Overview

overview

10

Static

static

3

xxx.exe

windows7-x64

10

xxx.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2023 22:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xxx.exe

  • Size

    501KB

  • MD5

    1f50fa0d0f6c295a5db3568e9f0684c2

  • SHA1

    6219bd0d064c0fffa91166c498d937cf066ec05e

  • SHA256

    9c7e55441fa5a460320dce5005358d820aec2386982fb3d77d52ce89b3d59744

  • SHA512

    ceb5ca6b0e77ee6ce205b82cf44a5e1976b3e29b97af00933846422781e90e0be7d55f0eb77f19011707b48c64085ea3eb45abc45dacf1062ae426e3bfda59c9

  • SSDEEP

    6144:NouXuOPQveEDZQdgepQD0QYa5N2uAAHIbzAW1+SM/V+z8HD7SN:iiAmE2VQpfwbzd9P8j7SN

Score
10/10
playransomwarespywarestealer

Malware Config

Signatures

  • PLAY Ransomware, PlayCrypt

    Ransomware family first seen in mid 2022.

    ransomwareplay
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 29 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\xxx.exe
    "C:\Users\Admin\AppData\Local\Temp\xxx.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-144354903-2550862337-1367551827-1000\desktop.ini
    Filesize

    1KB

    MD5

    37196d593d32a3b588fb483c87b1300a

    SHA1

    af91e036504204abf7d6c54d6a4da35daf625c96

    SHA256

    909bcec257e4add3bab5ae34cb73011dd1669474d6f5e16b0458bbd96e15e97a

    SHA512

    df8fffbc459070c76d7a0f32507f7121e451e14a88b878115f2361167bd095a59698abbf21fa35b980cbcf0dbe6eaa6fcdcd858010236082cc24ebf69058d26d

    Download Submit
  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp.PLAY
    Filesize

    135.1MB

    MD5

    e92d6bd627bc0a6ca99ef796e4e53352

    SHA1

    4cf602c4253d22e36abefe7e1355b1c8170b21b2

    SHA256

    7841e0edffbc9dcbb63ca76d32270b6ccbeff1eedafd43e444f080e4f4eda483

    SHA512

    345a3a9fb1f6220d7b9969f39770e89f23a9f2624171cc2586d7f77e166fecb257813cc862635617fadf7045961c62cb3ecf819b043f239e2e37e15871d6590a

    Download Submit
  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.PLAY
    Filesize

    124.6MB

    MD5

    7f3f6a044d257c83437f6dbb45fb780b

    SHA1

    4bb28e7f58002268cbf469cbf077ee1888caf3b2

    SHA256

    bb8f44454b20cf7f2afe0297fc2976672113c615c23de379342b9286de70ac56

    SHA512

    f37ec68f6b6548689b665be64e38496766a59918847804104ee60b4159444e2c58b761c947a4267f7a58988633cdf8b69a53b8aa10f9e4589f07e89086440234

    Download Submit
  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.PLAY
    Filesize

    1KB

    MD5

    674df863481a8bcfa8855701f1e51172

    SHA1

    2fb962f43c901eff82886ba2eca9965010ce9d0c

    SHA256

    477340a6e1148bab9935cb99071c206fb1f3db7ea6ec85b872131a0f29271146

    SHA512

    eca3e66a5c30450be114e485338df840fea770aa014b4350514d21a58e129497ca9ccb94df3b4599c1e27860787fef2b365f02a4034bb53c58887998a3640252

    Download Submit
  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.PLAY
    Filesize

    1KB

    MD5

    5d53c80980e725a8d5a4877519fe161d

    SHA1

    02c64bcbf514bc7e8a5d03f2dd6ef43f0baf34e3

    SHA256

    5bcde0536e9ddd4e07cd6f09e5f6da4d2d76be2d8d1189589150b6a677ab0f24

    SHA512

    7c7c91c42945384ad5d99b92a0290f3f94dfd0ba3cbf21086439cae2e3e7cb4e6d4f1693b4dbc4016589fa8386c232650cdb8a42f9f35430c5718c0fc96ef85b

    Download Submit
  • C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.PLAY
    Filesize

    1KB

    MD5

    23e335f3c3740dac683d2f73a8bbd55c

    SHA1

    51165da6b3ba78da6a0de40e395a18834f32cb6e

    SHA256

    440fcec71aeb152aebf173742db8b9c5cbf87469f303b8fcb116879d372c4fb2

    SHA512

    4e0de159bc04026cc47aa6f371311249ff70b0fcc9a154d1a43f0ef35fde8b2ffc2628fc761d8f93ec5938b99d38cac65f014767e1dd3b8f1372d7ac5c96d46d

    Download Submit
  • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY
    Filesize

    1KB

    MD5

    faa1bdd4a0d5029bfd4ae0edc65c40cb

    SHA1

    88968234db1926c74c7faaaf0307c17bd372d174

    SHA256

    76decabd0f7d93c40839ef80cb7a29d0879728de3c6fc3bae394545e713c0ad2

    SHA512

    112f9a147aaeb40fdbf0c20b53148c27804f7e30e75bc16b9a3708a5d9f7e86dfc8d6ea15fdc150d4ce2d1230a5e8237981b5bdf1a67e23aba8496b17eafe5c2

    Download Submit
  • C:\ProgramData\Oracle\Java\installcache_x64\baseimagefam8.PLAY
    Filesize

    78.7MB

    MD5

    256f267d4fcf4790ef8e8dfb2bbc126b

    SHA1

    9c42e1f62df314a8a32d3e15f2eca766de0aba29

    SHA256

    9a1766d22e0677a6e6bd3bc78868ee8ad29cbffcf247fa4275864cfbaa7b0d47

    SHA512

    4b87666d26274596a4950897896d8bfb8a8f117caeb7a3285d26cb1e2ab854caf38ae7a8145d8f84431c075b2da42bfa28a38512af686d5f48730075813e642d

    Download Submit
  • C:\ProgramData\Oracle\Java\java.settings.cfg.PLAY
    Filesize

    1KB

    MD5

    930f3e560725aff32fec8379d12e362c

    SHA1

    1283d9885d4dae6fb81ac785c6172b19d0c6e72b

    SHA256

    af1604e61b79687d771833bcde231eb73edba17228e3ccf941b6aa6147b652ba

    SHA512

    b23a2ac278c0dbdf9f0600fa867fe7ef4415027fe6248037d14d85b896f11b203e54dc5a11d7399ca2490acd7c81bcea5bfea42d26bba1b23ccb1c74a941037a

    Download Submit
  • C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY
    Filesize

    1KB

    MD5

    c34c7431ee2b2f40c767c1c5012bbd04

    SHA1

    a6f8c39736ccb0f1e8e6201d479632abaf62c996

    SHA256

    5507113c593f1658e10203c36ee52613a5d5e5786ff63b7f6bd1923679255dab

    SHA512

    d5b99013d27a50306a572a9b239c148af2b6348abae637c1a4fb2b0648d09140492dfdee750058abd876929500868fef31730c8ac1b4a1498b5ba56483ddbf26

    Download Submit
  • C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY
    Filesize

    5.5MB

    MD5

    28a03968821ab3115684bf2f0882aa17

    SHA1

    e202a7aa1a81d0c4026f3594fa825d2a4318ba85

    SHA256

    0344ef9eff9cae7a37f55ac6b50a3a897dc8b2a9820bc033e44f5e85b10978c9

    SHA512

    e2a54e413c6df472dcb74b281a998829c46d45c43c3896e10c9f9285837120af8adbce51b5c46c7c31fb98a13e0ac380f896e1abb152b2e7eceaa60c3e046b6f

    Download Submit
  • C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY
    Filesize

    1KB

    MD5

    f6acd285ef3a43a2c5d11861ca7cda0d

    SHA1

    ddee32c4387435a1f4603e498e8746120dfd3f87

    SHA256

    bd9c789e359d4fd1f19a990bdd0dd329df32e3b242f6364ee6176ac5b51b2f8d

    SHA512

    81cd27af94699fe907220ea8377ac630a6b3850c1c0b501bb96657222a6125f782f576e1f4cf24270bc3455e472eb2fd593ffebdcfc5345bc884f4c79030e099

    Download Submit
  • C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY
    Filesize

    5.3MB

    MD5

    cff791d49c80c326723700e40229c3f7

    SHA1

    8ff670aab35bc7aebdc918ed72ff87a1d6058d7b

    SHA256

    2e542a681ed24493f609b689015432556d0f43c39747d1ea654e17e19000e7aa

    SHA512

    07c277b83f986488971b9adf448ff58119c32e478d8fe4cc01fd6800970c8be2d8ff9b29e86517c45701f13043641caae41340cf4f43179db8623cdbe4803795

    Download Submit
  • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY
    Filesize

    1KB

    MD5

    f072c4481191db5ff1b4316a53cbf186

    SHA1

    8dfac6a530b7c37849628fd8296b650c9e1e7720

    SHA256

    edaad518d0b114c82fd3b7aecf7830f1667e63e2884d67a01697f2b4802451b5

    SHA512

    1bf251d1d96fae185dfe43e3328f4e52fa0502cc41e7587e9e450b7f640e96d5ed7b05c7c2db3883b3dc10f7865ac207e40ddf53cb3971a39a6e8690b8fdbced

    Download Submit
  • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY
    Filesize

    1KB

    MD5

    8387cc43843a50b36e1aa309a6445d8d

    SHA1

    6b241a6f38e268ead64b10d949182e13d95daccb

    SHA256

    8ee3a9322962fba786baef739cce36faebd7faf0df288420ff1b16b3dc6d6941

    SHA512

    d25ac2635068b74155ffa1dca1cee8f2700a550dd4dd03415e7cbe10b277544ee28b535794f88c98c4668087d5996d91be173f530acf9898c0438d66db0a2f3a

    Download Submit
  • C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY
    Filesize

    870KB

    MD5

    364d7c659dc044522bd0f40965aceed6

    SHA1

    11508a1f1bf12f88d8bc4d1837fb1e19037143d8

    SHA256

    34e258d71a0ca452f40622ad4276c8942d1ba525d63ed38f4a3b7c74a9a51f7d

    SHA512

    05120f61de9b1ce6a9e3737ab1ffef2383bd12c62e6fc558059a55bd8eb391fbc21c2d77dd4252ce786caf3d61e4421fa0e12d99e747d3d940d978fe3242b99d

    Download Submit
  • C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY
    Filesize

    5.4MB

    MD5

    39d1146f6abd9101b607eaa44b53c7a0

    SHA1

    69a586f9527530fe6593be1c7cc05bf2b947aa0b

    SHA256

    f63ee20c4e1a7007bc81af08e40118666741eddb5c632aaf28812aac5ed931c9

    SHA512

    897ece5a18413308add17fbe857635d979b7bfa21b9fd4f00a7d38a8d7cc7068c1ebd0c5fcc065ea5d853dd5eae2a80a3b4af870d467aa874944b53c2b60623f

    Download Submit
  • C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY
    Filesize

    4.7MB

    MD5

    c86c332e2390c77943c74bbfb96e11e1

    SHA1

    d95707ee8ee525b8ad32c19f4fb616ef46880851

    SHA256

    5fd8409b60558e8800b6e637d458f606ff1881dcbd7393ce2acd0604b51f3e17

    SHA512

    2247460c9b9c26e92502c35c81a7e515d2f31e2ff10d4d0b4bd15622754c5febe0c4727677f201c9d74568a01fb0b155c4d328b03d027eb2a774120ced625efb

    Download Submit
  • C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY
    Filesize

    4.9MB

    MD5

    14672b17bb0bf7df8fd59c8bab652ccc

    SHA1

    70b382a448c269ea0c67aec69ca91f921a23802c

    SHA256

    c2fd4e075abf728f456d3d35912f3c1558d800e3d5fdea68531481704160fc28

    SHA512

    312293df168f3a4517a66d5564e4925be7c0e7b99e4c9c122816dee4c44de1f6381c26a1a474d41d937a2c307333a080a526db833ea199e15102ef2d08f23455

    Download Submit
  • C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY
    Filesize

    803KB

    MD5

    7a6aa3879563765500e82dffe95fdc8d

    SHA1

    abe346ca4ef1a27912f7015a9a28f1eca5dd5ffb

    SHA256

    55acdd647cd9b11077cf9e85d632bb4b2afc2817c54ba976f0e6345222ebae7a

    SHA512

    ea7173653c5ced404f707c941e062fc065bcc4121229cff60e316d68d73f60fa459f440f6d82956bfdd6ad22cb44d27d6c5af3018c47451f0ffedd356b97d02f

    Download Submit
  • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY
    Filesize

    4.9MB

    MD5

    e4cb9103350558dd244bfa88648c72a3

    SHA1

    d30d40012f8feb5a080996021b794c4be6c9c475

    SHA256

    ffc6fff0e51c372304870e98000b1b8d5f65c3d96403b5e43a40b2fc37d62000

    SHA512

    d34b02e730f5ba243854761d4136114ab032bb18b8f732e5e2683b743d31bb6260028881e535c95b21b6e73f8c87d07e2716e1ca8cdefabbf895962a3692006f

    Download Submit
  • C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY
    Filesize

    1011KB

    MD5

    d2668061784900d0dc08718ce64633e4

    SHA1

    d80bf6c706be495f9c9a8840a8ce347434cb22d1

    SHA256

    d05129559d257bf1dd9dd881e1f3853aa4d088bede177a316bb0b7e693de23f8

    SHA512

    3f66a3d0bf3f1fd8cf8a53d656f36889df9fcb6d7bb9ff7ca2e9c87b382c0dd46d24d952b68542ef0a9418594fd0f41aa84227041acdfbbb9eceb067e901ea56

    Download Submit
  • C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY
    Filesize

    791KB

    MD5

    fee4cc0e2b0bdfd64defdb2a3cd81f7f

    SHA1

    a1db77c5c508b74714903e1bee5f48c53fde7176

    SHA256

    da413dd037aaa0e266286c2ae784cade9f534bf10f48440101b16346f5dd5b2c

    SHA512

    be2786f0c09ef363e63407ae4a2474039f10a7b60967706522dbed1f8d8c92c468c0f60fa015a4649731727ea79f77a2332f7a77f17637148cca5b552743741b

