Payload.bin

General

Target: Payload.bin.exe
Filesize: 27KB
Completed: 19-09-2021 22:34
Score: 10/10
MD5: c33318247f0f443ed1a25af2f9b76cf0
SHA1: 30388f9d86200fec836bd2995f87a66c06cf3d9e
SHA256: c20aa2c35db0a9c2f811241e8ed3e959c5f297c41f11f9ea4d59def9c3219a81

Malware Config

Extracted

Family: njrat
Version: v2.0
Botnet: HacKed
C2: efficient-oil.auto.playit.gg:55457

Attributes
reg_key: Windows
splitter: |-F-|
Signatures 10

Tactics: Defense Evasion, Discovery, Persistence
  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    Description

    Emerging Threats (ET) network rule that matched njRAT/Bladabindi command-and-control traffic during the run.
  • Executes dropped EXE
    Payload.exe

    Reported IOCs

    pid | process
    560 | Payload.exe
  • Drops startup file
    Payload.bin.exe, Payload.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.bin.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe
  • Loads dropped DLL
    Payload.bin.exe

    Reported IOCs

    pid | process
    1380 | Payload.bin.exe
  • Adds Run key to start application
    Payload.bin.exe, Payload.exe

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | Payload.bin.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature rates it as likely ransomware behaviour; in this run the sample is an njRAT build and no file-encryption behaviour is reported, so treat it as drive enumeration by the RAT rather than as a ransomware indicator.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    Payload.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 560 | Payload.exe
    Token: 33 | 560 | Payload.exe (reported 16 times)
    Token: SeIncBasePriorityPrivilege | 560 | Payload.exe (reported 16 times)
  • Suspicious use of WriteProcessMemory
    Payload.bin.exe

    Reported IOCs

    description | pid | process | target process
    PID 1380 wrote to memory of 560 | 1380 | Payload.bin.exe | Payload.exe (reported 4 times)
    PID 1380 wrote to memory of 596 | 1380 | Payload.bin.exe | attrib.exe (reported 4 times)
  • Views/modifies file attributes
    attrib.exe

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pid | process
    596 | attrib.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\Payload.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Payload.bin.exe"
    Drops startup file
    Loads dropped DLL
    Adds Run key to start application
    Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Admin\AppData\Local\Temp\Payload.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
      Executes dropped EXE
      Drops startup file
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:560
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
      Views/modifies file attributes
      PID:596
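The process tree above is the whole chain in one screen: Payload.bin.exe (PID 1380) writes a copy of itself to %TEMP%\Payload.exe (the dropped file carries the same MD5/SHA1/SHA256 as the submitted sample), drops Windows.lnk into the Startup folder, and with the child (PID 560) sets Run values named Windows and Windows2 under HKCU and the HKLM Wow6432Node view, while attrib.exe (PID 596) marks the copy hidden, read-only and system. The following Python is an added example, not code from the sandbox, the report or njRAT: it turns the report's IOCs into a small host-side hunt and runs it over constructed Sysmon-style JSON records (EventID 1 process create, 3 network connect, 11 file create, 13 registry set). Field names follow Sysmon; the records themselves are made up for the example, with paths, hashes, key names and the C2 copied from the report and one benign Run entry added as a control.

```python
"""
Hunt for the njRAT persistence/C2 chain reported above in Sysmon-style events.

Added example, not code from the sandbox, the report or njRAT. IOCs are copied
from the report; the event records below are constructed to look like Sysmon
JSON (EventID 1 process create, 3 network connect, 11 file create, 13 registry
set) and are not captured logs.
"""
import json
import re

# IOCs from the report.
SAMPLE_SHA256 = "c20aa2c35db0a9c2f811241e8ed3e959c5f297c41f11f9ea4d59def9c3219a81"
C2_HOST = "efficient-oil.auto.playit.gg"
C2_PORT = 55457

# Any value under a CurrentVersion\Run key (HKCU, HKLM and the Wow6432Node view).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)
# Run-key data seen in the report: an .exe in %TEMP% or a .URL in the Templates folder.
RUN_TARGET = re.compile(
    r"(\\AppData\\Local\\Temp\\[^\\]+\.exe"
    r"|\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\[^\\]+\.url)\"?$",
    re.I,
)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# attrib applying both +h and +s to an executable (the report shows attrib +h +r +s).
ATTRIB_HIDE = re.compile(r"\battrib(\.exe)?\s+(?=.*\+h)(?=.*\+s).*\.exe", re.I)


def parse_hashes(field):
    """Sysmon's Hashes field is 'MD5=..,SHA256=..'; return it as a dict."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


def hunt(events):
    """Return (rule, detail) pairs for events matching the report's IOCs."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # process create
            if parse_hashes(ev.get("Hashes", "")).get("SHA256", "").lower() == SAMPLE_SHA256:
                findings.append(("known_njrat_hash", ev.get("Image", "")))
            if ATTRIB_HIDE.search(ev.get("CommandLine", "")):
                findings.append(("attrib_hides_exe", ev["CommandLine"]))
        elif eid == 3:  # network connect
            if ev.get("DestinationHostname") == C2_HOST or str(ev.get("DestinationPort")) == str(C2_PORT):
                findings.append(("njrat_c2_contact",
                                 f"{ev.get('Image')} -> {ev.get('DestinationHostname')}:{ev.get('DestinationPort')}"))
        elif eid == 11:  # file create
            if STARTUP_LNK.search(ev.get("TargetFilename", "")):
                findings.append(("startup_lnk_dropped", ev["TargetFilename"]))
        elif eid == 13:  # registry value set
            if RUN_KEY.search(ev.get("TargetObject", "")) and RUN_TARGET.search(ev.get("Details", "")):
                findings.append(("run_key_to_temp_or_url", f"{ev['TargetObject']} = {ev['Details']}"))
    return findings


def load_events(jsonl):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


# Constructed Sysmon-like records (not captured logs). Paths, hashes, key names and
# the C2 come from the report; the HKLM\...\Run\SecurityHealth line is a benign control.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe", "CommandLine": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe\"", "Hashes": "MD5=c33318247f0f443ed1a25af2f9b76cf0,SHA256=c20aa2c35db0a9c2f811241e8ed3e959c5f297c41f11f9ea4d59def9c3219a81"}
{"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\attrib.exe", "CommandLine": "attrib +h +r +s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe\"", "Hashes": ""}
{"EventID": 11, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.bin.exe", "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows.lnk"}
{"EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.bin.exe", "TargetObject": "HKU\\S-1-5-21-2375386074-2889020035-839874990-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows2", "Details": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"}
{"EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe", "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows", "Details": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth", "Details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"}
{"EventID": 3, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe", "DestinationHostname": "efficient-oil.auto.playit.gg", "DestinationPort": 55457}
"""

if __name__ == "__main__":
    for rule, detail in hunt(load_events(SAMPLE_EVENTS)):
        print(f"{rule:24} {detail}")
```

Run it as-is and six findings come back: the hash match, the attrib hide, the Startup .lnk, both suspicious Run values and the C2 connection; the SecurityHealth control entry produces nothing because its data points at a System32 executable. The Run-key check is deliberately narrower than "any Run value" (it keys on a %TEMP% executable or a .URL under the Templates folder, the two shapes this sample uses), so widen RUN_TARGET before reusing it against other njRAT builds.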
MITRE ATT&CK Matrix

Persistence: Registry Run Keys / Startup Folder
Defense Evasion: Modify Registry; Hidden Files and Directories
Discovery: System Information Discovery
Downloads

  • C:\Users\Admin\AppData\Local\Temp\Payload.exe
    MD5: c33318247f0f443ed1a25af2f9b76cf0
    SHA1: 30388f9d86200fec836bd2995f87a66c06cf3d9e
    SHA256: c20aa2c35db0a9c2f811241e8ed3e959c5f297c41f11f9ea4d59def9c3219a81
    SHA512: 6e5562964b36083bf5f5496262fb39b16a78c903e2729f2c982d5906482c33cc5725d14e00998de489f66b69e73c21af15fbc125297ca37cead472e8138b4557
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
    MD5: 9a8885b9a79d716f538335c30cd86b24
    SHA1: 5fd779d856102b05185fb9c96aa17af04e764a81
    SHA256: eb43addc6182010e1e01e61009e181a8af6bd70fbca9f01a82165dc486c56eb9
    SHA512: 28537a6cc0280d70c3eb298d05afadb67cd45710f2696fd42258dfb78fe8034bb2351e8fc1b79a9ee57f5b3306450bea03abacdb23b703d989b4b455dc1dd0e4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
    MD5: 68a7afc4f90089cbcf6fa62b167041dc
    SHA1: 71012753f0a901d1b248ce87b8330017844b6b50
    SHA256: b05da9dae25c4df3f5f10eb23d81f942378a0dd51ce83426067e7f9f8d4a08e4
    SHA512: b5ca8871b2a4908b4d0340735a1347cb968d058992b2ca433618645172b5b8844e20a612697c512b66f4f27d9ef8686f8927b6c114f720cc09c371b1b6d772e6

  • \Users\Admin\AppData\Local\Temp\Payload.exe
    MD5: c33318247f0f443ed1a25af2f9b76cf0
    SHA1: 30388f9d86200fec836bd2995f87a66c06cf3d9e
    SHA256: c20aa2c35db0a9c2f811241e8ed3e959c5f297c41f11f9ea4d59def9c3219a81
    SHA512: 6e5562964b36083bf5f5496262fb39b16a78c903e2729f2c982d5906482c33cc5725d14e00998de489f66b69e73c21af15fbc125297ca37cead472e8138b4557

  • memory/560-62-0x0000000001FB0000-0x0000000001FB1000-memory.dmp
  • memory/560-56-0x0000000000000000-mapping.dmp
  • memory/596-58-0x0000000000000000-mapping.dmp
  • memory/1380-53-0x0000000075241000-0x0000000075243000-memory.dmp
  • memory/1380-54-0x0000000000530000-0x0000000000531000-memory.dmp