Analysis
-
max time kernel
151s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
11/10/2023, 20:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ZYu4eR.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
ZYu4eR.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
ZYu4eR.exe
-
Size
458KB
-
MD5
a7220cc1827fca75b6e74efe59a8ea77
-
SHA1
836c066fff10ad423134f863528f4ec3d3e95962
-
SHA256
731457e4704d299b353e802b72a6908dfa2124cbb5130b8cb9a943c6be6bcdc6
-
SHA512
90cda9290fbc28187da837c4829fa1cd0084a58c87e58b6ddb0e70340b334507233bc0ab2c858462824e21babaaf2118dee68513e5c87fa7126d46bce5d38b21
-
SSDEEP
6144:4/MZO4aLcwC0IEVvO2UcxnwMSKY3m5MzrTV/yqUKmLzmZhbVPcK7lKWp+:4XiwC0pVvOwxSCirEXKPZh+Kdp+
Score
10/10
Malware Config
Signatures
-
PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
-
Renames multiple (2485) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini ZYu4eR.exe File opened for modification C:\Program Files\desktop.ini ZYu4eR.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\V: ZYu4eR.exe File opened (read-only) \??\Y: ZYu4eR.exe File opened (read-only) \??\Z: ZYu4eR.exe File opened (read-only) \??\E: ZYu4eR.exe File opened (read-only) \??\N: ZYu4eR.exe File opened (read-only) \??\R: ZYu4eR.exe File opened (read-only) \??\U: ZYu4eR.exe File opened (read-only) \??\G: ZYu4eR.exe File opened (read-only) \??\H: ZYu4eR.exe File opened (read-only) \??\O: ZYu4eR.exe File opened (read-only) \??\K: ZYu4eR.exe File opened (read-only) \??\L: ZYu4eR.exe File opened (read-only) \??\M: ZYu4eR.exe File opened (read-only) \??\S: ZYu4eR.exe File opened (read-only) \??\T: ZYu4eR.exe File opened (read-only) \??\A: ZYu4eR.exe File opened (read-only) \??\B: ZYu4eR.exe File opened (read-only) \??\I: ZYu4eR.exe File opened (read-only) \??\X: ZYu4eR.exe File opened (read-only) \??\W: ZYu4eR.exe File opened (read-only) \??\J: ZYu4eR.exe File opened (read-only) \??\P: ZYu4eR.exe File opened (read-only) \??\Q: ZYu4eR.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui ZYu4eR.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\manifest.json ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_zh_CN.jar ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx ZYu4eR.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat ZYu4eR.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\meta-index ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-io.jar ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\jawt.h ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml ZYu4eR.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar ZYu4eR.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_CN.properties ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms ZYu4eR.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin_2.0.100.v20131209-2144.jar ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml ZYu4eR.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\psfont.properties.ja ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ppd.xrm-ms ZYu4eR.exe File opened for modification C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui ZYu4eR.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\LICENSE ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-phn.xrm-ms ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms ZYu4eR.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui ZYu4eR.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\Xusage.txt ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\meta-index ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-pl.xrm-ms ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms ZYu4eR.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat ZYu4eR.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml ZYu4eR.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_ja.jar ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-ms ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml ZYu4eR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms ZYu4eR.exe File opened for modification C:\Program Files\7-Zip\Lang\fy.txt ZYu4eR.exe File opened for modification C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui ZYu4eR.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml ZYu4eR.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b50f8be8ca36102c258c8614c3fc4fd7
SHA160ca49735da14e29ea6d0984d6a1db0050df3a18
SHA2566aff302d6a296effee7e74bf4df616ba5e52a9794a4157998e24b4877ad67af8
SHA51261e1caa1478428dbadabc3da9ebdf05be14a25fb26da9586bbe2aba2cff25519181f206604619d8d5802952abb8e54bb9c7795ad3588e57d053f35c0dc2d52ff