Payload — Technical Analysis / Windows

Payload Ransomware (Windows)

1. Sample Identification

This is the Windows variant of the Payload ransomware family, companion to the ESXi/Linux version (bed8d175...). Compiled with MSVC, uses the Concurrency Runtime (Concurrency:: symbols), and makes extensive use of NT Native APIs resolved at runtime. Features AVX2/SSE2-optimized ChaCha20 encryption, Curve25519 key exchange, IOCP-based multi-threaded file processing, ETW patching, and self-deletion via NTFS ADS rename.

Imports (4 DLLs)

2. Infrastructure

The infrastructure is shared with the ESXi variant (same onion addresses), but per-victim credentials differ.

3. Ransom Note

Filename

RECOVER_payload.txt — written to every traversed directory via write_ransom_note @ 0x409EB5.

Encryption

The note content is stored as a base64-encoded, RC4-encrypted blob in .rdata (1896 bytes encrypted). The RC4 key is itself double-base64 encoded: - Outer: aFFFUElOdVRZMmx5dHVmTERwSlFkVmtyV2xvdkMxUVI= - Inner: hQEPINuTY2lytufLDpJQdVkrWlovC1QR (32-byte ASCII key)

Full Ransom Note

Welcome to Payload!

The next 72 hours will determine certain factors in the life of your company: 
the publication of the file tree, which we have done safely and unnoticed by all of you, 
and the publication of your company's full name on our luxurious blog.
NONE of this will happen if you contact us within this time frame and our negotiations are favorable.

We are giving you 240 hours to:
1. familiarize yourself with our terms and conditions,
2. begin negotiations with us,
3. and successfully conclude them.
The timer may be extended if we deem it necessary (only in the upward direction).
Once the timer expires, all your information will be posted on our blog.

ATTENTION!
Contacting authorities, recovery agencies, etc. WILL NOT HELP YOU!
At best, you will waste your money and lose some of your files, which they will carefully take to restore!
You should also NOT turn off, restart, or put your computer to sleep.
In the future, such mistakes can make the situation more expensive and the files will not be restored!
We DO NOT recommend doing anything with the files, as this will make it difficult to recover them later!

When contacting us:
you can request up to 3 files from the file tree, 
you can request up to 3 encrypted files up to 15 megabytes 
so that we can decrypt them and you understand that we can do it.

First, you should install Tor Browser:
1. Open: https://www.torproject.org/download
2. Choose your OS and select it
3. Run installer
4. Enjoy!

In countries where tor is prohibited, we recommend using bridges, 
which you can take: https://bridges.torproject.org/

You can read:
http://payloadrz5yw227brtbvdqpnlhq3rdcdekdnn3rgucbcdeawq2v6vuyd.onion (Tor)

To start negotiations, go to http://payloadynyvabjacbun4uwhmxc7yvdzorycslzmnleguxjn7glahsvqd.onion and login:
User: [SNIP]
Password: [SNIP]

Your ID to verify: [SNIP]

4. Execution Flow

main @ 0x40A9C7 (0x5A6 bytes)

1.  resolve_nt_native_apis()                  → NtCreateFile, NtReadFile, NtWriteFile, etc.
2.  resolve_wow64_apis()                      → Wow64DisableWow64FsRedirection
3.  Parse CLI arguments:
    --log           → enable logging to \\?\C:\payload.log
    --p <path>      → target specific path
    --algo <name>   → force AVX2/SSE2/default
    --threads <n>   → override thread count
    --background    → run as detached background process
    --m             → skip mutex check
    --n             → skip ransom note writing
    --d             → skip auto-deletion (self-delete)
    --k             → skip process/service killing
    --s             → skip something (unused?)
    --bypass-etw    → patch ETW functions in ntdll
    --l             → delete logs
    --i             → ignore all file extension filters
4.  CreateMutexW("MakeAmericaGreatAgain")     → single instance
5.  If not --background:
    a. Re-launch self with --background flag  → detached execution
6.  If --background:
    a. If --bypass-etw: patch_etw_functions()
    b. pre_encryption_setup()
    c. encryption_orchestrator()
7.  ReleaseMutex → exit

pre_encryption_setup @ 0x40A855

1.  open_log_file()                           → \\?\C:\payload.log via NtCreateFile
2.  SetProcessShutdownParameters(0, 0)        → last to shut down
3.  SHEmptyRecycleBinA(NULL, NULL, 7)         → empty recycle bin silently
4.  If NOT --k:
    a. delete_shadow_copies()                 → vssadmin delete shadows
    b. kill_services()                        → 44 services stopped
    c. kill_processes()                       → 31 processes terminated
5.  If NOT --n: write_ransom_note()           → RECOVER_payload.txt
6.  If NOT --d: self_delete_via_ads_rename()  → NTFS ADS rename trick

encryption_orchestrator @ 0x40A22C (0x628 bytes)

