play | dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a

General

Target

dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
Size

110KB
MD5

04910458c6338cd58027336c5a3e0f26
SHA1

4948cc434de62b14c6a92fb8d15f6355199dd7f2
SHA256

dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a
SHA512

845b63c7314013d7915b9d3a23bb433ea8f9f5df1331c010a5eecef2b8048cfd74b8eb1941a9792030e3d6958dee87b2fc1c792db61eab72749f9d41ac6cef18
SSDEEP

3072:WQARDoo8GKdimusNmZOGo0Y0O6E/y1G+GO8jr9+vUAyGLhsj:QuNShoGO5+ci7I

Score

10^/10

play ransomware spyware stealer

Malware Config

Signatures

PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
ransomware play

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\EnablePush.tiff	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File renamed	C:\Users\Admin\Pictures\EnablePush.tiff => C:\Users\Admin\Pictures\EnablePush.tiff.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File renamed	C:\Users\Admin\Pictures\SuspendTest.tif => C:\Users\Admin\Pictures\SuspendTest.tif.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File renamed	C:\Users\Admin\Pictures\DebugSelect.raw => C:\Users\Admin\Pictures\DebugSelect.raw.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File renamed	C:\Users\Admin\Pictures\UseStop.raw => C:\Users\Admin\Pictures\UseStop.raw.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File renamed	C:\Users\Admin\Pictures\ExitSync.crw => C:\Users\Admin\Pictures\ExitSync.crw.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File renamed	C:\Users\Admin\Pictures\SelectReceive.tif => C:\Users\Admin\Pictures\SelectReceive.tif.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 39 IoCs

Processes:

dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe

description	ioc	process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Public\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe

description	ioc	process
File opened (read-only)	\??\E:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\F:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\K:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\M:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\R:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\N:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\P:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\S:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\B:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\G:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\H:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\J:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\L:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\T:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\U:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\X:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\A:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\O:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\Q:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\W:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\Y:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\I:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\V:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\Z:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe

Drops file in Program Files directory 64 IoCs

Processes:

dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14882_.GIF	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Mendoza.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00014_.WMF.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00194_.WMF.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\logo.png	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107514.WMF	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188513.WMF	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107146.WMF.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18227_.WMF.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01474_.WMF	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis.css	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152884.WMF.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis.css.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL075.XML	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB9.BDR	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\settings.css	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178932.JPG.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\7.png	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\settings.css	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0228823.WMF.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749U.BMP.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\BOLDSTRI.ELM	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00914_.WMF	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue.css	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00269_.WMF	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10307_.GIF.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Rarotonga	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\WMPSideShowGadget.exe.mui	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01069_.WMF	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Paris.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNoteNames.gpd.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME04.CSS	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSVCR71.DLL	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Concourse.eftx.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\localizedStrings.js	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.FLT	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jakarta.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15019_.GIF	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_COL.HXT	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\currency.css	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\RSSFeeds.html	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_windy.png	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00021_.GIF	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00723_.WMF	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00688_.WMF.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLWVW.DLL.IDX_DLL.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE.PLAY	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe

C:\Users\Admin\AppData\Local\Temp\dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
"C:\Users\Admin\AppData\Local\Temp\dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:1704

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\desktop.ini
Filesize
1KB

MD5
3a61cd05c52f4cd1926b3dae893074bc

SHA1
920372bdedf2587e123f923bbfe9afaa08e710ac

SHA256
b11e670bccf01ef59cd1e550ea7e6ac843acae932c2783850e6900204a739689

SHA512
0bc8fdcedaf5176a04271903401b0d925232391d72ddfc5154496f187132ae0cb077f3162f610195ac50c4490c455a45908e1fe981d6898f95cfdda3331b497b

Download Submit
memory/1704-54-0x0000000000120000-0x000000000014C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads