Malware Analysis Report

2024-10-18 21:36

Sample ID: 231011-yv5hxscb22
Target: ZYu4eR.exe.zip
SHA256: 52480d0a016e6df93f58ecc9a6e8d42177bd35e393406d464426a0951e206a36
Tags: play ransomware spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 52480d0a016e6df93f58ecc9a6e8d42177bd35e393406d464426a0951e206a36

Threat Level: Known bad

The file ZYu4eR.exe.zip was found to be: Known bad.

Malicious Activity Summary

play ransomware spyware stealer

PLAY Ransomware, PlayCrypt

Renames multiple (2485) files with added filename extension

Renames multiple (8480) files with added filename extension

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-11 20:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-11 20:07

Reported: 2023-10-12 13:59

Platform: win7-20230831-en

Max time kernel: 151s

Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (8480) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Program Files directory

Processes

C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe

"C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe"

Network

N/A

Files

memory/1376-0-0x0000000000170000-0x000000000019C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-86725733-3001458681-3405935542-1000\desktop.ini

MD5 937c48233853189d65538e21d18e26de
SHA1 2ecedb3185e4d7b4d7c97fcbba1ff02bd7361051
SHA256 b2a7a590a8b17d52d4fb7146242df571ae0c18ec5c3eb933a58233b2c216c8d6
SHA512 8a9540e54b64f8ec807cda13c79c6c855abc9d0b12f129dd30ef4ab1207fbf8bb77dba8cc6223e4d3cdde46961b9856e3c012eb587cb75bdc56b0a65776bb7a7

Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-11 20:07

Reported: 2023-10-12 14:00

Platform: win10v2004-20230915-en

Max time kernel: 151s

Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (2485) files with added filename extension

ransomware

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A

Enumerates connected drives

Drops file in Program Files directory

Processes

C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe

"C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe"

Network

Country Destination Domain Proto

Files

memory/2692-0-0x0000000002CF0000-0x0000000002D1C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini

MD5 b50f8be8ca36102c258c8614c3fc4fd7
SHA1 60ca49735da14e29ea6d0984d6a1db0050df3a18
SHA256 6aff302d6a296effee7e74bf4df616ba5e52a9794a4157998e24b4877ad67af8
SHA512 61e1caa1478428dbadabc3da9ebdf05be14a25fb26da9586bbe2aba2cff25519181f206604619d8d5802952abb8e54bb9c7795ad3588e57d053f35c0dc2d52ff