1.  Decode embedded Curve25519 public key (base64 → 32 bytes)
2.  Validate pubkey length >= 32 bytes
3.  cpuid_detect_features()                   → check AVX2/SSE2
4.  Select ChaCha20 implementation:
    - AVX2:    chacha20_block_avx2    @ 0x402C2E (4619 bytes)
    - SSE2:    chacha20_block_sse2    @ 0x401DBD (3596 bytes)
    - Scalar:  chacha20_block_scalar  @ 0x401992 (1067 bytes)
5.  Thread count = CLI --threads or GetLogicalProcessorInformation
6.  Queue size = 4 * cpu_cores (min 2)
7.  CreateIoCompletionPort()
8.  Spawn 2 * cpu_cores worker threads (iocp_worker_thread)
9.  If --p: encrypt specific path
    Else: enumerate_drives() → recursive_file_traversal() per drive
10. Wait for all workers to complete
11. PostQueuedCompletionStatus(NULL) × workers → signal shutdown
12. Join all threads

5. Encryption System

Architecture

encryption_orchestrator
├── Decode Curve25519 pubkey from base64
├── CPUID → select ChaCha20 variant (AVX2 / SSE2 / scalar)
├── CreateIoCompletionPort
├── Spawn 2*N worker threads
│   └── iocp_worker_thread @ 0x40A1A2
│       └── GetQueuedCompletionStatus (infinite wait)
│           └── encrypt_single_file @ 0x40946F
├── enumerate_drives (A:-Z: via NT API)
│   └── recursive_file_traversal @ 0x4099C0
│       ├── Skip "." and ".."
│       ├── Skip directories in exclusion list
│       ├── Skip files matching ransom note name
│       ├── Skip files with excluded extensions
│       ├── Skip files matching whitelisted extensions
│       ├── Rate-limit: SwitchToThread if queue full
│       └── PostQueuedCompletionStatus (file path)
└── Wait → signal workers → cleanup

encrypt_single_file @ 0x40946F (0x551 bytes)

1.  NtCreateFile(path, GENERIC_READ|WRITE|DELETE|SYNCHRONIZE)
2.  NtQueryInformationFile → get file size
3.  LockFileEx(EXCLUSIVE)
4.  CryptGenRandom(32) → ephemeral ChaCha20 key
5.  CryptGenRandom(12) → ChaCha20 nonce
6.  Clamp key for X25519: key[0] &= 0xF8, key[31] = (key[31] & 0x3F) | 0x40
7.  x25519_scalar_mult(ephemeral_key, basepoint_9) → ephemeral public key
8.  x25519_scalar_mult(ephemeral_key, master_pubkey) → shared secret
9.  Intermittent encryption:
    - Files <= 2 GB: encrypt entirely
    - Files > 2 GB: encrypt 1/5 of file (sparse blocks)
10. Read in 1 MB (0x100000) chunks → ChaCha20 XOR → write back (in-place)
11. Write footer:
    - "payload" marker (7 bytes)
    - RC4-encrypted metadata (56 bytes: ephemeral pubkey + nonce)
12. Rename file with .payload extension
13. UnlockFileEx → NtClose
14. Wipe key material from stack

Crypto Primitives

Key Material

ChaCha20 Identification

Confirmed by quarter-round rotation constants at 0x401A91: - ROL 16, ROL 12, ROL 8, ROL 7 → ChaCha20 (Salsa20 uses 7, 9, 13, 18) - 10 double-rounds (20 rounds total) - 64-byte output blocks - "expand 32-byte k" sigma constant

Encryption Strategy

• Threshold: Files > 2 GB get intermittent encryption (1/5 of file)
• Block size: 1 MB read/write chunks
• Footer: 7-byte marker "payload" + 56-byte RC4-encrypted session data
• Extension: .payload
• In-place: file content overwritten, no temp files

File Metadata Footer (63 bytes)

[original file data (partially encrypted)]
["payload" marker — 7 bytes]
[RC4-encrypted metadata — 56 bytes: ephemeral X25519 public key (32B) + nonce (12B) + padding (12B)]

6. File Targeting

Directory Exclusion List (18 directories)

File Exclusion List (27 filenames)

autorun.inf, boot.ini, bootfont.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db, ntuser.dat.log1, ntuser.dat.log2, pagefile.sys, hiberfil.sys, swapfile.sys, recovery.ini, boot.sdi, setup.ini, config.sys, system.ini, win.ini, ntbootdd.sys, bootstat.dat

Extension Whitelist (55 extensions skipped)

.exe, .dll, .dll.mui, .sys, .drv, .efi, .cpl, .ocx, .ax, .mui, .msc, .bat, .cmd, .ps1, .ps1w, .psm1, .psd1, .vbs, .js, .jse, .wsf, .wsh, .ini, .inf, .reg, .admx, .adml, .xml, .theme, .desktheme, .dat, .log, .log1, .log2, .evtx, .sav, .tmp, .vsidx, .regtrans-ms, .blf, .lnk, .url, .library-ms, .search-ms, .searchconnector-ms, .ttf, .otf, .fon, .fnt, .wim, .vhd, .vhdx, .bcd, .sdi, .boot, .cur, .ani

These are system/script/font/boot files — the ransomware avoids encrypting them to keep the OS bootable.

7. Recovery Inhibition

Shadow Copy Deletion — delete_shadow_copies @ 0x40A158

ShellExecuteW(NULL, "open", "cmd.exe", "/c vssadmin.exe delete shadows /all /quiet", NULL, SW_HIDE);

Uses Wow64DisableWow64FsRedirection before and Wow64RevertWow64FsRedirection after to ensure the 64-bit vssadmin.exe is invoked even from a WoW64 process.

Recycle Bin Emptying

SHEmptyRecycleBinA(NULL, NULL, SHERB_NOCONFIRMATION | SHERB_NOPROGRESSUI | SHERB_NOSOUND);

8. Services Killed (44)

Implementation at kill_services @ 0x40C04D: opens SCManager with full access, iterates service list, enumerates and stops dependent services first, then stops each service with a 30-second timeout.

9. Processes Killed (31)

Implementation at kill_processes @ 0x40C29C: CreateToolhelp32Snapshot → Process32FirstW/NextW → TerminateProcess(pid, 9).

10. Persistence & Evasion

ETW Bypass — patch_etw_functions @ 0x4092D2

Patches 4 ETW functions in ntdll.dll to disable Event Tracing for Windows: - EtwEventWrite - EtwEventWriteFull - EtwEventWriteTransfer - EtwRegister

For each function: 1. GetModuleHandleA("ntdll.dll") → GetProcAddress(func_name) 2. VirtualProtect(PAGE_EXECUTE_READWRITE) 3. Write return stub: - WoW64 (32-bit on 64-bit): 0xC3C3C3C8 (4 bytes) - Native x86: 0x14C2C033 → xor eax, eax; ret 0x14 4. VirtualProtect (restore original protection) 5. FlushInstructionCache

Self-Deletion via ADS Rename — self_delete_via_ads_rename @ 0x405C7A

1. GetModuleFileNameW → own executable path
2. CreateFileW(DELETE|SYNCHRONIZE)
3. SetFileInformationByHandle(FileRenameInfo) → rename to :payload (NTFS Alternate Data Stream)
4. CloseHandle
5. CreateFileW again (now named :payload)
6. SetFileInformationByHandle(FileDispositionInfo, DELETE) → mark for deletion
7. CloseHandle → file is deleted on close

This technique bypasses file locks because the rename happens while the process is still running.

NT Native API Usage — resolve_nt_native_apis @ 0x408D0F

All file I/O is performed via NT native APIs resolved from ntdll.dll at runtime:

This bypasses user-mode API hooks from security products that only hook kernel32/kernelbase.

Mutex

MakeAmericaGreatAgain — prevents multiple instances. The --m flag disables this check.

Background Re-launch

If not started with --background, the ransomware re-launches itself with the --background flag for detached execution, then the parent exits.

Shutdown Priority

SetProcessShutdownParameters(0, 0) — ensures the process is the last to be shut down during system shutdown.

11. CLI Arguments

12. IOCs

Hashes

Network

Files

Mutex

MakeAmericaGreatAgain

Curve25519 Public Key

687f536dd73ea8f71090fc2172568d60569d845d381b3b86b2e4710db28c4645

Distinctive Strings

• "MakeAmericaGreatAgain" (mutex name)
• "expand 32-byte k" (ChaCha20 constant)
• "payload" (file footer marker)
• "FBI" (RC4 key for footer encryption)
• "RECOVER_payload.txt" (note filename)
• "SIZE OF PUBKEY IS LOWER THAN NEED (32)" (pubkey validation)
• "[CPU] AVX2 found" / "[CPU] SSE2 found" (CPU feature logging)
• "[Mutex] locker running.." (instance check)
• "bypass-etw" (CLI flag for ETW patching)

13. MITRE ATT&CK Techniques

14. Comparison: Windows vs ESXi Variant

15. Summary

Payload (Windows) is a sophisticated, MSVC-compiled ransomware targeting Windows workstations and servers. It implements a Curve25519 + ChaCha20 hybrid encryption scheme with IOCP-based multi-threading and three CPU-optimized cipher paths (AVX2, SSE2, scalar). The binary uses NT native APIs for all file operations to bypass user-mode hooks, features ETW patching to blind EDR telemetry, and employs NTFS ADS rename for self-deletion. Recovery is inhibited through shadow copy deletion, recycle bin emptying, and aggressive service/process termination targeting backup, database, and office applications.

The same actor operates both a Windows and ESXi/Linux variant sharing identical infrastructure, encryption architecture (Curve25519 + ChaCha20 + RC4 "FBI"), and ransom note template. The Windows variant is significantly more complex (385 KB vs 39 KB, 2329 vs 180 functions) with additional evasion and anti-forensic capabilities.