play | 9c7e55441fa5a460320dce5005358d820aec2386982fb3d77d52ce89b3d59744

General

Target

xxx.exe
Size

501KB
MD5

1f50fa0d0f6c295a5db3568e9f0684c2
SHA1

6219bd0d064c0fffa91166c498d937cf066ec05e
SHA256

9c7e55441fa5a460320dce5005358d820aec2386982fb3d77d52ce89b3d59744
SHA512

ceb5ca6b0e77ee6ce205b82cf44a5e1976b3e29b97af00933846422781e90e0be7d55f0eb77f19011707b48c64085ea3eb45abc45dacf1062ae426e3bfda59c9
SSDEEP

6144:NouXuOPQveEDZQdgepQD0QYa5N2uAAHIbzAW1+SM/V+z8HD7SN:iiAmE2VQpfwbzd9P8j7SN

Score

10^/10

play ransomware

Malware Config

Signatures

PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
ransomware play

Drops desktop.ini file(s) 13 IoCs

Processes:

xxx.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	xxx.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	xxx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	xxx.exe
File opened for modification	C:\Program Files\desktop.ini	xxx.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	xxx.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	xxx.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	xxx.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\desktop.ini	xxx.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	xxx.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	xxx.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	xxx.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	xxx.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

xxx.exe

description	ioc	process
File opened (read-only)	\??\G:	xxx.exe
File opened (read-only)	\??\U:	xxx.exe
File opened (read-only)	\??\J:	xxx.exe
File opened (read-only)	\??\K:	xxx.exe
File opened (read-only)	\??\M:	xxx.exe
File opened (read-only)	\??\B:	xxx.exe
File opened (read-only)	\??\E:	xxx.exe
File opened (read-only)	\??\F:	xxx.exe
File opened (read-only)	\??\H:	xxx.exe
File opened (read-only)	\??\I:	xxx.exe
File opened (read-only)	\??\N:	xxx.exe
File opened (read-only)	\??\Q:	xxx.exe
File opened (read-only)	\??\R:	xxx.exe
File opened (read-only)	\??\Z:	xxx.exe
File opened (read-only)	\??\L:	xxx.exe
File opened (read-only)	\??\O:	xxx.exe
File opened (read-only)	\??\P:	xxx.exe
File opened (read-only)	\??\S:	xxx.exe
File opened (read-only)	\??\X:	xxx.exe
File opened (read-only)	\??\A:	xxx.exe
File opened (read-only)	\??\T:	xxx.exe
File opened (read-only)	\??\V:	xxx.exe
File opened (read-only)	\??\W:	xxx.exe
File opened (read-only)	\??\Y:	xxx.exe

Drops file in Program Files directory 64 IoCs

Processes:

xxx.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	xxx.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086384.WMF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115844.GIF	xxx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar	xxx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png	xxx.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png	xxx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\javaws.jar	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01745_.GIF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15274_.GIF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_F_COL.HXK	xxx.exe
File opened for modification	C:\Program Files\Common Files\Services\verisign.bmp	xxx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png	xxx.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\PHONE.XML	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02039_.GIF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14595_.GIF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_COL.HXC	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPORTL.ICO	xxx.exe
File opened for modification	C:\Program Files\Java\jre7\lib\flavormap.properties	xxx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382930.JPG	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01268_.GIF	xxx.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsource.ax	xxx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil	xxx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thule	xxx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04196_.WMF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0280468.WMF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251925.WMF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297185.WMF	xxx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf	xxx.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	xxx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00261_.WMF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01746_.GIF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR39F.GIF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPLTMPL.CFG	xxx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png	xxx.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\STUDIO.ELM	xxx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02055_.GIF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEML.ICO	xxx.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui	xxx.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08868_.WMF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00222_.WMF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Adobe.css	xxx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar	xxx.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Cordoba	xxx.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\WMPDMC.exe.mui	xxx.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\SONORA.INF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105502.WMF	xxx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18192_.WMF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as80.xsl	xxx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kiev	xxx.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03236_.WMF	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART1.BDR	xxx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	xxx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey	xxx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar	xxx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099169.WMF	xxx.exe

C:\Users\Admin\AppData\Local\Temp\xxx.exe
"C:\Users\Admin\AppData\Local\Temp\xxx.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:1316

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\desktop.ini
Filesize
1KB

MD5
3f0324e754c3ee3bff9092918cc7eafc

SHA1
754d175125d089f34d083d82de38fd1332e29d27

SHA256
bd03b6bee21f28f8ecaa5dbfabaa43503bb3a18601553320be7fb3a042172b4f

SHA512
7c7c0d6dfae1387f0f642bba66057084123f5f83a2a257248b8f8c35d8da9cac4fab1a7f237492150876a37dd90c9124858cd2a65c1ef12b4dc412dc27723d61

Download Submit
memory/1316-54-0x0000000000170000-0x000000000019C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads