Resubmissions

28-06-2023 12:38

230628-pt6vxsad8w 10

28-06-2023 08:00

230628-jv4t3agg34 10

Analysis

  • max time kernel
    1800s
  • max time network
    1593s
  • platform
    windows10-1703_x64
  • resource
    win10-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230621-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    28-06-2023 12:38

General

  • Target

    006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe

  • Size

    178KB

  • MD5

    223eff1610b432a1f1aa06c60bd7b9a6

  • SHA1

    14177730443c65aefeeda3162b324fdedf9cf9e0

  • SHA256

    006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55

  • SHA512

    cf8b097e4d8dae444c4759a6588bcc5769694d34675f17fed5ee6d0b7aa52ed44263b0cc73f4ff422182a01ad8d69b18a71110c4fc4e9dd2233e9cfe833cbd36

  • SSDEEP

    3072:Yrl2uRkddO+iR7OZOQ+dzeIP9mwUGU3l2bxW1/9JnOC/fhKJ2hXh3lmG:22uyqOh2g8U12K9dtEWx17

Malware Config

Signatures

  • PLAY Ransomware, PlayCrypt

    Ransomware family first seen in mid 2022.

  • Renames multiple (8039) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 30 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
    "C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    PID:3840

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1989575376-3257970224-3313857678-1000\desktop.ini

    Filesize

    1KB

    MD5

    e8ed20ad22d67238319455e6cfd2b9aa

    SHA1

    db810ea98bd6f719e0ee11949ff59d5e7e8240db

    SHA256

    791131d2dc336fae6c700db9127885152bfbf70d98ed6924f536d255f3175910

    SHA512

    4e40593bc3c0d3e860fddd91e57ecd50f2b754df125393e41426a8d2b436c17db3f64fa8f7f3c12baa204c33651515e8bf417285ec882ec000e388e0456acf59

  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.PLAY

    Filesize

    167.0MB

    MD5

    aec51a1dbd19b5de7f48f6a6232ca894

    SHA1

    516f1ee3a4de7eae68488a7c84be1b7056985f8d

    SHA256

    c10dbf966f0fb00da76a9c9fffc7e62fa8894905e3f4821a2611b4cbdce57f95

    SHA512

    4e73d61c8508e71651ec2587377aca01ba5ff2b5b52b7065d3acd18d8e26dbef26fb3bf59a2eb9fde5e2141eeaa0e8f7fdaa61b4de7b7d1f9ffd74683faa9c00

  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.PLAY

    Filesize

    1KB

    MD5

    9f2e3fccfa9b8d201cb847a60f9a2a8a

    SHA1

    2893959e04d0f1589a16fcec1a7b2deb30b501a2

    SHA256

    002132a1486857aaae364d646f52c7c0d0b49eeb8df9e95dd5de16d4a06a3b10

    SHA512

    0727fa5244be2f40657523dee2fca5bd6e07d8a50e6a50201ab704c272b8c6fdbb01212f1e444ae2ade67cf6a1e595fcc28f40da5ec69dda7297f3777432fb14

  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.PLAY

    Filesize

    1KB

    MD5

    d2d20957825a7ec38f494f51d8803852

    SHA1

    238f3170f5c51a29255de48feed1f2602e8d4b0c

    SHA256

    d4ed5ad8ba6e154f498e2a2fa4279c144230624f19f9a29adba0e5b63af42f54

    SHA512

    ee33aff742bee426654a913304a096a895b928f1175cdf433606fe11784f2931bb37901b60e4305a47d3e5fce389c8588b88815970677c330b59db77a74fc636

  • C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.PLAY

    Filesize

    1KB

    MD5

    cbaae3ee8bc840b91d9478359cc91539

    SHA1

    0336b09a5685f7fd4c855c0f1efcbf8b4de170c3

    SHA256

    b81fe3478e3ddbff16da33b8e7e8f1f4b18b601c40ed1d25d89b3133bbecd966

    SHA512

    47481ea41ff2c860c6e8347a17b28b6519c3cbeff562fcfa964fd516d0a2b8daea60e160c4188b31c67d399ef99486b90118116c1e67f9663a27b6c1b2feb5b1

  • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY

    Filesize

    1KB

    MD5

    1395dc7e5bd27e9b1f88ffc16fa5ed30

    SHA1

    6e5f80e1c88df09644f8a2bf2de978cb222a37da

    SHA256

    afd2fbbcbb5f074e307fe47b99ba7b1f864ee9db0a0fadb20cda9c0b840e49ff

    SHA512

    500eae2a0dce7a13e31adf073e7adf4adce9c9846175ebe58bc619ebcc2d637f078d0dadb84e93498f15680fd947eac46c3fb1b007a562c59043b76fc3a1fa3a

  • C:\ProgramData\Oracle\Java\installcache_x64\baseimagefam8.PLAY

    Filesize

    78.7MB

    MD5

    82ad97d9d10f04db4567e9ed6a097b0c

    SHA1

    2251b19901bf5559e5445a4c7b7f3292a882f928

    SHA256

    ab7fbc43aa8370fd778d5525fa68d95c949b0e60aca1c2f3ca08d10427900450

    SHA512

    89f688795b1aecc383cbfe511aba5c5e9311afef5e4d852ab87afa7a9a357995b8ff65e1d14b832efb42802b709a789e80439b6c0fd5a040a7041b839561226e

  • C:\ProgramData\Oracle\Java\java.settings.cfg.PLAY

    Filesize

    1KB

    MD5

    02961f79ee185375c7b9991c4f1e2758

    SHA1

    5a5959cc120713019c7bd0e51cfba2fa6f43c0bf

    SHA256

    fc515d8e7e203ccf9d6952bcd48e09fc9f41387d24373e8b2f811cd9c94ec06d

    SHA512

    c016148d3fe1cd9bb22973420ee37093aff00e5dd728269e69873401e277a2171058e80ea24db8fe99593fec4ec2f27a04194752ac582ec58334e878271e14f5

  • C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY

    Filesize

    1KB

    MD5

    f78d07a8a872410b5285d982e478c7de

    SHA1

    f0249f3e6e141d5b80968975fe5178542a8193ac

    SHA256

    5547c8dd716d27ffea881f311034eafb119900f4a1f59088edd70bcda419f8c4

    SHA512

    9bf6895b5d28466c57c77c2abd7b07fc9304bbb8cb387b847be733af5db491a884d91cfe09118d8ef580c24d2a4e8dc0fb6616bf6844d3769b4e77f664987cee

  • C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

    Filesize

    5.5MB

    MD5

    b39675b1aa46469cb43a54a73569a6ad

    SHA1

    d438f6695e04f3a6bc639c180d5892bd8ec629f2

    SHA256

    664a133e4614d3a537a0dc5311e18bc7f13d8f54e6610427a7d7d9dd9c2060d6

    SHA512

    fb6239c5b69612f2f868c4560d8b614f8cdad2766cb5915e0c02468c820b1edc927794a33cc7383c4c252f23cd799f4b9a2f557aac6108231a8e71cc64cdab7d

  • C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY

    Filesize

    1KB

    MD5

    64e58237fa46a9f979731f6a246397e4

    SHA1

    cff27f53f9a408b708e074584c8d03d72d05ba50

    SHA256

    a35d23c130c9f65be635859c2b06b6d5f49c3f3ee60aad5cd45b5bd326d867bb

    SHA512

    957f873b3bec8451c66e0ee472b5519f1ed21a094edcf06c77dd38fa33f2cd3eb9977c48fdc635536959793f781f21d8bbc333199aa3967ffe461fc0dfbf2dd8

  • C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

    Filesize

    5.3MB

    MD5

    da7d10697df6714618f1a5cb30eb3e80

    SHA1

    d36e8a9f729cedaf2ddc6def58c14a3b2a030098

    SHA256

    160f86a268de991405e4c1b0ebdaf8b646b4a664a3bf567f09daa4605755e3b8

    SHA512

    11ff7af59206af8c4d7f7184b7d6636a04e87f44f330c7fec511fac9a5c8deea04c049f4c5d32f6bf4211c0567e0522971054db9a591313d1362c125c3e9f939

  • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY

    Filesize

    1KB

    MD5

    56c3c51e76cd5b680b0d1ae275f6a023

    SHA1

    c72e7dbf9860c8b37ef8d7801b8dbd7210521bb1

    SHA256

    c4c785cec2ff173a297f650adfd1f406483ad5cefb03fc31bd125c3727865a8c

    SHA512

    2d6af88aff0758a992000cf2082947ac82dc8040fc11b8973376794a853b8562cc60af78d0fdf309918208fe991ef800361aed9b2cbd51bb48daddf0ff733e6d

  • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY

    Filesize

    1KB

    MD5

    9c3af160187838c820a31eb8878f4895

    SHA1

    8ca1b4a7a76c1f606610adfc0739a517e249241e

    SHA256

    46f5d59be9049aaac7c1c8c83152fcac47f812415c70576ef4f30bbf9e65cb17

    SHA512

    ff8bbf04b201faab0ba034f55daf4c186c05c57d43657d5683fd6db62422a37aeda90f1151dbd20f300a3c2b1ecffa1035c6197a674e0f7711b1e173ab490435

  • C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

    Filesize

    870KB

    MD5

    9c3d658d6ff1d08c8297a4809c496eb5

    SHA1

    71e22b23bdb259b6fcc8bea0fda5476496192ec9

    SHA256

    d936d81f50b033981379ccf3a26c8adb67911d674b49db37594247486b604cac

    SHA512

    4e3cedc7575c978cc279cb0f14592961fc5487b5c61c8febe696fd7b30925d632d7a0a5e5da9e71c953c89813c2d928c089c1ed3c0e8a0df5bea703e26859ae8

  • C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

    Filesize

    5.4MB

    MD5

    6bcd875ff211a5376801ec191e5e2f27

    SHA1

    3b61996fff4650f747f003e1738c5e92f87a1049

    SHA256

    c2d0784b2765a849d9c0b28380ffa17e035876e549e35c4c223b2f7119ff0f42

    SHA512

    a8d00b57a4f75fead3fdf6be1c44fc686710404d1d1a9755e6e7ba8ec337eed6927699553eecb31890a44ca2902beaa35bdd34fb66981bcc978c69f0abbc1648

  • C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

    Filesize

    4.7MB

    MD5

    d83349ef73ca198ea16e97764be55d0a

    SHA1

    deb37b21d7c15232a7dcca9c6c957614db251aae

    SHA256

    9d7ecd7400029b167c5eb9173737d3e762a6fa1be1af63099a3f311905a9cfbc

    SHA512

    d621f644c3c6e7d2c6a717e183ea9ebc6b21aa94f70dba5d4ebe6ab952bd132360a00320d684a4bcba11f2993a641ba0836774f40c93c23871e60620c9a5d209

  • C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

    Filesize

    4.9MB

    MD5

    0a7a384e598f7c59e84ad2353ba530a3

    SHA1

    0ce50cf54411c8c1fe2fc6548027c77767cfadd4

    SHA256

    40d1809ef4b33477a2aa3181b1b2f241a2611aeb62078388bca20016c08e9efe

    SHA512

    208714bfab3478212a3f95ebdfa869437e0474133ad040067d975e24c8ef2e55267be81d69bdfeef10dfae2d0909dc4987c7667a5f29c322e7ebeede2462f583

  • C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

    Filesize

    803KB

    MD5

    1fa3d008df383150612415ccbce1ca7b

    SHA1

    e9ef0afaa2121920f5aee548bb7716b9a0de6aeb

    SHA256

    badfa11f325a65b0f88b2b8df3b9c8bc724ea9c1f827a7d84b5eb0ac5ae9ac14

    SHA512

    75a8802276427f5b0afabfc22a8aa0e8eb51cc0221fcf573e67f86c93c48b66eb0ce459841444a579b6e5072d055abe1691a76ae4755145d9326feca70e61808

  • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

    Filesize

    4.9MB

    MD5

    6cf4976586a864a73125034a123d0575

    SHA1

    811a43fc47fd46539a7ff26c2b124b9430046ed9

    SHA256

    cfdc1aa328657bdf16fa9b307860d08ed0e74290fcfde55de78cf0f58a9066a1

    SHA512

    0b93612241b83220939e4fe0b320d77e01e8960f063c3477143bb8053e48a781ebfe629cc3c7a6084e2add3a34b9025c4396bc466fae173388a0bb924113e504

  • C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

    Filesize

    1011KB

    MD5

    f4e8613813b7a542ab6346aa1091b1dc

    SHA1

    145de5123e8d10870e2078fa0d32fcdf4bc4b447

    SHA256

    d5662f476ecb57531d3a18552a422e04133b8f11b4e308243b1dd7623d2ab085

    SHA512

    df52822747704bf8a4097f8140f32c29e30d8b4c02bdba49b390327b77c20da91b1e966a80f3b99728fd78e575f5e4c511a0da469dcde92c9ebd8d5f150cd10d

  • C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

    Filesize

    791KB

    MD5

    ef84a1f63510a13c16bc1b60c049c475

    SHA1

    8990b5867cbfbf4836d35bc7096630ef38b75590

    SHA256

    723187e23d190913ac6e1fd040ea1cf4521816245449cd888769da75501f30f4

    SHA512

    0ac66954042601aa739ef09713cda79838caece92617c7dc15ee61f786799d7c49bfe15f6e1381ce7f027a95e42f26b3ff9cde668797760c9524158d0321864a

  • C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

    Filesize

    974KB

    MD5

    4366ae2954c1e9bffb93964a35265d19

    SHA1

    48ce8688b8ec3cecc7473b9bf0316ce8d4e3255f

    SHA256

    c3bdf39fed14928a6ccf59b43f032285360b31a12cd5616c5245dbcc682cb850

    SHA512

    f678787b22fead3a5ec5c4474c6791f4c81e5d325bb8b2c1b5251f60d67927e0813cd09083f5c4f111a1a78616d9431971541b83e0563c72c5c5edcc0bddca11

  • C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

    Filesize

    742KB

    MD5

    5652aab2db0fd9081ec9872b289143a6

    SHA1

    d7ea8ad6879ae7f736844f944dd808eba86a70ae

    SHA256

    769680bd7b9df65341c6e2861d579fcd4b86683cd0346f00297d32c01b80cfbd

    SHA512

    0967871c6daef15e9e3de951a95660cf99e70b699b9f59e761507b1aff0f271493e1140962a5596ebb7136e94289f91ba326b22caa42282aab1319cab826c0a6

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY

    Filesize

    1KB

    MD5

    e7d4277abf39bcea1660c656b2cf2c0a

    SHA1

    9aca543d5bf11f7645044bbdab6d8b240ce71635

    SHA256

    a36ad735618b55de44f04a7c31b0e074de742034ff155162df9c227d13ee3643

    SHA512

    b58814aa3d785a4a4d23c75aa7e93f47b09e04bf2cdc2858c7ffc252f5cb5d21c314a7d4fa2323796ed5149077e368bc8ee00b89c0c5d7889f41007471d9e18c

  • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY

    Filesize

    1KB

    MD5

    f3cd4da7ae29e6b67fd8325f188ec0b1

    SHA1

    c361edaebb4f3c82f26b06946d8ab3e840308cd3

    SHA256

    26f7522bc4bceae2c90a31f2803bc52b9e08c17aa6a02dc68e98015ce0f270b8

    SHA512

    3893a6ad57ac35504027df8e36762a97516a0cc5fd5b893f3aeed93ed8665b072f33eb289831be6dff4333f0bf4552d520e5a26e424ef2e5c3ba97430352920d

  • C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.PLAY

    Filesize

    2KB

    MD5

    8f5f5d88931fb31d47b0cc3a284c0e47

    SHA1

    693464e198f220f4c985bfaa38231beb3b886886

    SHA256

    ccc63dc16274ab18bfb28f2faccb73c770f21b920da7b62dfbf4a2c7a1df77fe

    SHA512

    134782b3b62a2d0d4152bab76c70f416a0683879249999366b171b34d0c2c216f6b599dad794137a18906bdc2d633adc0b4e92de72d68ded7fec3afe41e5e7f2

  • C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.PLAY

    Filesize

    2KB

    MD5

    e8d87a9e6ecad6d89ea213d0b3bda34c

    SHA1

    d3f1268d4154b6ae9cd6167db92758e08c247a59

    SHA256

    6c6786a70c166bc8a9b96df3b3b51643667311938011b6cf014ba8df70f2c9ea

    SHA512

    4ab93865c43b86bca3ae355baffe4a83fac9c50a8fbe28e2e10649709e45f594cd7ee2fee5e3536532eaf3265a390d281ca7d32ed40adcfc6b352015a4483629

  • C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.PLAY

    Filesize

    2KB

    MD5

    d6f2024f54988325925579716a879a6f

    SHA1

    99d2282af68a441c862abf795f8aea45e5cefa1d

    SHA256

    972e9d1a39c6bc7db8470087ba30fd5b4a077b5f7ee6e6982b03a64600182abf

    SHA512

    4f4b56f7bade7b4523a258acb13786e726cb6bf085f95f8637a90b0e36a2f2684f47277e556b2b2e071f236fef0b6a5e080c6cd303696075549dd3336786ed0a

  • C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.PLAY

    Filesize

    2KB

    MD5

    5fb38480b11e0fe17bd969092e0bd8f6

    SHA1

    2b5ca96e2244a9c333846f6965119024f9ad32ac

    SHA256

    46c3b6057b075813f237e255111fe2812939a0e9635377966b45be683ab2a51b

    SHA512

    a47ae3833ce759dd55ad70c38e73b870eabea2551acef4141a375e21d17b03547c2de2474df8207a7890ae6c176ec2e5104bf23b068bfd4873ab011b6049a535

  • memory/3840-121-0x0000000000AE0000-0x0000000000B0C000-memory.dmp

    Filesize

    176KB