play | dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a

General

Target

dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
Size

110KB
MD5

04910458c6338cd58027336c5a3e0f26
SHA1

4948cc434de62b14c6a92fb8d15f6355199dd7f2
SHA256

dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a
SHA512

845b63c7314013d7915b9d3a23bb433ea8f9f5df1331c010a5eecef2b8048cfd74b8eb1941a9792030e3d6958dee87b2fc1c792db61eab72749f9d41ac6cef18
SSDEEP

3072:WQARDoo8GKdimusNmZOGo0Y0O6E/y1G+GO8jr9+vUAyGLhsj:QuNShoGO5+ci7I

Score

10^/10

play ransomware

Malware Config

Signatures

PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
ransomware play

Drops desktop.ini file(s) 2 IoCs

Processes:

dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2548970870-3691742953-3895070203-1000\desktop.ini	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe

description	ioc	process
File opened (read-only)	\??\L:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\G:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\H:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\I:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\K:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\P:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\Q:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\W:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\A:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\Z:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\Y:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\F:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\N:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\S:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\T:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\U:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\X:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\B:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\J:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\M:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\O:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\R:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\V:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened (read-only)	\??\E:	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe

Drops file in Program Files directory 64 IoCs

Processes:

dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ppd.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ppd.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl.bat	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\de.pak	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\AppXManifest.xml	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-io.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCallbacks.h	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_ja.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\LINEAR_RGB.pf	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\resources.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\access-bridge-64.jar	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\Welcome.html	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms	dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe

C:\Users\Admin\AppData\Local\Temp\dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe
"C:\Users\Admin\AppData\Local\Temp\dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:4164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2548970870-3691742953-3895070203-1000\desktop.ini
Filesize
1KB

MD5
a38916fa4c40cdab77c59d16ffa3bf39

SHA1
f1416e54b6ef684955d548b1ff597058a024ec83

SHA256
eb0ce7228a4e3de3c095defc0b9b31bef239a5bda04b343bceecc3eea3f805af

SHA512
0be51d8261fefbd93e2f0cbc976196e57a1cefdc73eb2f07f0d7e85a1cb754a0639cadeefa9d7783db294f2bbe19cbec51bb210eb5303d03a309b918c6c2c064

Download Submit
memory/4164-133-0x0000000002BF0000-0x0000000002C1C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads