Analysis
-
max time kernel
633s -
max time network
557s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
29-11-2022 14:25
Static task
static1
Behavioral task
behavioral1
Sample
ccv.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
ccv.exe
Resource
win10v2004-20220812-en
General
-
Target
ccv.exe
-
Size
224KB
-
MD5
d9b46196ec37fbc6acc3bd81442311bf
-
SHA1
4ad109947b469ebe71f0f73c2acadcb4ba84be43
-
SHA256
7bbfff4ecb5beaf20c8204be267776270daefb6eb0197c76649182350772162c
-
SHA512
3cca8a67a301132b31ad79ffe225d678a9d1837b02a845813a1feb621d3bb5bbe64f9ec4d99345df314450c575858291e49db5f2de73dcf2064167f45d338659
-
SSDEEP
6144:+pSnrXZU82f3e0UbqwOR0ORGIQf5EtoKs:hrpUFfXUmwqQZ5EtoN
Malware Config
Signatures
-
PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
-
Modifies extensions of user files 19 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: ccv.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\HideOut.raw => C:\Users\Admin\Pictures\HideOut.raw.PLAY | ccv.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertSave.tif.PLAY | ccv.exe
File opened for modification | C:\Users\Admin\Pictures\RenameStep.tif.PLAY | ccv.exe
File opened for modification | C:\Users\Admin\Pictures\StartSubmit.png.PLAY | ccv.exe
File opened for modification | C:\Users\Admin\Pictures\UpdatePublish.png.PLAY | ccv.exe
File renamed | C:\Users\Admin\Pictures\ConvertSave.tif => C:\Users\Admin\Pictures\ConvertSave.tif.PLAY | ccv.exe
File renamed | C:\Users\Admin\Pictures\TraceRevoke.png => C:\Users\Admin\Pictures\TraceRevoke.png.PLAY | ccv.exe
File renamed | C:\Users\Admin\Pictures\RedoBackup.crw => C:\Users\Admin\Pictures\RedoBackup.crw.PLAY | ccv.exe
File renamed | C:\Users\Admin\Pictures\AddPublish.tiff => C:\Users\Admin\Pictures\AddPublish.tiff.PLAY | ccv.exe
File renamed | C:\Users\Admin\Pictures\UpdatePublish.png => C:\Users\Admin\Pictures\UpdatePublish.png.PLAY | ccv.exe
File renamed | C:\Users\Admin\Pictures\StartSubmit.png => C:\Users\Admin\Pictures\StartSubmit.png.PLAY | ccv.exe
File opened for modification | C:\Users\Admin\Pictures\AddPublish.tiff.PLAY | ccv.exe
File opened for modification | C:\Users\Admin\Pictures\RedoBackup.crw.PLAY | ccv.exe
File opened for modification | C:\Users\Admin\Pictures\TraceRevoke.png.PLAY | ccv.exe
File opened for modification | C:\Users\Admin\Pictures\AddPublish.tiff | ccv.exe
File renamed | C:\Users\Admin\Pictures\RenameStep.tif => C:\Users\Admin\Pictures\RenameStep.tif.PLAY | ccv.exe
File renamed | C:\Users\Admin\Pictures\RepairImport.raw => C:\Users\Admin\Pictures\RepairImport.raw.PLAY | ccv.exe
File opened for modification | C:\Users\Admin\Pictures\HideOut.raw.PLAY | ccv.exe
File opened for modification | C:\Users\Admin\Pictures\RepairImport.raw.PLAY | ccv.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 29 IoCs
Processes: ccv.exe
description | ioc | process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\desktop.ini | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | ccv.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | ccv.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | ccv.exe
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | ccv.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | ccv.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | ccv.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | ccv.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | ccv.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | ccv.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | ccv.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | ccv.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | ccv.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | ccv.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | ccv.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | ccv.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | ccv.exe
File opened for modification | C:\Program Files\desktop.ini | ccv.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | ccv.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | ccv.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | ccv.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | ccv.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | ccv.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | ccv.exe
File opened for modification | C:\Users\Public\desktop.ini | ccv.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | ccv.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | ccv.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | ccv.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | ccv.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ccv.exe
description | ioc | process
File opened (read-only) | \??\S: | ccv.exe
File opened (read-only) | \??\V: | ccv.exe
File opened (read-only) | \??\Z: | ccv.exe
File opened (read-only) | \??\H: | ccv.exe
File opened (read-only) | \??\M: | ccv.exe
File opened (read-only) | \??\G: | ccv.exe
File opened (read-only) | \??\J: | ccv.exe
File opened (read-only) | \??\P: | ccv.exe
File opened (read-only) | \??\R: | ccv.exe
File opened (read-only) | \??\W: | ccv.exe
File opened (read-only) | \??\X: | ccv.exe
File opened (read-only) | \??\E: | ccv.exe
File opened (read-only) | \??\F: | ccv.exe
File opened (read-only) | \??\L: | ccv.exe
File opened (read-only) | \??\N: | ccv.exe
File opened (read-only) | \??\O: | ccv.exe
File opened (read-only) | \??\Y: | ccv.exe
File opened (read-only) | \??\A: | ccv.exe
File opened (read-only) | \??\B: | ccv.exe
File opened (read-only) | \??\Q: | ccv.exe
File opened (read-only) | \??\T: | ccv.exe
File opened (read-only) | \??\U: | ccv.exe
File opened (read-only) | \??\I: | ccv.exe
File opened (read-only) | \??\K: | ccv.exe
-
Drops file in Program Files directory 64 IoCs
Processes: ccv.exe
description | ioc | process
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-125.png | ccv.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml.PLAY | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.PLAY | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql90.xsl.PLAY | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vreg\proof.fr-fr.msi.16.fr-fr.vreg.dat.PLAY | ccv.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluDCFilesEmpty_180x180.svg.PLAY | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-60_altform-lightunplated.png | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-24.png | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-72_altform-lightunplated.png | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.PLAY | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.PLAY | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\SmallTile.scale-100_contrast-black.png | ccv.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.PLAY | ccv.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\ui-strings.js.PLAY | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-256_altform-unplated.png | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vreg\powerview.x-none.msi.16.x-none.vreg.dat | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteLargeTile.scale-400.png | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\photo-shim.png | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png | ccv.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms.PLAY | ccv.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp.PLAY | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\BillingStatement.xltx | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-32_altform-unplated.png | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailWideTile.scale-400.png | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\SmallTile.scale-200.png | ccv.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\Add-Numbers.ps1 | ccv.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js.PLAY | ccv.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-200_contrast-white.png | ccv.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\ui-strings.js | ccv.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml.PLAY | ccv.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\Welcome.html.PLAY | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ppd.xrm-ms | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OFFSYML.TTF | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyView.scale-125.png | ccv.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.Tests.ps1 | ccv.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldBeLessThan.snippets.ps1xml | ccv.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml.PLAY | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBEUIINTL.DLL.PLAY | ccv.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\9.jpg | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\FreeCell.Medium.png | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-30_altform-lightunplated.png | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Login.m4a | ccv.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\MSVCR110.DLL | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SpotlightCalendar_2017-03.gif | ccv.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress-indeterminate.gif | ccv.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-disabled_32.svg.PLAY | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLL | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\WebBlendsControl.xaml | ccv.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\office.odf | ccv.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\edit_pdf_poster2x.jpg | ccv.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar.PLAY | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.PLAY | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms.PLAY | ccv.exe
File opened for modification | C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\THMBNAIL.PNG.PLAY | ccv.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\ui-strings.js.PLAY | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE.PLAY | ccv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL | ccv.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Downloads
-
C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\desktop.ini
Filesize
1KB
MD5
8504b945afc27ad62230d54e2e13237d
SHA1
935900b06b38378d1df64be12dfa64156fc45832
SHA256
6682ac29efb3387ff5ebebe90576555ee80412ea325621bd676a242f786c9e67
SHA512
d13a19595de039ec1e70ef8c4c518edd78d542126fc4a67abdb958f7d5c16a854de8d6275005149101300ee79183f0ae67a20becb5661f8a58219f4f2b985e0a
-
memory/2416-132-0x0000000002140000-0x000000000216C000-memory.dmp
Filesize
176KB