c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505

Resubmissions

21-07-2024 10:21

240721-mdsbgsycje 10

20-07-2024 13:01

240720-p8648szapp 10

Analysis

max time kernel
54s
max time network
55s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
20-07-2024 13:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

WellPlayed.exe
Size

145KB
MD5

337559ae1b02b42586781787918b4b6c
SHA1

114577ce6270fde6ed9dbc782484bfa36766baed
SHA256

c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505
SHA512

8f6a3ed66d74a3950c78b24c8617714697ba8f3eea8ff75ba74206a2ee814212389d50d2824cdf96311774f16730429e4bae28b9c59b97dd0baf4e20dc73189f
SSDEEP

3072:uqJogYkcSNm9V7D/Lwi7Z2ncxMN9vMWT:uq2kc4m9tDTwi7Z2cF

Score

7^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

D988.tmp

pid	Process
1448	D988.tmp

Executes dropped EXE 1 IoCs

Processes:

D988.tmp

pid	Process
1448	D988.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

WellPlayed.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-126710838-2490174220-686410903-1000\desktop.ini	WellPlayed.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-126710838-2490174220-686410903-1000\desktop.ini	WellPlayed.exe

Drops file in System32 directory 4 IoCs

Processes:

printfilterpipelinesvc.exesplwow64.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PPzx6wzruemlt9rihrt45f1dxjc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPl0n8mrmzqmwifes5zysjpozde.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPyyll7ssxo_be7t4fsptk1z6pc.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WellPlayed.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\txdM9F1WD.bmp"	WellPlayed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\txdM9F1WD.bmp"	WellPlayed.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

D988.tmp

pid	Process
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

WellPlayed.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Control Panel\Desktop	WellPlayed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Control Panel\Desktop\WallpaperStyle = "10"	WellPlayed.exe

Modifies registry class 5 IoCs

Processes:

WellPlayed.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txdM9F1WD	WellPlayed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txdM9F1WD\ = "txdM9F1WD"	WellPlayed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txdM9F1WD\DefaultIcon	WellPlayed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txdM9F1WD	WellPlayed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txdM9F1WD\DefaultIcon\ = "C:\\ProgramData\\txdM9F1WD.ico"	WellPlayed.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
3136	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ONENOTE.EXE

pid	Process
2448	ONENOTE.EXE
2448	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WellPlayed.exe

pid	Process
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe
1288	WellPlayed.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

D988.tmp

pid	Process
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp
1448	D988.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WellPlayed.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeDebugPrivilege	1288	WellPlayed.exe
Token: 36	1288	WellPlayed.exe
Token: SeImpersonatePrivilege	1288	WellPlayed.exe
Token: SeIncBasePriorityPrivilege	1288	WellPlayed.exe
Token: SeIncreaseQuotaPrivilege	1288	WellPlayed.exe
Token: 33	1288	WellPlayed.exe
Token: SeManageVolumePrivilege	1288	WellPlayed.exe
Token: SeProfSingleProcessPrivilege	1288	WellPlayed.exe
Token: SeRestorePrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeSystemProfilePrivilege	1288	WellPlayed.exe
Token: SeTakeOwnershipPrivilege	1288	WellPlayed.exe
Token: SeShutdownPrivilege	1288	WellPlayed.exe
Token: SeDebugPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeBackupPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe
Token: SeSecurityPrivilege	1288	WellPlayed.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

ONENOTE.EXE

pid	Process
2448	ONENOTE.EXE
2448	ONENOTE.EXE
2448	ONENOTE.EXE
2448	ONENOTE.EXE
2448	ONENOTE.EXE
2448	ONENOTE.EXE
2448	ONENOTE.EXE
2448	ONENOTE.EXE
2448	ONENOTE.EXE
2448	ONENOTE.EXE
2448	ONENOTE.EXE
2448	ONENOTE.EXE
2448	ONENOTE.EXE
2448	ONENOTE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WellPlayed.exeprintfilterpipelinesvc.exe

description	pid	Process	procid_target
PID 1288 wrote to memory of 4548	1288	WellPlayed.exe	84
PID 1288 wrote to memory of 4548	1288	WellPlayed.exe	84
PID 3108 wrote to memory of 2448	3108	printfilterpipelinesvc.exe	87
PID 3108 wrote to memory of 2448	3108	printfilterpipelinesvc.exe	87
PID 1288 wrote to memory of 1448	1288	WellPlayed.exe	88
PID 1288 wrote to memory of 1448	1288	WellPlayed.exe	88
PID 1288 wrote to memory of 1448	1288	WellPlayed.exe	88
PID 1288 wrote to memory of 1448	1288	WellPlayed.exe	88

C:\Users\Admin\AppData\Local\Temp\WellPlayed.exe
"C:\Users\Admin\AppData\Local\Temp\WellPlayed.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:4548
- C:\ProgramData\D988.tmp
  "C:\ProgramData\D988.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2348

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B61BA242-8B68-48E6-BE05-DE46392A8280}.xps" 133659540811580000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2448

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\txdM9F1WD.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-126710838-2490174220-686410903-1000\BBBBBBBBBBB

Filesize
129B

MD5
c774b878f3839d77552f6d1bfd34ccdf

SHA1
1af70b13c18876e60c57f4efa9a1e7484799fe8c

SHA256
761d8c032e3683bcaeaa0b772f1561436d56a68d2ce17bd72c6eb02ffef07eb4

SHA512
3c067f1aa1421390514df3d0d48795129b28f14029c8a6ac5f4c01f78b0a2ceb19ffd33bcc925aed536690ca2e404d933971f6f36e8b971547e042c85075f755

Download Submit
C:\ProgramData\D988.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCC

Filesize
145KB

MD5
1010e2c1f71e9b03846eeb81f6eaf7af

SHA1
0c447e77498c6dc56397206c1a43a12ee2247819

SHA256
847805178cad5e51d431bcb89074381fccecc1c6f9054bb1aa145a08538c8fc6

SHA512
09a50a32b0c293dab8e355ca46cf11c28b7d5650850f79aa49c5a0e26ab0bd6238296f87c0601f2e8e650706ed0d7a88e293d78ce4c176e7d27995ff14dff209

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
c9df91bbc5ed267d528e4d256c6dc73e

SHA1
3308f3d378472a886ca667bbf0b443cb4069c8f4

SHA256
cb8fab6289a40d7664674e5b6e25af895e2a876ffbabda8c3ba841b036e10b30

SHA512
32c9cca3a14927728c8be3669a353e662f122787c1ec8e89fbeaeab215a98d5fe67dc65df6254cfde811df54df1ee8428c5488a97d23f55b2d6f0e08cd70daa5

Download Submit
C:\txdM9F1WD.README.txt

Filesize
27B

MD5
734928ecdc131bc5f8de15316a4a3c36

SHA1
99f69f63b39bc26bab9e3a88a37e5eca67aff5c8

SHA256
5778fea386e2432c9d30e0a22ad06a4021462d6688c3dd2bf19e7a0206049fd5

SHA512
e0490bc9cb7cb18c99824eaf8aa37ee10be841245a3aa03f227d80dfd63ab125d025de6d9374883707a0ce60dc6e85079ada0bd1a22121ed9e9c75836fcf979d

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-126710838-2490174220-686410903-1000\DDDDDDDDDDD

Filesize
129B

MD5
1c6aef9242bf4e9a65bf7d04fef33acd

SHA1
c838d8bf19a994db2901996c33fdf581c361c7f3

SHA256
0b36a5dde8ce68a645c2f2ffae0428d7dbaff04ed9c32aaa313c3a09c78bfe42

SHA512
c15defb4e6bee0aecbf4baeefc68ecd9bb5c12f30f4a67c121663897ec17416bfc15144bf4c69b54171a8cb3bd1760ae166a8e02134172c5b0256ab6697b2561

Download Submit
memory/1288-1-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/1288-0-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/1288-2-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/2448-2781-0x00007FFF5DF90000-0x00007FFF5DFA0000-memory.dmp

Filesize
64KB

Download
memory/2448-2804-0x00007FFF5BD70000-0x00007FFF5BD80000-memory.dmp

Filesize
64KB

Download
memory/2448-2782-0x00007FFF5DF90000-0x00007FFF5DFA0000-memory.dmp

Filesize
64KB

Download
memory/2448-2779-0x00007FFF5DF90000-0x00007FFF5DFA0000-memory.dmp

Filesize
64KB

Download
memory/2448-2778-0x00007FFF5DF90000-0x00007FFF5DFA0000-memory.dmp

Filesize
64KB

Download
memory/2448-2849-0x00007FFF5DF90000-0x00007FFF5DFA0000-memory.dmp

Filesize
64KB

Download
memory/2448-2780-0x00007FFF5DF90000-0x00007FFF5DFA0000-memory.dmp

Filesize
64KB

Download
memory/2448-2816-0x00007FFF5BD70000-0x00007FFF5BD80000-memory.dmp

Filesize
64KB

Download
memory/2448-2852-0x00007FFF5DF90000-0x00007FFF5DFA0000-memory.dmp

Filesize
64KB

Download
memory/2448-2851-0x00007FFF5DF90000-0x00007FFF5DFA0000-memory.dmp

Filesize
64KB

Download
memory/2448-2850-0x00007FFF5DF90000-0x00007FFF5DFA0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads