c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505

Resubmissions

21/07/2024, 10:21

240721-mdsbgsycje 10

20/07/2024, 13:01

240720-p8648szapp 10

Analysis

max time kernel
51s
max time network
28s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
21/07/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

WellPlayed.exe
Size

145KB
MD5

337559ae1b02b42586781787918b4b6c
SHA1

114577ce6270fde6ed9dbc782484bfa36766baed
SHA256

c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505
SHA512

8f6a3ed66d74a3950c78b24c8617714697ba8f3eea8ff75ba74206a2ee814212389d50d2824cdf96311774f16730429e4bae28b9c59b97dd0baf4e20dc73189f
SSDEEP

3072:uqJogYkcSNm9V7D/Lwi7Z2ncxMN9vMWT:uq2kc4m9tDTwi7Z2cF

Score

7^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1308	97BD.tmp

Executes dropped EXE 1 IoCs

pid	Process
1308	97BD.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1687926120-3022217735-1146543763-1000\desktop.ini	WellPlayed.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1687926120-3022217735-1146543763-1000\desktop.ini	WellPlayed.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PP4ek8d8a0mv04pj0wjfb80kofd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPc_rp2lrzqpeed94pfpn6_uqx.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPm89xavq1uphn8rxu54ere6zce.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\txdM9F1WD.bmp"	WellPlayed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\txdM9F1WD.bmp"	WellPlayed.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop	WellPlayed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\WallpaperStyle = "10"	WellPlayed.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txdM9F1WD	WellPlayed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txdM9F1WD\ = "txdM9F1WD"	WellPlayed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txdM9F1WD\DefaultIcon	WellPlayed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txdM9F1WD	WellPlayed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txdM9F1WD\DefaultIcon\ = "C:\\ProgramData\\txdM9F1WD.ico"	WellPlayed.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
3936	WellPlayed.exe
4144	ONENOTE.EXE
4144	ONENOTE.EXE

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp
1308	97BD.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeDebugPrivilege	3936	WellPlayed.exe
Token: 36	3936	WellPlayed.exe
Token: SeImpersonatePrivilege	3936	WellPlayed.exe
Token: SeIncBasePriorityPrivilege	3936	WellPlayed.exe
Token: SeIncreaseQuotaPrivilege	3936	WellPlayed.exe
Token: 33	3936	WellPlayed.exe
Token: SeManageVolumePrivilege	3936	WellPlayed.exe
Token: SeProfSingleProcessPrivilege	3936	WellPlayed.exe
Token: SeRestorePrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeSystemProfilePrivilege	3936	WellPlayed.exe
Token: SeTakeOwnershipPrivilege	3936	WellPlayed.exe
Token: SeShutdownPrivilege	3936	WellPlayed.exe
Token: SeDebugPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeBackupPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe
Token: SeSecurityPrivilege	3936	WellPlayed.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4144	ONENOTE.EXE
4144	ONENOTE.EXE
4144	ONENOTE.EXE
4144	ONENOTE.EXE
4144	ONENOTE.EXE
4144	ONENOTE.EXE
4144	ONENOTE.EXE
4144	ONENOTE.EXE
4144	ONENOTE.EXE
4144	ONENOTE.EXE
4144	ONENOTE.EXE
4144	ONENOTE.EXE
4144	ONENOTE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 192	3936	WellPlayed.exe	78
PID 3936 wrote to memory of 192	3936	WellPlayed.exe	78
PID 3936 wrote to memory of 1308	3936	WellPlayed.exe	80
PID 3936 wrote to memory of 1308	3936	WellPlayed.exe	80
PID 3936 wrote to memory of 1308	3936	WellPlayed.exe	80
PID 3936 wrote to memory of 1308	3936	WellPlayed.exe	80
PID 2288 wrote to memory of 4144	2288	printfilterpipelinesvc.exe	81
PID 2288 wrote to memory of 4144	2288	printfilterpipelinesvc.exe	81

C:\Users\Admin\AppData\Local\Temp\WellPlayed.exe
"C:\Users\Admin\AppData\Local\Temp\WellPlayed.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:192
- C:\ProgramData\97BD.tmp
  "C:\ProgramData\97BD.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
- Drops file in Windows directory
PID:1724

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{5FCD73BF-F667-4983-B9AB-285B4F7674B0}.xps" 133660308952860000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1687926120-3022217735-1146543763-1000\desktop.ini

Filesize
129B

MD5
f3494febf3388b61e202a4401fa04f57

SHA1
db023a079697c6d679709c06758ac2cb6c965e9d

SHA256
54e604468e493c845cb78118db25d2c4b30302b541dcc6bce18b1e1f16cc2d06

SHA512
320d3fd6ab45d88b51b129e48901a1751278cbdf1e9b35a3d4a4acdcf395e29fa82aa8ca986cebbc955c00036be09e20bbd32d984de83ad907f136440bc8c7f5

Download Submit
C:\ProgramData\97BD.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEE

Filesize
145KB

MD5
a608d06a54556b4ad30f3400c177619b

SHA1
12b9e06755e162c6617d6f131266a770b2b81e60

SHA256
5aabfe4af5d4c38e58b7ee399f1dbb38c8e98d18fae1625cdb0d9296b0bb55c4

SHA512
c6841fff809a970e64d3073a5de2da4003b266e0f61a8d67f15faba8ab3cf4d7893a1b6fefd083d0eec39ace26f5745bcf4706bf986596eab13ea1654fd58f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E92FF19B-997E-41D2-845D-83A1CE02869E}

Filesize
4KB

MD5
4f616bd2f79b64eb1bc482f7dc64f0da

SHA1
f59bd93be6f1b0324788d3c88e15cc336d291f77

SHA256
2d540f68852849eec35060653ce1ba89bb9e47ceff57cec462c76c5e3d7209bb

SHA512
533d599be5b6728ac52addf5ca3d1686eba06e70d601d3ae4ffa3af3d0be2178fe05e5d5702bf5479d0b701e90d5773d8bcb48a0bd4fc803585ffd0cc448d1f6

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
1cc2d6f20139f8284b225a20ff241df7

SHA1
eeb1c2f8ee9653879bccb86e1972cbf468b407a6

SHA256
6320ab497aef56489e56b273596c08bc6e5b4e236be0ace1a09d5399fab0ff16

SHA512
1ab5ea74bf11032892cec58712c898d77950965a00b43dab69aec4802d87e4bd1c41eec565cdae4150cccd17e31f4fbda46c331a7c9450202e143de9e8dfed8a

Download Submit
C:\txdM9F1WD.README.txt

Filesize
27B

MD5
734928ecdc131bc5f8de15316a4a3c36

SHA1
99f69f63b39bc26bab9e3a88a37e5eca67aff5c8

SHA256
5778fea386e2432c9d30e0a22ad06a4021462d6688c3dd2bf19e7a0206049fd5

SHA512
e0490bc9cb7cb18c99824eaf8aa37ee10be841245a3aa03f227d80dfd63ab125d025de6d9374883707a0ce60dc6e85079ada0bd1a22121ed9e9c75836fcf979d

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1687926120-3022217735-1146543763-1000\DDDDDDDDDDD

Filesize
129B

MD5
3174675cccef8a764f8ae1906a129742

SHA1
a2aeab8ea6178e4cf9bb3e0311929f5174d8f40e

SHA256
6052ea8423f10482fa20eb87334cbd3d54eb554bba3d2924de302f3a3441d930

SHA512
6f0b1d48602dc11f325cc9fe4adf939d8a643d66c3a8c26f1ed453d1a47450569ba778a4d11c21da4c29e6ac74426589eb2b1244ebc73a9dadabca00ca10eee1

Download Submit
memory/1724-2908-0x0000023C52ED0000-0x0000023C52ED1000-memory.dmp

Filesize
4KB

Download
memory/1724-2906-0x0000023C52D90000-0x0000023C52D91000-memory.dmp

Filesize
4KB

Download
memory/1724-2909-0x0000023C52EF0000-0x0000023C52EF1000-memory.dmp

Filesize
4KB

Download
memory/1724-2893-0x0000023C4E0C0000-0x0000023C4E0D0000-memory.dmp

Filesize
64KB

Download
memory/1724-2897-0x0000023C4E390000-0x0000023C4E3A0000-memory.dmp

Filesize
64KB

Download
memory/1724-2904-0x0000023C4E7D0000-0x0000023C4E7D1000-memory.dmp

Filesize
4KB

Download
memory/3936-0-0x00000000013B0000-0x00000000013C0000-memory.dmp

Filesize
64KB

Download
memory/3936-2-0x00000000013B0000-0x00000000013C0000-memory.dmp

Filesize
64KB

Download
memory/3936-1-0x00000000013B0000-0x00000000013C0000-memory.dmp

Filesize
64KB

Download
memory/4144-2945-0x00007FFB420E0000-0x00007FFB420F0000-memory.dmp

Filesize
64KB

Download
memory/4144-2932-0x00007FFB420E0000-0x00007FFB420F0000-memory.dmp

Filesize
64KB

Download
memory/4144-2959-0x00007FFB3E930000-0x00007FFB3E940000-memory.dmp

Filesize
64KB

Download
memory/4144-2960-0x00007FFB3E930000-0x00007FFB3E940000-memory.dmp

Filesize
64KB

Download
memory/4144-2947-0x00007FFB420E0000-0x00007FFB420F0000-memory.dmp

Filesize
64KB

Download
memory/4144-2941-0x00007FFB420E0000-0x00007FFB420F0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads