Resubmissions

28-06-2023 12:38

230628-pt6vxsad8w 10

28-06-2023 08:00

230628-jv4t3agg34 10

Analysis

  • max time kernel
    1800s
  • max time network
    1227s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-06-2023 12:38

General

  • Target
    006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
  • Size
    178KB
  • MD5
    223eff1610b432a1f1aa06c60bd7b9a6
  • SHA1
    14177730443c65aefeeda3162b324fdedf9cf9e0
  • SHA256
    006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
  • SHA512
    cf8b097e4d8dae444c4759a6588bcc5769694d34675f17fed5ee6d0b7aa52ed44263b0cc73f4ff422182a01ad8d69b18a71110c4fc4e9dd2233e9cfe833cbd36
  • SSDEEP
    3072:Yrl2uRkddO+iR7OZOQ+dzeIP9mwUGU3l2bxW1/9JnOC/fhKJ2hXh3lmG:22uyqOh2g8U12K9dtEWx17

Malware Config

Signatures

  • PLAY Ransomware, PlayCrypt

    Ransomware family first seen in mid-2022.

  • Renames multiple (8290) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Modifies extensions of user files 21 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 29 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
    "C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    PID:4932

Network

MITRE ATT&CK Enterprise v6

Downloads
