0x400 bytes of raw data against a virtual size of 0x6F20: the loader zero-fills the remaining bytes, so any code found beyond 0x401400 in a dump was written there at runtime.
Calls VirtualProtect to make the code page writable and places an inline hook on NTDLL!ZwClose that redirects execution to 0x401167 in the replaced image.

At 0x401260 there is a CALL EAX into position-independent code that was decoded into memory at runtime.

That position-independent code resolves imports by CRC32 hash again; this second list covers the primitives for process injection, file and registry access, privilege adjustment and desktop switching:
CRC32("LdrLoadDll") = 0x183679F2
CRC32("RtlInitUnicodeString") = 0x7AA7B69B
CRC32("ZwAllocateVirtualMemory") = 0xD820A574
CRC32("ZwClose") = 0x180C0D23
CRC32("ZwCreateSection") = 0x2C919477
CRC32("ZwFreeVirtualMemory") = 0xF97A25D4
CRC32("ZwMapViewOfSection") = 0xD287EE26
CRC32("ZwOpenProcess") = 0xD8D39F09
CRC32("ZwProtectVirtualMemory") = 0xD2654135
CRC32("ZwQueryInformationProcess") = 0x5E7088ED
CRC32("ZwQuerySystemInformation") = 0xF775FBC7
CRC32("ZwReadVirtualMemory") = 0x918ED998
CRC32("ZwSetInformationThread") = 0xC8277BF4
CRC32("ZwTerminateProcess") = 0xE26D605A
CRC32("ZwUnmapViewOfSection") = 0x9D35F923
CRC32("CloseHandle") = 0xB09315F4
CRC32("CompareStringW") = 0x2F0CD997
CRC32("CopyFileW") = 0xF54D69C8
CRC32("CreateFileA") = 0x553B5C78
CRC32("CreateFileW") = 0xA1EFE929
CRC32("CreateProcessW") = 0x5C856C47
CRC32("CreateRemoteThread") = 0xFF808C10
CRC32("CreateThread") = 0x906A06B0
CRC32("DeleteFileA") = 0x919B6BCB
CRC32("DeleteFileW") = 0x654FDE9A
CRC32("ExitProcess") = 0x251097CC
CRC32("GetComputerNameW") = 0x4E5771A7
CRC32("GetFileAttributesW") = 0xC4B4A94D
CRC32("GetFileTime") = 0x3FAFFD4A
CRC32("GetModuleFileNameW") = 0xFC6B42F1
CRC32("GetModuleHandleW") = 0x4552D021
CRC32("GetSystemDirectoryW") = 0x72641C0B
CRC32("GetSystemInfo") = 0x763FADF6
CRC32("GetTempFileNameW") = 0x165D9659
CRC32("GetTempPathA") = 0xF3771641
CRC32("GetTempPathW") = 0x07A3A310
CRC32("GetVersionExW") = 0x2B53C31B
CRC32("GetVolumeInformationW") = 0xD52D474A
CRC32("GetWindowsDirectoryW") = 0x0B27C7EF
CRC32("ReadFile") = 0x095C03D0
CRC32("ResumeThread") = 0x3872BEB9
CRC32("SetFilePointer") = 0xEFC7EA74
CRC32("SetFileTime") = 0x21804A03
CRC32("Sleep") = 0xCEF2EDA8
CRC32("VirtualAlloc") = 0x09CE0D4A
CRC32("VirtualAllocEx") = 0xE62E824D
CRC32("VirtualFree") = 0xCD53F5DD
CRC32("WideCharToMultiByte") = 0x9A80E589
CRC32("WriteFile") = 0xCCE95612
CRC32("WriteProcessMemory") = 0x4F58972E
CRC32("lstrcatA") = 0x0649685D
CRC32("lstrcatW") = 0xF29DDD0C
CRC32("lstrcpyA") = 0xAE03DF57
CRC32("lstrcpyW") = 0x5AD76A06
CRC32("lstrlenA") = 0xE90E2A0C
CRC32("lstrlenW") = 0x1DDA9F5D
CRC32("AdjustTokenPrivileges") = 0x0DE3E5CF
CRC32("GetUserNameA") = 0x59761A93
CRC32("LookupPrivilegeValueW") = 0x2E530A33
CRC32("OpenProcessToken") = 0xF9C60615
CRC32("RegCloseKey") = 0xA9290135
CRC32("RegDeleteValueA") = 0xF071B83D
CRC32("RegFlushKey") = 0xB1EEF671
CRC32("RegOpenKeyExA") = 0xC13A7AD3
CRC32("RegOpenKeyExW") = 0x35EECF82
CRC32("RegQueryValueExA") = 0xB039ADFE
CRC32("RegQueryValueExW") = 0x44ED18AF
CRC32("RegSetValueExW") = 0xBBD91EC8
CRC32("CloseDesktop") = 0x4C9F4AE4
CRC32("CreateDesktopW") = 0x94DD41DA
CRC32("CreateWindowExW") = 0xC6032F84
CRC32("DefWindowProcW") = 0x8BC26465
CRC32("DispatchMessageW") = 0x5570931F
CRC32("ExitWindowsEx") = 0xA03D1F4A
CRC32("GetClientRect") = 0xE07C965F
CRC32("GetMessageW") = 0x7520A715
CRC32("GetShellWindow") = 0x021F0257
CRC32("GetSystemMetrics") = 0x05C64EA2
CRC32("GetWindowDC") = 0x58CFAF88
CRC32("GetWindowThreadProcessId") = 0xF8EE80EC
CRC32("LoadCursorW") = 0xF79942EA
CRC32("LoadIconW") = 0x584A3001
CRC32("OpenDesktopW") = 0x0E84B90E
CRC32("RegisterClassW") = 0xD1A2BB9C
CRC32("ReleaseDC") = 0xDE8DA996
CRC32("SendMessageA") = 0x509362AB
CRC32("SetForegroundWindow") = 0xA753EFCF
CRC32("SwitchDesktop") = 0x028D1D30
CRC32("TranslateMessage") = 0x5DD9CE14
CRC32("wsprintfA") = 0xD4C9B887
CRC32("wsprintfW") = 0x201D0DD6
Injects code into the explorer.exe process: GetShellWindow and GetWindowThreadProcessId identify the shell process, which is then opened with ZwOpenProcess and has the payload mapped into it via ZwCreateSection and ZwMapViewOfSection (among others).
To transfer control to the injected code, an inline hook is placed on NTDLL!ZwClose inside explorer.exe: the first five bytes of the function are overwritten with a CALL to a trampoline that looks like this:
0x7C97DFF0:    mov     eax, 0x1600000
0x7C97DFF5:    sub     dword ptr [esp], 5
0x7C97DFF9:    jmp     eax
The CALL at the start of ZwClose pushes ZwClose+5 as its return address; the sub dword ptr [esp], 5 rewinds that to the start of ZwClose, so once the payload has restored the original bytes a plain RET lands on the genuine system call stub and the caller in explorer.exe never notices. The jmp eax reaches position-independent code which, disassembled as 32-bit code, looks like this:
0x1600000:	dec	eax
0x1600001:	xor	eax, eax
0x1600003:	call	0x1600008
0x1600008:	pop	ecx
0x1600009:	dec	eax
0x160000A:	lea	ecx, dword ptr [ecx - 8]
0x160000D:	jns	0x1600018
0x160000F:	xor	eax, eax
0x1600011:	add	eax, dword ptr [ecx + 0x40]
0x1600014:	jne	0x160001f
0x1600016:	jmp	0x1600023
0x1600018:	dec	eax
0x1600019:	add	eax, dword ptr [ecx + 0x48]
0x160001C:	je	0x1600023
0x160001E:	dec	eax
0x160001F:	add	eax, ecx
0x1600021:	jmp	eax
0x01600000: 48 31 C0 E8 00 00 00 00  59 48 8D 49 F8 79 09 33 H1......YH.I.y.3
0x01600010: C0 03 41 40 75 09 EB 0B  48 03 41 48 74 05 48 03 ..A@u...H.AHt.H.
0x01600020: C1 FF E0 C3 00 00 00 00  00 00 00 00 00 00 00 00 ................
0x01600030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ................
The stub is a 32/64-bit polyglot: each 0x48 byte that the 32-bit disassembly renders as dec eax is a REX.W prefix when run as 64-bit code, where the same bytes read xor rax, rax / call / pop rcx / lea rcx, [rcx-8]. After pop ecx and lea ecx, [ecx-8], ECX holds the stub's own base (0x1600000). In 32-bit mode the dec eax at 0x1600009 leaves the sign flag set, so jns falls through and the dword at [base+0x40] is used; in 64-bit mode the flags come from xor rax, rax, jns is taken and the qword at [base+0x48] is used instead. Either value is a base-relative offset to the real payload, added to the base before the jmp; a zero value reaches the ret at 0x1600023 and the stub does nothing. The payload removes the inline hook of NTDLL!ZwClose by restoring the original bytes, which is what the rewound return address is for.
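When triaging a dump of explorer.exe, the question is whether an export starts with a CALL/JMP rel32 and, if so, where the chain ends. The following is an added example (not code from the post or from the sample) that follows exactly the chain described above: hooked export, trampoline of the form mov eax, imm32 / sub dword ptr [esp], imm8 / jmp eax, final target, and the address a RET from the payload will resume at. MEM is a constructed stand-in for a memory dump: ZWCLOSE_VA and the clean stub bytes are assumptions, while the trampoline address, its instruction sequence and the 0x1600000 target are the ones quoted above.

```python
"""Follow an inline hook of the kind placed on NTDLL!ZwClose above.  Added
example, not code from the post or the sample.  MEM is a constructed memory
image: ZWCLOSE_VA and CLEAN_STUB are assumptions; only the trampoline address,
its instructions and the 0x1600000 target come from the post."""
import struct

ZWCLOSE_VA = 0x7C90D000      # hypothetical address for the export
TRAMPOLINE_VA = 0x7C97DFF0   # from the post
PIC_VA = 0x01600000          # from the post


def call_rel32(src, dst):
    """Encode E8 rel32 placed at src and targeting dst."""
    return b"\xE8" + struct.pack("<i", dst - (src + 5))


# Constructed 32-bit Nt* stub shape (mov eax, imm32 / mov edx, 7FFE0300h /
# call [edx] / ret 4); the syscall number 0x11111111 is a placeholder.
CLEAN_STUB = b"\xB8\x11\x11\x11\x11\xBA\x00\x03\xFE\x7F\xFF\x12\xC2\x04\x00"

MEM = {
    # hooked export: 5-byte CALL over the first instruction, rest untouched
    ZWCLOSE_VA: call_rel32(ZWCLOSE_VA, TRAMPOLINE_VA) + CLEAN_STUB[5:],
    # trampoline exactly as disassembled in the post
    TRAMPOLINE_VA: (b"\xB8" + struct.pack("<I", PIC_VA)   # mov eax, 0x1600000
                    + b"\x83\x2C\x24\x05"                 # sub dword ptr [esp], 5
                    + b"\xFF\xE0"),                       # jmp eax
}


def read(mem, va, n):
    """Read n bytes at va from a {base: bytes} image."""
    for base, data in mem.items():
        if base <= va < base + len(data):
            return data[va - base:va - base + n]
    raise KeyError(f"no memory at {va:#x}")


def inline_hook_target(mem, va):
    """Absolute target if the code at va starts with CALL/JMP rel32, else None."""
    b = read(mem, va, 5)
    if len(b) == 5 and b[0] in (0xE8, 0xE9):
        return (va + 5 + struct.unpack("<i", b[1:5])[0]) & 0xFFFFFFFF
    return None


def decode_trampoline(mem, va):
    """Recognise mov eax, imm32 / sub dword ptr [esp], imm8 / jmp eax and
    return (imm32, imm8); None if the bytes are something else."""
    b = read(mem, va, 11)
    if (len(b) == 11 and b[0] == 0xB8 and b[5:8] == b"\x83\x2C\x24"
            and b[9:11] == b"\xFF\xE0"):
        return struct.unpack("<I", b[1:5])[0], b[8]
    return None


def follow_hook(mem, func_va):
    """Chain hooked export -> trampoline -> final target, and where a RET from
    the payload resumes after the return-address rewind.  None if unhooked."""
    hook = inline_hook_target(mem, func_va)
    if hook is None:
        return None
    result = {"hook_target": hook}
    tr = decode_trampoline(mem, hook)
    if tr is not None:
        final, rewind = tr
        result["final_target"] = final
        result["resumes_at"] = func_va + 5 - rewind   # the CALL pushed func_va+5
    return result


if __name__ == "__main__":
    print({k: f"{v:#x}" for k, v in follow_hook(MEM, ZWCLOSE_VA).items()})
```

Against a real dump, replace MEM with reads from the process memory and iterate over ntdll's export table; an export whose chain ends outside any loaded module (here 0x1600000) is the finding.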

A svchost.exe process is created in a suspended state, code is injected into it and it is then resumed (CreateProcessW, VirtualAllocEx, WriteProcessMemory and ResumeThread are among the imports resolved above).

From that svchost.exe process, HTTP requests are made with WININET!InternetOpenUrlA to URLs like:
http://youtubeknocking.pw/article/nq_zajpfcgtdhxsdkvqbcxffaglpigbjtcroe-ebxcrdezlmrz-mripcjatqpzj_srnl_sitsdruovkltna-hepaxt.php
http://youtubeknocking.pw/forum/stzhrubtoahj-yqyb-zhjvohqrcuvkdwnddh-yjhc-yguu_rijvatliphzj_owfzlxmpyscq_vlyn-snwi-oxyh_cltu-qs.php
http://sendingtextformatting.biz/forum/srznyjbqricoarzmys-bajkrcdgyqvytwpiusbl-pqipceiovnkq-ygsnfqoyifamqciqks-dhqc-wbgs_ukgk_akdd.php
http://sendingtextformatting.biz/manual/coarzmfrqs-rafy-abbc_gxxs_gbsy_ihdrye-nauy-ofwf_myuats-nditxsspxxnn-gjrc-yhnwnluyihifeyqrsrlzam-.html
http://serverupdateflashpoint.itemdb.com/forum/ptptptptptpt-ptpt-uqmp-bhjl-stus-plfm-pydhuknhyvpaauvyvqxq-cqez-oncneyatqt-nhnehtuqvl-yxph_zjuu-.php
...
with the User-Agent "Opera/11.80 (Windows NT 5.1; en) Presto/2.9.68 Version/11.52". The fixed User-Agent together with the path shape (a short directory followed by a long pseudo-random lowercase string of letters, hyphens and underscores ending in .php or .html) is the usable network indicator; the domains themselves vary.
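Turned into detection logic, the indicator is the combination of the path shape and the User-Agent, since the latter is a genuine Opera 11.52 string that is noisy on its own. The following is an added example (not code from the post) that scans constructed proxy log lines: the five URLs in them are the ones quoted above, and the tab-separated field layout (timestamp, client, method, url, user-agent) is an assumption about the log format.

```python
"""Flag proxy-log entries matching the beaconing pattern described above.
Added example, not code from the post.  The log lines are constructed; the
five malicious URLs are the ones quoted in the post and the field layout
(ts, client, method, url, ua) is an assumed proxy format."""
import re

UA = "Opera/11.80 (Windows NT 5.1; en) Presto/2.9.68 Version/11.52"
# short lowercase directory, then a long run of [a-z_-], then .php or .html
PATH_RE = re.compile(r"^https?://[^/\s]+/[a-z]+/[a-z_-]{40,}\.(?:php|html)$")


def classify(url, ua):
    """Return the indicators that fire.  Both together is the strong signal;
    the UA alone is a real Opera 11.52 string and will be noisy."""
    hits = []
    if PATH_RE.match(url):
        hits.append("path-shape")
    if ua == UA:
        hits.append("urausy-ua")
    return hits


def scan(log):
    """Yield (client, url) for lines on which both indicators fire."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ua = line.split("\t")
        if len(classify(url, ua)) == 2:
            alerts.append((client, url))
    return alerts


# Constructed proxy log: five beacons from the post plus two benign lines.
LOG = "\n".join("\t".join(f) for f in [
    ("2019-02-01T10:00:01", "10.0.0.5", "GET",
     "http://youtubeknocking.pw/article/nq_zajpfcgtdhxsdkvqbcxffaglpigbjtcroe-ebxcrdezlmrz-mripcjatqpzj_srnl_sitsdruovkltna-hepaxt.php", UA),
    ("2019-02-01T10:00:02", "10.0.0.5", "GET",
     "http://youtubeknocking.pw/forum/stzhrubtoahj-yqyb-zhjvohqrcuvkdwnddh-yjhc-yguu_rijvatliphzj_owfzlxmpyscq_vlyn-snwi-oxyh_cltu-qs.php", UA),
    ("2019-02-01T10:00:03", "10.0.0.5", "GET",
     "http://sendingtextformatting.biz/forum/srznyjbqricoarzmys-bajkrcdgyqvytwpiusbl-pqipceiovnkq-ygsnfqoyifamqciqks-dhqc-wbgs_ukgk_akdd.php", UA),
    ("2019-02-01T10:00:04", "10.0.0.5", "GET",
     "http://sendingtextformatting.biz/manual/coarzmfrqs-rafy-abbc_gxxs_gbsy_ihdrye-nauy-ofwf_myuats-nditxsspxxnn-gjrc-yhnwnluyihifeyqrsrlzam-.html", UA),
    ("2019-02-01T10:00:05", "10.0.0.5", "GET",
     "http://serverupdateflashpoint.itemdb.com/forum/ptptptptptpt-ptpt-uqmp-bhjl-stus-plfm-pydhuknhyvpaauvyvqxq-cqez-oncneyatqt-nhnehtuqvl-yxph_zjuu-.php", UA),
    # benign: real Opera user with an ordinary URL (UA indicator only)
    ("2019-02-01T10:00:06", "10.0.0.7", "GET", "http://example.com/forum/index.php", UA),
    # benign: long slug but a different browser (path indicator only)
    ("2019-02-01T10:00:07", "10.0.0.9", "GET",
     "https://www.example.org/article/long-but-ordinary-editorial-slug-about-something-entirely-unrelated.html",
     "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"),
])

if __name__ == "__main__":
    for client, url in scan(LOG):
        print(client, url)
```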