payload.bin

General
Target: payload.bin.exe
Filesize: N/A
Completed: 02-12-2019 23:14
Score: 10/10
SHA256: 9d86acff939f2bab3d4a8a8eed8581475189a3e76ba03bbe30e7b36c4b0ffd38

Malware Config

Signatures 38

Tactics observed: Collection, Credential Access, Defense Evasion, Discovery
  • Reads Pale Moon browser user profile, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\ | payload.bin.exe
  • Reads Bromium user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Bromium\User Data\ | payload.bin.exe
  • Reads Torch user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Torch\User Data\ | payload.bin.exe
  • Reads Kometa user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Kometa\User Data\ | payload.bin.exe
  • Reads Chrome SxS user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\ | payload.bin.exe
  • Loads dropped DLL
    payload.bin.exe

    Reported IOCs

    pid | process
    4992 | payload.bin.exe
  • Raccoon

    Description

    It's the RaccAttack!

  • Reads Suhba user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Suhba\User Data\ | payload.bin.exe
  • Reads Orbitum user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Orbitum\User Data\ | payload.bin.exe
  • Reads 7star user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\7Star\7Star\User Data\ | payload.bin.exe
  • Reads Amigo user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Amigo\User Data\ | payload.bin.exe
  • Reads user profile for Thunderbird email client, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\ | payload.bin.exe
  • Reads Uran user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\ | payload.bin.exe
  • Reads Waterfox user profile, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\ | payload.bin.exe
  • Reads Dragon user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\ | payload.bin.exe
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid | process
    3964 | PING.EXE
  • Windows security modification

    TTPs

    Disabling Security Tools, Modify Registry

    Reported IOCs

    description | ioc
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"
  • Reads Go! user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Go!\User Data\ | payload.bin.exe
  • Reads Superbird user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Superbird\User Data\ | payload.bin.exe
  • Reads Elements browser user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Elements Browser\User Data\ | payload.bin.exe
  • Reads Sputnik user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\ | payload.bin.exe
  • Checks for installed software on the system

    TTPs

    Query Registry

    Reported IOCs

    description | ioc
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName
    Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
    Key enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName
  • Reads Chrome user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ | payload.bin.exe
  • Suspicious use of WriteProcessMemory
    SppExtComObj.exe, payload.bin.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 1692 wrote to memory of 68 | 1692 | SppExtComObj.exe | SLUI.exe
    PID 4992 wrote to memory of 4768 | 4992 | payload.bin.exe | cmd.exe
    PID 4768 wrote to memory of 3964 | 4768 | cmd.exe | PING.EXE
  • Reads Epic privacy browser user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\ | payload.bin.exe
  • Reads Tor Browser user profile, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\TorBro\Profile\ | payload.bin.exe
  • Reads Firefox user profile, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ | payload.bin.exe
  • Reads Secure browser user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\ | payload.bin.exe
  • Reads Rockmelt user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\RockMelt\User Data\ | payload.bin.exe
  • Reads Chromium user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Chromium\User Data\ | payload.bin.exe
  • Reads Centbrowser user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\CentBrowser\User Data\ | payload.bin.exe
  • Drops file in Windows directory
    svchost.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\Debug\ESE.TXT | svchost.exe
  • Reads Nichrome user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Nichrome\User Data\ | payload.bin.exe
  • Reads Mustang user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\ | payload.bin.exe
  • Reads Chedot user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Chedot\User Data\ | payload.bin.exe
  • Checks system information in the registry

    Description

    System information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
  • Reads Qip surf user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\QIP Surf\User Data\ | payload.bin.exe
  • Reads Vivaldi user data, possible credential harvesting
    payload.bin.exe

    TTPs

    Data from Local System, Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Vivaldi\User Data\ | payload.bin.exe
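The signatures above show one process (PID 4992) walking the profile directories of some thirty Chromium- and Gecko-based browsers plus Thunderbird, and loading DLLs it dropped itself. Any single browser legitimately reads its own profile; the tell is breadth from a non-browser process, or even one profile read combined with NSS/SQLite helper libraries loaded from %TEMP%. The following is an added example of that heuristic, not code from the sandbox or from the report; the event tuples are constructed from the IOCs listed here (a subset of the "Reads ... user data" paths, the three files under Downloads), and PID 2200 for chrome.exe, the chrome.exe install path, and the assumption that the three dropped DLLs are the ones PID 4992 loaded are mine, since the "Loads dropped DLL" signature does not name them.

```python
"""Infostealer breadth heuristic over file-access and image-load events.

Added example, not part of the sandbox report. Event tuples are constructed
from the report's IOCs; PID 2200 / the chrome.exe path and the assumption that
the three dropped DLLs are the ones loaded by PID 4992 are illustrative.
"""
import re
from collections import defaultdict

# Root of a browser/mail profile: ...\AppData\{Local,Roaming}\<vendor...>\User Data (Chromium) or \Profiles (Gecko)
PROFILE_ROOT = re.compile(
    r"^(.*\\AppData\\(?:Local|Roaming)\\.+?\\(?:User Data|Profiles?))(?:\\|$)",
    re.IGNORECASE,
)
# Libraries stealers carry to decrypt Gecko logins (nss3/mozglue) and read Chromium SQLite DBs (sqlite3)
HELPER_DLLS = {"nss3.dll", "mozglue.dll", "sqlite3.dll"}
USER_WRITABLE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"   # assumed path

# (pid, image, path): a subset of the report's "Reads ... user data" IOCs, plus one benign read (constructed)
FILE_READS = [
    (4992, PAYLOAD, r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data"),
    (4992, PAYLOAD, r"C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data"),
    (4992, PAYLOAD, r"C:\Users\Admin\AppData\Local\Chromium\User Data"),
    (4992, PAYLOAD, r"C:\Users\Admin\AppData\Local\Vivaldi\User Data"),
    (4992, PAYLOAD, r"C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data"),
    (4992, PAYLOAD, r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles"),
    (4992, PAYLOAD, r"C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles"),
    (4992, PAYLOAD, r"C:\Users\Admin\AppData\Local\TorBro\Profile"),
    (2200, CHROME, r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]
# (pid, image, dll): the files listed under Downloads, assumed to be the ones PID 4992 loaded
IMAGE_LOADS = [
    (4992, PAYLOAD, r"C:\Users\Admin\AppData\Local\Temp\AdLibs\mozglue.dll"),
    (4992, PAYLOAD, r"C:\Users\Admin\AppData\Local\Temp\AdLibs\nss3.dll"),
    (4992, PAYLOAD, r"C:\Users\Admin\AppData\Local\Temp\sqlite3.dll"),
    (2200, CHROME, r"C:\Windows\System32\ntdll.dll"),
]


def profile_root(path):
    """Normalised profile root for a path under a browser/mail profile, else None."""
    m = PROFILE_ROOT.match(path)
    return m.group(1).lower() if m else None


def score_processes(file_reads, image_loads, min_roots=3):
    """Flag a process that touches >= min_roots distinct profile roots, or any
    profile root while having loaded a helper DLL from a user-writable Temp dir."""
    roots, helpers, image = defaultdict(set), defaultdict(set), {}
    for pid, img, path in file_reads:
        image[pid] = img
        root = profile_root(path)
        if root:
            roots[pid].add(root)
    for pid, img, dll in image_loads:
        image[pid] = img
        name = dll.rsplit("\\", 1)[-1].lower()
        if name in HELPER_DLLS and USER_WRITABLE.search(dll):
            helpers[pid].add(name)
    findings = {}
    for pid in set(roots) | set(helpers):
        n, dlls = len(roots[pid]), sorted(helpers[pid])
        if n >= min_roots or (n and dlls):
            findings[pid] = {"image": image[pid], "profile_roots": n, "temp_dlls": dlls}
    return findings


if __name__ == "__main__":
    for pid, f in score_processes(FILE_READS, IMAGE_LOADS).items():
        print(f"pid {pid} {f['image']}: {f['profile_roots']} profile roots, "
              f"helper DLLs from Temp: {f['temp_dlls']}")
```

The `min_roots` threshold is deliberately low: a stealer touches dozens of vendors, so three distinct roots from one non-browser process is already far outside normal behaviour, while the "one root plus a helper DLL from Temp" branch catches a sample that targets a single browser.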
Processes 10
  • C:\Users\Admin\AppData\Local\Temp\payload.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"
    Reads Pale Moon browser user profile, possible credential harvesting
    Reads Bromium user data, possible credential harvesting
    Reads Torch user data, possible credential harvesting
    Reads Kometa user data, possible credential harvesting
    Reads Chrome SxS user data, possible credential harvesting
    Loads dropped DLL
    Reads Suhba user data, possible credential harvesting
    Reads Orbitum user data, possible credential harvesting
    Reads 7star user data, possible credential harvesting
    Reads Amigo user data, possible credential harvesting
    Reads user profile for Thunderbird email client, possible credential harvesting
    Reads Uran user data, possible credential harvesting
    Reads Waterfox user profile, possible credential harvesting
    Reads Dragon user data, possible credential harvesting
    Reads Go! user data, possible credential harvesting
    Reads Superbird user data, possible credential harvesting
    Reads Elements browser user data, possible credential harvesting
    Reads Sputnik user data, possible credential harvesting
    Reads Chrome user data, possible credential harvesting
    Suspicious use of WriteProcessMemory
    Reads Epic privacy browser user data, possible credential harvesting
    Reads Tor Browser user profile, possible credential harvesting
    Reads Firefox user profile, possible credential harvesting
    Reads Secure browser user data, possible credential harvesting
    Reads Rockmelt user data, possible credential harvesting
    Reads Chromium user data, possible credential harvesting
    Reads Centbrowser user data, possible credential harvesting
    Reads Nichrome user data, possible credential harvesting
    Reads Mustang user data, possible credential harvesting
    Reads Chedot user data, possible credential harvesting
    Reads Qip surf user data, possible credential harvesting
    Reads Vivaldi user data, possible credential harvesting
    PID:4992
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"
      Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        Runs ping.exe
        PID:3964
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\System32\SLUI.exe
      "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      PID:68
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    Drops file in Windows directory
    PID:4408
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
    PID:4220
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
    PID:4656
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup
    PID:5012
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
    PID:3664
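The cmd.exe child of PID 4992 in the tree above is the classic self-removal stub: wait on a single ping, then `Del /f /q` the parent's own image so the dropper is gone from disk when a responder arrives. The following is an added example of detecting that pattern from process-creation telemetry, not code from the sandbox or the report; the event records are constructed to mirror the tree (PIDs 4992, 4768, 3964 and their command lines are the report's), while the field names, the parent PID 1000 for payload.bin.exe and the benign cleanup event (PID 5100) are assumptions for illustration.

```python
"""Self-delete ("ping-then-delete") detection over process-creation events.

Added example, not part of the sandbox report. Event dicts and their field
names (pid, ppid, image, cmdline) are assumptions, not a real EDR schema.
"""
import re

# A delay primitive: `ping <host> -n <count> ...` or `timeout [/t] <seconds>`
DELAY = re.compile(
    r"\b(?:ping(?:\.exe)?\b[^&|]*?-n\s+\d+|timeout(?:\.exe)?\s+(?:/t\s+)?\d+)",
    re.IGNORECASE,
)
# `del`/`erase`, optional switches, then a quoted or bare target path
DEL_TARGET = re.compile(
    r'\b(?:del|erase)\b(?:\s+/\w)*\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE
)

# Constructed from the report's process tree (4992 -> 4768 -> 3964);
# ppid 1000 for the payload and the last, benign event are made up for contrast.
EVENTS = [
    {"pid": 4992, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\payload.bin.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"'},
    {"pid": 4768, "ppid": 4992, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q '
                r'"C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"'},
    {"pid": 3964, "ppid": 4768, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 1.1.1.1 -n 1 -w 3000"},
    {"pid": 5100, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /C del /q "C:\Temp\old.log"'},
]


def find_self_delete(events):
    """One finding per command line that erases its parent's image (high) or
    deletes a file after a delay with no parent visible (medium)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmd = e["cmdline"]
        m = DEL_TARGET.search(cmd)
        if not m:
            continue
        target = (m.group(1) or m.group(2)).lower()
        delayed = DELAY.search(cmd) is not None
        parent = by_pid.get(e["ppid"])
        parent_is_target = parent is not None and parent["image"].lower() == target
        if parent_is_target:
            severity = "high"     # the parent's own binary is being erased
        elif delayed:
            severity = "medium"   # delay + delete, parent already exited or unseen
        else:
            continue              # plain cleanup: no delay, unrelated target
        findings.append({
            "pid": e["pid"], "ppid": e["ppid"], "target": target,
            "delayed": delayed, "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_self_delete(EVENTS):
        print(f"[{f['severity']}] pid {f['pid']} (parent {f['ppid']}) deletes {f['target']}")
```

Comparing the `del` target against the parent's image path is what separates this from ordinary batch housekeeping; the delay alone is only a medium signal because the parent has often exited (and its image is already gone) by the time the child's command line is inspected.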
Network
Downloads
  • \Users\Admin\AppData\Local\Temp\AdLibs\mozglue.dll
  • \Users\Admin\AppData\Local\Temp\AdLibs\nss3.dll
  • \Users\Admin\AppData\Local\Temp\sqlite3.dll
  • memory/4992-0-0x00000000006A9000-0x00000000006AA000-memory.dmp
  • memory/4992-1-0x00000000021B0000-0x00000000021B1000-memory.dmp
  • memory/4992-2-0x00000000021B0000-0x00000000021B1000-memory.dmp