play | 7bc87a26137cc07cabf31e6e4bcd0e514846b5dd727a29132919f2e6b317cde8

Resubmissions

12/06/2024, 22:11

240612-135j1asekc 10

12/06/2024, 20:56

240612-zq6qvstekp 10

28/05/2024, 13:15

240528-qg9aysfh38 10

27/05/2024, 20:52

240527-zn2dcshf8x 10

Analysis

max time kernel
104s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2TXt7S.exe
Size

326KB
MD5

21413e789eea9d581d047df32fad7fa7
SHA1

c361103da37aff0216281781dff09fa5c079864b
SHA256

7bc87a26137cc07cabf31e6e4bcd0e514846b5dd727a29132919f2e6b317cde8
SHA512

cd6bd0f43b0385a392395add3108134d8aeb62cea3ed470ddfeea66ac096cc6de5e85bc2dda3798a13437ae4b6c38580a3b2e24143db1835c88d268b2ec570c4
SSDEEP

6144:fXqpIW/yostkBUPSuLWT9Dj4IByRuE3AzJNxRGI20JE:/q2W/7+kBuqjKuE6NxAn0JE

Score

10^/10

play ransomware

Malware Config

Signatures

PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
ransomware play
Renames multiple (7897) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 13 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2TXt7S.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2TXt7S.exe
File opened for modification	C:\Program Files\desktop.ini	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2TXt7S.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	2TXt7S.exe
File opened (read-only)	\??\N:	2TXt7S.exe
File opened (read-only)	\??\T:	2TXt7S.exe
File opened (read-only)	\??\W:	2TXt7S.exe
File opened (read-only)	\??\Y:	2TXt7S.exe
File opened (read-only)	\??\A:	2TXt7S.exe
File opened (read-only)	\??\U:	2TXt7S.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	2TXt7S.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	2TXt7S.exe
File opened (read-only)	\??\Q:	2TXt7S.exe
File opened (read-only)	\??\R:	2TXt7S.exe
File opened (read-only)	\??\S:	2TXt7S.exe
File opened (read-only)	\??\Z:	2TXt7S.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	2TXt7S.exe
File opened (read-only)	\??\X:	2TXt7S.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	2TXt7S.exe
File opened (read-only)	\??\I:	2TXt7S.exe
File opened (read-only)	\??\K:	2TXt7S.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	2TXt7S.exe
File opened (read-only)	\??\L:	2TXt7S.exe
File opened (read-only)	\??\M:	2TXt7S.exe
File opened (read-only)	\??\P:	2TXt7S.exe
File opened (read-only)	\??\V:	2TXt7S.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	2TXt7S.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\acro20.lng	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01660_.WMF	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00452_.WMF	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0240719.WMF	2TXt7S.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix	2TXt7S.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14515_.GIF	2TXt7S.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jce.jar	2TXt7S.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png	2TXt7S.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_right.png	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18185_.WMF	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Issue Tracking.gta	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html	2TXt7S.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png	2TXt7S.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR40F.GIF	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF	2TXt7S.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\Wks9Pxy.cnv	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OMSMAIN.DLL	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Status.accft	2TXt7S.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv	2TXt7S.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtobe	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00186_.WMF	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Earthy.css	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\MSB1FRAR.ITS	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\NETWORK.ELM	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10307_.GIF	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEMS.ICO	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png	2TXt7S.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access	2TXt7S.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7	2TXt7S.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kiritimati	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281640.WMF	2TXt7S.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui	2TXt7S.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Juan	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\micaut.dll.mui	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif	2TXt7S.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki	2TXt7S.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui	2TXt7S.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\currency.js	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CG1606.WMF	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0230553.WMF	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00256_.WMF	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00232_.WMF	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21504_.GIF	2TXt7S.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui	2TXt7S.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\TexturedBlue.css	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21427_.GIF	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\localizedStrings.js	2TXt7S.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml	2TXt7S.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui	2TXt7S.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2TXt7S.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png	2TXt7S.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21375_.GIF	2TXt7S.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f77a5a2.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\f77a5a2.mst	msiexec.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	34532	msiexec.exe
Token: SeTakeOwnershipPrivilege	34532	msiexec.exe
Token: SeSecurityPrivilege	34532	msiexec.exe
Token: SeRestorePrivilege	34532	msiexec.exe
Token: SeTakeOwnershipPrivilege	34532	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe
"C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:2296

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:34532
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 91E9033CD024C029AA03CFF8C0857649
  2⤵
  PID:34128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini

Filesize
1KB

MD5
29325c0d439dd82d85a757a442ed88f1

SHA1
f6d0b8a79c89f7bd38d0bf99a999671d2ca6fc71

SHA256
7d614b5ffdde7721792710e0172c3d70d7c52533c900cf528b76bcd419465210

SHA512
8e3abe3a319a9d59583ca1ee4e8c51da8930697bc1f4569493c9f965c34cdda158ac7b8a046cfb131d4e3f379d6fdb99690ba5a04a76a1b65ac30a9395f17f28

Download Submit
C:\Windows\Installer\MSIA718.tmp

Filesize
257KB

MD5
d1f5ce6b23351677e54a245f46a9f8d2

SHA1
0d5c6749401248284767f16df92b726e727718ca

SHA256
57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

SHA512
960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

Download Submit
C:\Windows\Installer\MSID606.tmp

Filesize
19KB

MD5
9cadbfa797783ff9e7fc60301de9e1ff

SHA1
83bde6d6b75dfc88d3418ec1a2e935872b8864bb

SHA256
c1eda5c42be64cfc08408a276340c9082f424ec1a4e96e78f85e9f80d0634141

SHA512
095963d9e01d46dae7908e3de6f115d7a0eebb114a5ec6e4e9312dbc22ba5baa268f5acece328066c9456172e90a95e097a35b9ed61589ce9684762e38f1385b

Download Submit
memory/2296-0-0x0000000000170000-0x000000000019C000-memory.dmp

Filesize
176KB

Download