play | 757524b09e5d4f2399172c4ac0f6996ec34dec90110542973d438d5370aff280

General

Target

SD.exe
Size

501KB
MD5

6ea4b9b0ad0692892f6e4f1b4f05aa72
SHA1

3bb50ceeaa8a698687863dd44e149214d4372601
SHA256

757524b09e5d4f2399172c4ac0f6996ec34dec90110542973d438d5370aff280
SHA512

f5d603cabcf98193eb569d012a1434963a995d508f0580008b6463454bdd1fe02610e3797d2b28ef5f551d6d281a9d5b12efdad9bd6cdb51a796e4c077821e48
SSDEEP

6144:bouXuOPQveEDZSBdapQD0QYa5N2eAAHIbzAW1+SM/VyojODUSN:UiAmEQuQp7wbzd9JojMUSN

Score

10^/10

play ransomware spyware stealer

Malware Config

Signatures

PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
ransomware play

Modifies extensions of user files 24 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

SD.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\JoinOut.tiff	SD.exe
File renamed	C:\Users\Admin\Pictures\ExitSelect.crw => C:\Users\Admin\Pictures\ExitSelect.crw.PLAY	SD.exe
File renamed	C:\Users\Admin\Pictures\PopSearch.tif => C:\Users\Admin\Pictures\PopSearch.tif.PLAY	SD.exe
File opened for modification	C:\Users\Admin\Pictures\AddMove.crw.PLAY	SD.exe
File opened for modification	C:\Users\Admin\Pictures\HideInitialize.png.PLAY	SD.exe
File renamed	C:\Users\Admin\Pictures\AddMove.crw => C:\Users\Admin\Pictures\AddMove.crw.PLAY	SD.exe
File renamed	C:\Users\Admin\Pictures\SplitReset.raw => C:\Users\Admin\Pictures\SplitReset.raw.PLAY	SD.exe
File opened for modification	C:\Users\Admin\Pictures\ExitSelect.crw.PLAY	SD.exe
File opened for modification	C:\Users\Admin\Pictures\GroupSuspend.crw.PLAY	SD.exe
File opened for modification	C:\Users\Admin\Pictures\PopSearch.tif.PLAY	SD.exe
File opened for modification	C:\Users\Admin\Pictures\SplitReset.raw.PLAY	SD.exe
File opened for modification	C:\Users\Admin\Pictures\TestStart.crw.PLAY	SD.exe
File renamed	C:\Users\Admin\Pictures\GroupSuspend.crw => C:\Users\Admin\Pictures\GroupSuspend.crw.PLAY	SD.exe
File renamed	C:\Users\Admin\Pictures\JoinHide.crw => C:\Users\Admin\Pictures\JoinHide.crw.PLAY	SD.exe
File renamed	C:\Users\Admin\Pictures\JoinOut.tiff => C:\Users\Admin\Pictures\JoinOut.tiff.PLAY	SD.exe
File renamed	C:\Users\Admin\Pictures\TestStart.crw => C:\Users\Admin\Pictures\TestStart.crw.PLAY	SD.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterBlock.tiff.PLAY	SD.exe
File opened for modification	C:\Users\Admin\Pictures\JoinHide.crw.PLAY	SD.exe
File opened for modification	C:\Users\Admin\Pictures\JoinOut.tiff.PLAY	SD.exe
File renamed	C:\Users\Admin\Pictures\ExpandInstall.raw => C:\Users\Admin\Pictures\ExpandInstall.raw.PLAY	SD.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterBlock.tiff	SD.exe
File renamed	C:\Users\Admin\Pictures\RegisterBlock.tiff => C:\Users\Admin\Pictures\RegisterBlock.tiff.PLAY	SD.exe
File renamed	C:\Users\Admin\Pictures\HideInitialize.png => C:\Users\Admin\Pictures\HideInitialize.png.PLAY	SD.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandInstall.raw.PLAY	SD.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 39 IoCs

Processes:

SD.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	SD.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	SD.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	SD.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	SD.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	SD.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	SD.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	SD.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	SD.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	SD.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	SD.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	SD.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	SD.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	SD.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	SD.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	SD.exe
File opened for modification	C:\Program Files\desktop.ini	SD.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	SD.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	SD.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	SD.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	SD.exe
File opened for modification	C:\Users\Public\desktop.ini	SD.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	SD.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	SD.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	SD.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	SD.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	SD.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	SD.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	SD.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	SD.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	SD.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	SD.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	SD.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\desktop.ini	SD.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	SD.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	SD.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	SD.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	SD.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	SD.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SD.exe

description	ioc	process
File opened (read-only)	\??\R:	SD.exe
File opened (read-only)	\??\T:	SD.exe
File opened (read-only)	\??\X:	SD.exe
File opened (read-only)	\??\Y:	SD.exe
File opened (read-only)	\??\E:	SD.exe
File opened (read-only)	\??\L:	SD.exe
File opened (read-only)	\??\O:	SD.exe
File opened (read-only)	\??\S:	SD.exe
File opened (read-only)	\??\Z:	SD.exe
File opened (read-only)	\??\A:	SD.exe
File opened (read-only)	\??\G:	SD.exe
File opened (read-only)	\??\H:	SD.exe
File opened (read-only)	\??\K:	SD.exe
File opened (read-only)	\??\Q:	SD.exe
File opened (read-only)	\??\N:	SD.exe
File opened (read-only)	\??\P:	SD.exe
File opened (read-only)	\??\U:	SD.exe
File opened (read-only)	\??\B:	SD.exe
File opened (read-only)	\??\F:	SD.exe
File opened (read-only)	\??\I:	SD.exe
File opened (read-only)	\??\J:	SD.exe
File opened (read-only)	\??\M:	SD.exe
File opened (read-only)	\??\V:	SD.exe
File opened (read-only)	\??\W:	SD.exe

Drops file in Program Files directory 64 IoCs

Processes:

SD.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Berlin.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21309_.GIF	SD.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CDLMSO.DLL.PLAY	SD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	SD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete	SD.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png	SD.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\it-IT\TableTextService.dll.mui	SD.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\THMBNAIL.PNG.PLAY	SD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt_3.103.1.v20140903-1938.jar.PLAY	SD.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Halifax.PLAY	SD.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png	SD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02390_.WMF	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Process Library.fdt	SD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDXFile_8.ico	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SPRNG_01.MID	SD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORYVERT.XML.PLAY	SD.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Shorthand.jtp	SD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-search.jar.PLAY	SD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar.PLAY	SD.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151055.WMF.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml.PLAY	SD.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	SD.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG	SD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml	SD.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\adcvbs.inc	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ALERT.ICO	SD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_ja.jar.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\PREVIEW.GIF.PLAY	SD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01572_.WMF.PLAY	SD.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL	SD.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\gadget.xml	SD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\RE00006_.WMF	SD.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt.PLAY	SD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boise.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBTRAP.DLL.PLAY	SD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEES.DLL.PLAY	SD.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui	SD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar	SD.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png	SD.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_Off.png	SD.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\install.ins.PLAY	SD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\PREVIEW.GIF.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_F_COL.HXK.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR44F.GIF.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Classic.dotx.PLAY	SD.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado25.tlb	SD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties	SD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository_1.1.300.v20131211-1531.jar	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.PL.XML	SD.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.DLL	SD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00414_.WMF.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00390_.WMF.PLAY	SD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis.css.PLAY	SD.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

30116 NOTEPAD.EXE

pid	process
30116	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	29480	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	29480	AUDIODG.EXE
Token: 33	29480	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	29480	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\SD.exe
"C:\Users\Admin\AppData\Local\Temp\SD.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:364

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:26012

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:29480

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\ReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:30116

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\desktop.ini
Filesize
1KB

MD5
9df2ccae3593a0be06dcba23b0b4162a

SHA1
095f489c9668ddcde52afe70810305e9544485f1

SHA256
d1fc8b505e987a0bf5f77b3491a11407d74f7b41dd52bcf0c7d0bc55ee9c720f

SHA512
4f693c0698581ae1763b30666bb686a115cf543889033c85d78efdbb62819ca73ee230e10305831ed7367b89bd618f9d8a8fc5b825433f23ec7e465f720872c6

Download Submit
C:\ReadMe.txt
Filesize
189B

MD5
5c6d1613b1284e259f9306368916f86e

SHA1
c166667e416550eeedb5c9fcbd93fa2eb9bd22a4

SHA256
9212f61ce437e9c02848047951bd52f726c725bfcd8f77da26b02ba681781c89

SHA512
a30776f862eada5eb04c1b6d52009479f43b26d7575761307760ed251e3b126e5e9d3022bd4c4d5afe175d705d3be0a237918144265f980dcbd5962ceb6f2477

Download Submit
memory/364-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/364-55-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/26012-57-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads