c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505

Resubmissions

21-07-2024 10:21

240721-mdsbgsycje 10

20-07-2024 13:01

240720-p8648szapp 10

Analysis

max time kernel
47s
max time network
30s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
20-07-2024 13:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

WellPlayed.exe
Size

145KB
MD5

337559ae1b02b42586781787918b4b6c
SHA1

114577ce6270fde6ed9dbc782484bfa36766baed
SHA256

c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505
SHA512

8f6a3ed66d74a3950c78b24c8617714697ba8f3eea8ff75ba74206a2ee814212389d50d2824cdf96311774f16730429e4bae28b9c59b97dd0baf4e20dc73189f
SSDEEP

3072:uqJogYkcSNm9V7D/Lwi7Z2ncxMN9vMWT:uq2kc4m9tDTwi7Z2cF

Score

7^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

883C.tmp

pid	Process
2188	883C.tmp

Executes dropped EXE 1 IoCs

Processes:

883C.tmp

pid	Process
2188	883C.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

WellPlayed.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3968772205-1713802336-1776639840-1000\desktop.ini	WellPlayed.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3968772205-1713802336-1776639840-1000\desktop.ini	WellPlayed.exe

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PP8z080rukvad16m1pmvq9mxs8.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP3u9ud4a6x69l816esoldik0l.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPoqafaoglm3pts6w1t_6x_y2sd.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WellPlayed.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\txdM9F1WD.bmp"	WellPlayed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\txdM9F1WD.bmp"	WellPlayed.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

883C.tmp

pid	Process
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

WellPlayed.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop	WellPlayed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\WallpaperStyle = "10"	WellPlayed.exe

Modifies registry class 5 IoCs

Processes:

WellPlayed.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txdM9F1WD\ = "txdM9F1WD"	WellPlayed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txdM9F1WD\DefaultIcon	WellPlayed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txdM9F1WD	WellPlayed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txdM9F1WD\DefaultIcon\ = "C:\\ProgramData\\txdM9F1WD.ico"	WellPlayed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txdM9F1WD	WellPlayed.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

WellPlayed.exeONENOTE.EXE

pid	Process
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4904	WellPlayed.exe
4668	ONENOTE.EXE
4668	ONENOTE.EXE

Suspicious behavior: RenamesItself 26 IoCs

Processes:

883C.tmp

pid	Process
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp
2188	883C.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WellPlayed.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeDebugPrivilege	4904	WellPlayed.exe
Token: 36	4904	WellPlayed.exe
Token: SeImpersonatePrivilege	4904	WellPlayed.exe
Token: SeIncBasePriorityPrivilege	4904	WellPlayed.exe
Token: SeIncreaseQuotaPrivilege	4904	WellPlayed.exe
Token: 33	4904	WellPlayed.exe
Token: SeManageVolumePrivilege	4904	WellPlayed.exe
Token: SeProfSingleProcessPrivilege	4904	WellPlayed.exe
Token: SeRestorePrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeSystemProfilePrivilege	4904	WellPlayed.exe
Token: SeTakeOwnershipPrivilege	4904	WellPlayed.exe
Token: SeShutdownPrivilege	4904	WellPlayed.exe
Token: SeDebugPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeBackupPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe
Token: SeSecurityPrivilege	4904	WellPlayed.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	Process
4668	ONENOTE.EXE
4668	ONENOTE.EXE
4668	ONENOTE.EXE
4668	ONENOTE.EXE
4668	ONENOTE.EXE
4668	ONENOTE.EXE
4668	ONENOTE.EXE
4668	ONENOTE.EXE
4668	ONENOTE.EXE
4668	ONENOTE.EXE
4668	ONENOTE.EXE
4668	ONENOTE.EXE
4668	ONENOTE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WellPlayed.exeprintfilterpipelinesvc.exe

description	pid	Process	procid_target
PID 4904 wrote to memory of 5096	4904	WellPlayed.exe	78
PID 4904 wrote to memory of 5096	4904	WellPlayed.exe	78
PID 4904 wrote to memory of 2188	4904	WellPlayed.exe	80
PID 4904 wrote to memory of 2188	4904	WellPlayed.exe	80
PID 4904 wrote to memory of 2188	4904	WellPlayed.exe	80
PID 4904 wrote to memory of 2188	4904	WellPlayed.exe	80
PID 4400 wrote to memory of 4668	4400	printfilterpipelinesvc.exe	81
PID 4400 wrote to memory of 4668	4400	printfilterpipelinesvc.exe	81

C:\Users\Admin\AppData\Local\Temp\WellPlayed.exe
"C:\Users\Admin\AppData\Local\Temp\WellPlayed.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:5096
- C:\ProgramData\883C.tmp
  "C:\ProgramData\883C.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  PID:2188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
- Drops file in Windows directory
PID:4156

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{A14EFB46-AF9A-4B21-AF76-75FE06847232}.xps" 133659540786720000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3968772205-1713802336-1776639840-1000\HHHHHHHHHHH

Filesize
129B

MD5
a7788037fa6d04d218163be8c7435591

SHA1
308955d8910104cf3dff01b1a95115d3db8567f1

SHA256
b43bb900614f50127f974c3dea8b3c1a7afe89565a120339cc5ad1d2e14bdfa1

SHA512
1968e128b67f2fd55848ecdb2b1cdd87469abdc7ac0254d6a2c2d526743c3866a97399048db76c4ce5939cefcd135920c10238e25cc465665e76606aece5df6f

Download Submit
C:\ProgramData\883C.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEE

Filesize
145KB

MD5
9650ead71ebb18c35ee3d2064dc16c07

SHA1
ea2b6fa5cb079541219748b52f95503d00a3c46a

SHA256
5d530dc81d8bbe87ca1838a3c3ec8c32162cf180f62cbc2361d5013d01ea7cf3

SHA512
5b161dac1280e7618fe4dff415bb813ace4c3c8c1e3640bb2f2d11586fc40ddcf3996a5bd2f4d68ec384b22c936302f2cc5b8c3bcc856cba8f7a6881319e9ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BA5E81E8-6D4D-4DC7-A162-5FB1284F2930}

Filesize
4KB

MD5
49de34a77a3484b47c902a6890ed7cca

SHA1
027ee370687dbb10ad9dcd8ea6bf2ed53634ea82

SHA256
575f2b194873bf11c289e7f3033b595b46727adc60f644f698cfe0cef1f3e300

SHA512
00abe3d9932c47ccba61e02363220bda2a5ba0256c539cb508869dcd8cd3fc2341cae5f767a77c1dc8269c8e9ca8728c0bb2f30e0cd7303c27aab428398519f2

Download Submit
C:\txdM9F1WD.README.txt

Filesize
27B

MD5
734928ecdc131bc5f8de15316a4a3c36

SHA1
99f69f63b39bc26bab9e3a88a37e5eca67aff5c8

SHA256
5778fea386e2432c9d30e0a22ad06a4021462d6688c3dd2bf19e7a0206049fd5

SHA512
e0490bc9cb7cb18c99824eaf8aa37ee10be841245a3aa03f227d80dfd63ab125d025de6d9374883707a0ce60dc6e85079ada0bd1a22121ed9e9c75836fcf979d

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3968772205-1713802336-1776639840-1000\DDDDDDDDDDD

Filesize
129B

MD5
0f883d1ccbce046b41a54b4710fda02b

SHA1
af693dd690dbf4077c087d32b8c7ea6dd9b157b3

SHA256
2e78f711465de628efc44a419af15c586128e7de059e6cd46f677c66b24e65dd

SHA512
0ccb5ad7ccaaea49a721ccc57a7df93495d2e37018f3fdee3f0fcf0d4c6268fd6c7ceb418665b699550a6699c604a0082023c8c20a4c7bfe96891bdcf4cc60f8

Download Submit
memory/4156-2605-0x000001EFF1D90000-0x000001EFF1DA0000-memory.dmp

Filesize
64KB

Download
memory/4156-2610-0x000001EFF1FD0000-0x000001EFF1FE0000-memory.dmp

Filesize
64KB

Download
memory/4156-2616-0x000001EFF20C0000-0x000001EFF20C1000-memory.dmp

Filesize
4KB

Download
memory/4156-2618-0x000001EFF26A0000-0x000001EFF26A1000-memory.dmp

Filesize
4KB

Download
memory/4156-2620-0x000001EFF6C80000-0x000001EFF6C81000-memory.dmp

Filesize
4KB

Download
memory/4156-2621-0x000001EFF6C90000-0x000001EFF6C91000-memory.dmp

Filesize
4KB

Download
memory/4668-2666-0x00007FF95AFC0000-0x00007FF95AFD0000-memory.dmp

Filesize
64KB

Download
memory/4668-2665-0x00007FF95AFC0000-0x00007FF95AFD0000-memory.dmp

Filesize
64KB

Download
memory/4668-2667-0x00007FF95AFC0000-0x00007FF95AFD0000-memory.dmp

Filesize
64KB

Download
memory/4668-2668-0x00007FF95AFC0000-0x00007FF95AFD0000-memory.dmp

Filesize
64KB

Download
memory/4668-2671-0x00007FF958160000-0x00007FF958170000-memory.dmp

Filesize
64KB

Download
memory/4668-2672-0x00007FF958160000-0x00007FF958170000-memory.dmp

Filesize
64KB

Download
memory/4904-1-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/4904-0-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/4904-2-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/5096-3094-0x00007FF78E4D0000-0x00007FF78E4F5000-memory.dmp

Filesize
148KB

Download
memory/5096-3096-0x00007FF998490000-0x00007FF99853E000-memory.dmp

Filesize
696KB

Download
memory/5096-3101-0x00007FF9990B0000-0x00007FF9991D5000-memory.dmp

Filesize
1.1MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads