Overview

overview

10

Static

static

3

762bb8a720...39.exe

windows7-x64

10

762bb8a720...39.exe

windows10-2004-x64

10

Resubmissions

28/05/2024, 13:25

240528-qn2jpagc45 10

21/12/2023, 15:14

231221-smbb8aahaq 10

Analysis

  • max time kernel
    111s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/12/2023, 15:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe

  • Size

    458KB

  • MD5

    8177fcfd49b44e0eff98320b0a713ff8

  • SHA1

    8a40c9b2c5b0902d9dc0f159def55eea94063b1e

  • SHA256

    762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539

  • SHA512

    5821cc4bae9b43772c8253cbd9feac353d4b44b5ad3e9d786c96d3e4ec2147a7787115300658f10a22cc46bbc3032e7ecaf38d84f5167040775135d314e4de5a

  • SSDEEP

    6144:f7M6Yn6fGlV0okVP3Z4FQmFKMUhhtpyr81fhKUqmLzmZuGVPVElK4p+:fsflV0pVP3aBcJyrs3qPZuocp+

Score
10/10
playransomwarespywarestealer

Malware Config

Signatures

  • PLAY Ransomware, PlayCrypt

    Ransomware family first seen in mid 2022.

    ransomwareplay
  • Renames multiple (7307) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 29 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 52 IoCs
  • Suspicious use of SendNotifyMessage 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe
    "C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    PID:4032
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4852

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3791175113-1062217823-1177695025-1000\desktop.ini
    Filesize

    1KB

    MD5

    0d56e154e8216978772862bcfbeddd1c

    SHA1

    a3ad9c2d02a3aa20528359275f8f82271a4bcf5d

    SHA256

    702a9c6eaac570f7851ef168294f5decdd61343c26e6aff6fccd3c5319e24665

    SHA512

    dc84a6152c51b03ef8976d2ff9b24bf16b84406014c1f53cd0646cefdc8c831c51d139405cfb1c6ecbdad60fedb1be104061d2fe6835d7f92f1721bf17350f64

    Download Submit

  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
    Filesize

    65KB

    MD5

    dec76e5686a38ec0960f72d977f3f338

    SHA1

    f4de38c59f905ff8697f117e8f2dff204cb52b36

    SHA256

    bc6564436316292c0e4326834daa059b8932d72d965230a95804284ef28e282c

    SHA512

    7e498de31582bb434dc35a45881a1b42d91ca5e0d8b1278c896132ecf00488837f72d79fbcbd40c816dfdc5af7d819650caa378eb275b1d3c8154fcfa550d91f

    Download Submit

  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
    Filesize

    1KB

    MD5

    296c7489c920de2ec0d70969b021cf13

    SHA1

    175823c16a923fda98504f4cece6121536101e80

    SHA256

    27b6d80987d736e6c3d36803ae0910a64cce7bc4a6204316d28960512c1b64b0

    SHA512

    1d6c8419ea906ea15aee5f540cbedd2ef4d589a753b154834afc3322435c6930b2a5f8d701bf100d5a5cc8a8979e3c368ebe587900df2e977dc8aca9f5dd1faf

    Download Submit

  • memory/4032-0-0x0000000000A30000-0x0000000000A5C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4852-9-0x000001F5E8250000-0x000001F5E8251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4852-8-0x000001F5E8250000-0x000001F5E8251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4852-7-0x000001F5E8250000-0x000001F5E8251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4852-10-0x000001F5E8250000-0x000001F5E8251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4852-11-0x000001F5E8250000-0x000001F5E8251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4852-12-0x000001F5E8250000-0x000001F5E8251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4852-13-0x000001F5E8250000-0x000001F5E8251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4852-3-0x000001F5E8250000-0x000001F5E8251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4852-2-0x000001F5E8250000-0x000001F5E8251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4852-1-0x000001F5E8250000-0x000001F5E8251000-memory.dmp

    Filesize

    4KB

    Download