c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505

Resubmissions

21-07-2024 10:21

240721-mdsbgsycje 10

20-07-2024 13:01

240720-p8648szapp 10

Analysis

max time kernel
60s
max time network
22s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 13:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

WellPlayed.exe
Size

145KB
MD5

337559ae1b02b42586781787918b4b6c
SHA1

114577ce6270fde6ed9dbc782484bfa36766baed
SHA256

c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505
SHA512

8f6a3ed66d74a3950c78b24c8617714697ba8f3eea8ff75ba74206a2ee814212389d50d2824cdf96311774f16730429e4bae28b9c59b97dd0baf4e20dc73189f
SSDEEP

3072:uqJogYkcSNm9V7D/Lwi7Z2ncxMN9vMWT:uq2kc4m9tDTwi7Z2cF

Score

7^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

E1B8.tmp

pid	Process
1816	E1B8.tmp

Executes dropped EXE 1 IoCs

Processes:

E1B8.tmp

pid	Process
1816	E1B8.tmp

Loads dropped DLL 1 IoCs

Processes:

WellPlayed.exe

pid	Process
2360	WellPlayed.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

WellPlayed.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini	WellPlayed.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini	WellPlayed.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WellPlayed.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\txdM9F1WD.bmp"	WellPlayed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\txdM9F1WD.bmp"	WellPlayed.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

E1B8.tmp

pid	Process
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp

Modifies Control Panel 2 IoCs

evasion

Processes:

WellPlayed.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop	WellPlayed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\WallpaperStyle = "10"	WellPlayed.exe

Modifies registry class 5 IoCs

Processes:

WellPlayed.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txdM9F1WD\DefaultIcon\ = "C:\\ProgramData\\txdM9F1WD.ico"	WellPlayed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txdM9F1WD	WellPlayed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txdM9F1WD\ = "txdM9F1WD"	WellPlayed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txdM9F1WD\DefaultIcon	WellPlayed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txdM9F1WD	WellPlayed.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
1584	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WellPlayed.exe

pid	Process
2360	WellPlayed.exe
2360	WellPlayed.exe
2360	WellPlayed.exe
2360	WellPlayed.exe
2360	WellPlayed.exe
2360	WellPlayed.exe
2360	WellPlayed.exe
2360	WellPlayed.exe
2360	WellPlayed.exe
2360	WellPlayed.exe
2360	WellPlayed.exe
2360	WellPlayed.exe
2360	WellPlayed.exe
2360	WellPlayed.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

E1B8.tmp

pid	Process
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp
1816	E1B8.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WellPlayed.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeDebugPrivilege	2360	WellPlayed.exe
Token: 36	2360	WellPlayed.exe
Token: SeImpersonatePrivilege	2360	WellPlayed.exe
Token: SeIncBasePriorityPrivilege	2360	WellPlayed.exe
Token: SeIncreaseQuotaPrivilege	2360	WellPlayed.exe
Token: 33	2360	WellPlayed.exe
Token: SeManageVolumePrivilege	2360	WellPlayed.exe
Token: SeProfSingleProcessPrivilege	2360	WellPlayed.exe
Token: SeRestorePrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeSystemProfilePrivilege	2360	WellPlayed.exe
Token: SeTakeOwnershipPrivilege	2360	WellPlayed.exe
Token: SeShutdownPrivilege	2360	WellPlayed.exe
Token: SeDebugPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeBackupPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe
Token: SeSecurityPrivilege	2360	WellPlayed.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WellPlayed.exe

description	pid	Process	procid_target
PID 2360 wrote to memory of 1816	2360	WellPlayed.exe	33
PID 2360 wrote to memory of 1816	2360	WellPlayed.exe	33
PID 2360 wrote to memory of 1816	2360	WellPlayed.exe	33
PID 2360 wrote to memory of 1816	2360	WellPlayed.exe	33
PID 2360 wrote to memory of 1816	2360	WellPlayed.exe	33

C:\Users\Admin\AppData\Local\Temp\WellPlayed.exe
"C:\Users\Admin\AppData\Local\Temp\WellPlayed.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\ProgramData\E1B8.tmp
  "C:\ProgramData\E1B8.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  PID:1816

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\txdM9F1WD.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\AAAAAAAAAAA

Filesize
129B

MD5
29fcdf263422cb6b47670ddbe85e8406

SHA1
6f8459445fca7b008d90612ab09e333f35e68984

SHA256
16ec4c75b9be87287eff2e58c8d41032b9c558e56dee608a96dcf0abe0bce40e

SHA512
33a946224fed7c1600f2239d9d4923eb8b7bb39fd654fbb046861c112870f5f00552caf6d175d5e06bee6054cb96d6f93df29b8df467e0350f356be52ddb35dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDD

Filesize
145KB

MD5
6cbcc6be0580f9767287ab13a90f6968

SHA1
14d238959adefa8c1ece824693055e26d2665ed9

SHA256
282cc79869298acb17aabe6488c771f2c882f7ca76a23548b9d42e968a3584d8

SHA512
51e48a2b26761639db35df6f5645d90158bee52c1c111dc0a3974114b91812fc0536ec65d8d7818bd602e7ff1a4221d63cf403f43c0d5ce8f2c82ad46a98ffdb

Download Submit
C:\txdM9F1WD.README.txt

Filesize
27B

MD5
734928ecdc131bc5f8de15316a4a3c36

SHA1
99f69f63b39bc26bab9e3a88a37e5eca67aff5c8

SHA256
5778fea386e2432c9d30e0a22ad06a4021462d6688c3dd2bf19e7a0206049fd5

SHA512
e0490bc9cb7cb18c99824eaf8aa37ee10be841245a3aa03f227d80dfd63ab125d025de6d9374883707a0ce60dc6e85079ada0bd1a22121ed9e9c75836fcf979d

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\DDDDDDDDDDD

Filesize
129B

MD5
e86eca8ddb50f2ecba0853c49ff28d8a

SHA1
6438e9c7746c8d59afc7d72b263b9a787901dbdd

SHA256
ee4035c8cdf2bc9ddc217fa88d38c808b0370171adc83e207d132bab963aeb91

SHA512
6bc546c9b322941748b8da2d3c2b2eb9d4309beec3eaf3c5ff49080a2e83563b596c208c819a2498619a7ea6f2438977ac89824c762f4a40ee28f7c20c0f2d75

Download Submit
\ProgramData\E1B8.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1816-895-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1816-896-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/1816-898-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1816-897-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2360-0-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads