Payload.bin

General

Target: Payload.bin.exe
Filesize: 27KB
Completed: 19-09-2021 22:34
Score: 10/10
MD5: c33318247f0f443ed1a25af2f9b76cf0
SHA1: 30388f9d86200fec836bd2995f87a66c06cf3d9e
SHA256: c20aa2c35db0a9c2f811241e8ed3e959c5f297c41f11f9ea4d59def9c3219a81

Malware Config

Extracted

Family: njrat
Version: v2.0
Botnet: HacKed
C2: efficient-oil.auto.playit.gg:55457

Attributes

reg_key: Windows
splitter: |-F-|
Signatures (9)

Tactics: Defense Evasion, Discovery, Persistence

  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

  • Executes dropped EXE
    Payload.exe

    Reported IOCs

    pid | process
    488 | Payload.exe
  • Drops startup file
    Payload.bin.exe, Payload.exe

    Reported IOCs

    description                  | ioc                                                                                      | process
    File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.bin.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe
  • Adds Run key to start application
    Payload.exe, Payload.bin.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description     | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | Payload.bin.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    Payload.exe

    Reported IOCs

    description                       | pid | process     | occurrences
    Token: SeDebugPrivilege           | 488 | Payload.exe | 1
    Token: 33                         | 488 | Payload.exe | 15
    Token: SeIncBasePriorityPrivilege | 488 | Payload.exe | 15
  • Suspicious use of WriteProcessMemory
    Payload.bin.exe

    Reported IOCs

    description                     | pid | process         | target process | occurrences
    PID 664 wrote to memory of 488  | 664 | Payload.bin.exe | Payload.exe    | 3
    PID 664 wrote to memory of 1104 | 664 | Payload.bin.exe | attrib.exe     | 3
  • Views/modifies file attributes
    attrib.exe

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pid  | process
    1104 | attrib.exe

Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\Payload.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Payload.bin.exe"
    Drops startup file
    Adds Run key to start application
    Suspicious use of WriteProcessMemory
    PID:664
    • C:\Users\Admin\AppData\Local\Temp\Payload.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
      Executes dropped EXE
      Drops startup file
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:488
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
      Views/modifies file attributes
      PID:1104

Network

MITRE ATT&CK Matrix

Columns: Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Payload.exe
    MD5: c33318247f0f443ed1a25af2f9b76cf0
    SHA1: 30388f9d86200fec836bd2995f87a66c06cf3d9e
    SHA256: c20aa2c35db0a9c2f811241e8ed3e959c5f297c41f11f9ea4d59def9c3219a81
    SHA512: 6e5562964b36083bf5f5496262fb39b16a78c903e2729f2c982d5906482c33cc5725d14e00998de489f66b69e73c21af15fbc125297ca37cead472e8138b4557

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
    MD5: ccc1eae983999b18b05cdc4a9d39d334
    SHA1: 7f42d03d9a6bc8cdcc25464c97d5e37097772493
    SHA256: f97ea25cffdfd921e7c81d80fcad6baa7918b643c24d010acfc65601db93e01a
    SHA512: b2bc86a732c148d38d8c721b469a2159f653c7fd534ab4e3b5fc515c393a8651742e17a872daad6b0c61f8e7cc509fb0881567ac165ba7bdc98697260f879a58

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
    MD5: 6e8424fdecfc98f2137488d080139a68
    SHA1: 727de20ac4b5717f0cc33b74499baa8949c5ef9a
    SHA256: 367ca209d93eb5a11e07266f051c2b8bcd3d1c6d347253952cc0e832d855a51b
    SHA512: f6eec81cabf8b458c16c9df9a2d48dd8d48dce81c857e1806a8d55229058c7d74df6d50f34087a9d1734237ee1a98b14f8bcf0a731cd801fb1ad196dcd7001c7

  • memory/488-115-0x0000000000000000-mapping.dmp
  • memory/488-121-0x0000000002430000-0x0000000002431000-memory.dmp
  • memory/664-114-0x0000000002C10000-0x0000000002C11000-memory.dmp
  • memory/1104-118-0x0000000000000000-mapping.dmp