play | 7bc87a26137cc07cabf31e6e4bcd0e514846b5dd727a29132919f2e6b317cde8

Resubmissions

12/06/2024, 22:11

240612-135j1asekc 10

12/06/2024, 20:56

240612-zq6qvstekp 10

28/05/2024, 13:15

240528-qg9aysfh38 10

27/05/2024, 20:52

240527-zn2dcshf8x 10

Analysis

max time kernel
191s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2TXt7S.exe
Size

326KB
MD5

21413e789eea9d581d047df32fad7fa7
SHA1

c361103da37aff0216281781dff09fa5c079864b
SHA256

7bc87a26137cc07cabf31e6e4bcd0e514846b5dd727a29132919f2e6b317cde8
SHA512

cd6bd0f43b0385a392395add3108134d8aeb62cea3ed470ddfeea66ac096cc6de5e85bc2dda3798a13437ae4b6c38580a3b2e24143db1835c88d268b2ec570c4
SSDEEP

6144:fXqpIW/yostkBUPSuLWT9Dj4IByRuE3AzJNxRGI20JE:/q2W/7+kBuqjKuE6NxAn0JE

Score

10^/10

play ransomware spyware stealer

Malware Config

Signatures

PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
ransomware play
Renames multiple (7299) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 29 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2TXt7S.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2TXt7S.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2TXt7S.exe
File opened for modification	C:\Program Files\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2TXt7S.exe
File opened for modification	C:\Users\Public\desktop.ini	2TXt7S.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	2TXt7S.exe
File opened (read-only)	\??\Y:	2TXt7S.exe
File opened (read-only)	\??\H:	2TXt7S.exe
File opened (read-only)	\??\J:	2TXt7S.exe
File opened (read-only)	\??\K:	2TXt7S.exe
File opened (read-only)	\??\M:	2TXt7S.exe
File opened (read-only)	\??\U:	2TXt7S.exe
File opened (read-only)	\??\T:	2TXt7S.exe
File opened (read-only)	\??\X:	2TXt7S.exe
File opened (read-only)	\??\E:	2TXt7S.exe
File opened (read-only)	\??\G:	2TXt7S.exe
File opened (read-only)	\??\L:	2TXt7S.exe
File opened (read-only)	\??\Q:	2TXt7S.exe
File opened (read-only)	\??\R:	2TXt7S.exe
File opened (read-only)	\??\Z:	2TXt7S.exe
File opened (read-only)	\??\A:	2TXt7S.exe
File opened (read-only)	\??\I:	2TXt7S.exe
File opened (read-only)	\??\N:	2TXt7S.exe
File opened (read-only)	\??\O:	2TXt7S.exe
File opened (read-only)	\??\S:	2TXt7S.exe
File opened (read-only)	\??\B:	2TXt7S.exe
File opened (read-only)	\??\P:	2TXt7S.exe
File opened (read-only)	\??\W:	2TXt7S.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-125_contrast-white.png	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-white\Settings.png	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\AppxBlockMap.xml	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-150.png	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\JPEGIM32.FLT.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\AppxManifest.xml	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-lightunplated.png	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\YelpLogo.svg	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\ui-strings.js.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\MSFT_PackageManagementSource.schema.mfl.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.LEX	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Ear.png	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-200_contrast-black.png	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-60_altform-unplated.png	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\YahooPromoTile.scale-200.png	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\NoiseAsset_256X256_PNG.png	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_start_a_coversation_v3.png	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen.svg	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAI.TTF.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\sat_logo_2x.png.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_selected_18.svg	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_contrast-white.png	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PaySquare44x44Logo.targetsize-24_altform-unplated.png	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-disabled_32.svg.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLL	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Describe.ps1	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\ui-strings.js.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-125_contrast-black.png	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-100_contrast-black.png	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close.png	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-400.png	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-colorize.png	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\ui-strings.js	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sv_get.svg.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms	2TXt7S.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\DarkTheme.json	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg7.jpg	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-2.jpg	2TXt7S.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.boot.tree.dat	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-200.png	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_HotelReservation_Light.png	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-tw\ui-strings.js.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-200.png	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\plugin.js	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\ui-strings.js.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sk-sk\ui-strings.js.PLAY	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\WPGIMP32.FLT	2TXt7S.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200_contrast-high.png	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\file_icons.png.PLAY	2TXt7S.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
38944	1708	WerFault.exe	80

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
50784	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe
"C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:1708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 40144
  2⤵
  - Program crash
  PID:38944

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\ReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:50784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1708 -ip 1708
1⤵
PID:66068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:66300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini

Filesize
1KB

MD5
51593dc34ed5202ef371a808084edba7

SHA1
53a04d88afbebe874c7c7200b6bc584836fb782a

SHA256
eff5a5023a2ab625ea35260b22bea6c410b5240c24a01516b3e178ca8a7ae6c0

SHA512
5dfdd1b6586cc9ac3923d69c9c086d0925bfd473d8c8927071509b7fd7ecd491a8c18c7cbd9b5bcf7e130c71db4cbc503865a4bc0f3cf0c317b7651d4b3ca41b

Download Submit
C:\ReadMe.txt

Filesize
188B

MD5
5980ca63cad3b0b5ff0917c6f50830b3

SHA1
650f26c75564172626c0c0bc7cabdd1166d7e3ba

SHA256
6373e979e7d40b945fb6f735b5e2f9253ba58d2bcff4415a1907618936875d7d

SHA512
8191c370c99824db06e71a3772372881cdaf2a91ef9dbaefd5901fa4b75a63cf55365df3460a6f1e4f8f255c739e16e60035bb78bd42705d5653090bceaf9fe0

Download Submit
memory/1708-0-0x00000000010C0000-0x00000000010EC000-memory.dmp

Filesize
176KB

Download