    Download Submit
  • C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY
    Filesize

    974KB

    MD5

    82327df4442b0b6ab939b4498ba754a0

    SHA1

    f816e35130d51cb0cec123233aaaaa1aac7fe68c

    SHA256

    c01dde3c67c80b961948e1dfa85dd9707e112437d67f7d9bb3d1ad57932ee3ba

    SHA512

    19b02ade04e45f3f207edcb5043cc6991aa2a1768786e5d9bbd3bd831d19c97a4a18197f967bed2ac5b2a30aa881baa9b3360298626677015616e8a487868cd8

    Download Submit
  • C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY
    Filesize

    742KB

    MD5

    9b84418e3e1803b4713ce515c44eacf8

    SHA1

    ba4066acf1f868b14db0f45fb1b7c3a9fc417e54

    SHA256

    5a9b2baf7d5fe315da7885990efbb667806b84ba2461fff25f6352a7dfebd4d7

    SHA512

    92e25583364cef700f68d24de45701ea13270da15b240154707dd5f6ea154aca874532c10c33b236881c1db22e48ee049ad58f8ab443bbb6b425abef5393b912

    Download Submit
  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY
    Filesize

    1KB

    MD5

    7dc85fa1af3a9f0aa5fca3880a4e3cd8

    SHA1

    1a940777016461494bce7f578c8378a64c3faccd

    SHA256

    6857eb01384fe53cb3836f1f37b750f7cf6f7946f57925f273ad7c98dee3b457

    SHA512

    03bae190a24c458cd44567eb4870586370d91b798e131e0502012087425b64a9147c4150dc29b1993ee97a60dca517df1c420c3ff902863969037362fcc4b5d5

    Download Submit
  • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY
    Filesize

    1KB

    MD5

    db6ba5e600c5749db89108b82be9b1d2

    SHA1

    4bd8df7221d17208eff2dd25d6f8883fae64a0dc

    SHA256

    c90e3d3c32babda42d040020ce4233268df389b77325ca2d4405f0438f127d97

    SHA512

    26e1ed688e43be35b8f3c4effaa07791e7ffc82afd7b4b5be667deaf14d05fbcf8c864d82ea8bb95bb52f3ffce7fbf750d6529011b2a7b6aced48674fbaeee6b

    Download Submit
  • C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.PLAY
    Filesize

    2KB

    MD5

    22fa084e98f1c5b85de95eb9b47e9b85

    SHA1

    6197bd4ae03d3c0a4ccf3cc0e6ec5c8992f16e27

    SHA256

    507621c347f803f1890d00fac7ded888563c76d48b2a4bc2dee68a4e732b7826

    SHA512

    17a4de6b21a98ff2a7247410d07fadad8da8af31f7d75d04144c40302a37bbec735cbe11fcf5233e53e9aec25e756f72eab67c4c967a9d7c89c00f6db522cf93

    Download Submit
  • C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.PLAY
    Filesize

    2KB

    MD5

    64ffbf59e301db64a1580911f6de5079

    SHA1

    954a27d34ad37d751ba9eb4437c6cc0dc94f9c04

    SHA256

    3283b9a7992a732d08899885ffa8a23d1db600e0f0b753e49a5172953e6ff0c5

    SHA512

    1747484071cf3f050a5d96e4c280ca17d5bee021ba640b3f99b379494a97e20b04d817138946945df7998e4842e8f837d2e4f7a01563c36381f068d3237101f0

    Download Submit
  • C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.PLAY
    Filesize

    2KB

    MD5

    03f5d22f0e8c32db1900be2d552e3019

    SHA1

    f52384f825caa054a525ddb90baef7eba7224399

    SHA256

    974e937cabf767675059b10f55a30f02a19e12d81623d07e3ec6baaa24ae4b71

    SHA512

    6a2bef93c733e2947c60b9450d7dd480633b65a71ca42555e73358fa558d4c7b6946d968a261b5dde58ca68c1bf021ac5965ad35779ad97cba4883b916c5c076

    Download Submit
  • C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.PLAY
    Filesize

    2KB

    MD5

    159029d29ae9e4739ae8839162a818ff

    SHA1

    36bef3fe7015a94b64d6cd87e6fed44862712778

    SHA256

    2aec9d1df2d2c53f849f07b2504a75abd3a2ffed1d11c10754b9b9776131aa11

    SHA512

    da356ba6e92c5921f5fbacfdf61ec1185baf019e3893f3c561f468491d6588707276b7474f4b0d7a43c92cf5a3548345b6a7030bf126226a0cc9c113c2785bf9

    Download Submit
  • memory/2604-133-0x0000000002A40000-0x0000000002A6C000-memory.dmp
    Filesize

    176KB

    Download