play | bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7

Analysis

max time kernel
85s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
Size

178KB
MD5

4519a5876b3e77568105da0f1c2ebb4d
SHA1

78823aed1ec75b00214dccd654f5ea5dd38cfd58
SHA256

bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7
SHA512

f4a106b983a3c330983a6bce311cff54241c9a9b7aac31116a1ee0ebca9f20126d9e584f4b6b8fbbd3498fbb4632d1fe6373e08fd7dc3f0819fe9ebd8d9c69f9
SSDEEP

3072:Yrl2uRkddO+iR7OZOQ+dzeIP9mwUGU3l2bxW1/9JnOC/fhKJ2hXh3lmG:22uyqOh2g8U12K9dtEWx17

Score

10^/10

play ransomware

Malware Config

Signatures

PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
ransomware play
Renames multiple (7892) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2812790648-3157963462-487717889-1000\desktop.ini	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\desktop.ini	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\P:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\Y:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\G:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\X:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\V:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\E:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\H:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\J:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\K:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\M:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\N:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\R:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\A:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\Z:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\W:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\I:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\O:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\Q:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\S:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\T:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\U:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened (read-only)	\??\B:	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\ShvlRes.dll.mui	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\setup_wm.exe.mui	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Charitable Contributions.accdt	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Montevideo	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01174_.WMF	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\CollectSignatures_Init.xsn	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV11.POC	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_dot.png	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePageScript.js	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\wordpad.exe.mui	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\FPEXT.MSG	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107748.WMF	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\gadget.xml	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188513.WMF	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\WISC30.DLL	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0211949.WMF	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLMAILR.FAE	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\WMPDMC.exe.mui	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00050_.WMF	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00052_.WMF	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_COL.HXT	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUB6INTL.REST.IDX_DLL	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\it-IT\TableTextService.dll.mui	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\TAB_OFF.GIF	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\STINTL.DLL	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Scoresbysund	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.change_2.10.0.v20140901-1043.jar	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Earthy.css	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_zh_CN.jar	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\PYCC.pf	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185800.WMF	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcfr.dll.mui	2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2812790648-3157963462-487717889-1000\desktop.ini

Filesize
1KB

MD5
08ec069f0e21d9b4043208d96b523145

SHA1
fb23e2453db575f6c0836fc59c17ca7bfe93e86e

SHA256
7e509915104f85c94996fcc3cfb1eff8ac5e73fda64d6e9efcceec349c1550c1

SHA512
9bdd07d0461913dfb9a79cb855f9a82fe6e2702ddc285faf34606fd3537f6d96664e788c78796ef9c801d9da51486c628036e79be5c226fde279e0879d70644f

Download Submit
memory/2212-0-0x00000000002F0000-0x000000000031C000-memory.dmp

Filesize
176KB

Download