Malware Analysis Report

2024-10-18 21:36

Sample ID: 240724-vx83ca1erf
Target: play.exe
SHA256: bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7
Tags: ransomware, play, discovery
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7

Threat Level: Known bad

The file play.exe was found to be: Known bad.

Malicious Activity Summary

Tags: ransomware, play, discovery

Play family

Play ransomware payload

PLAY Ransomware, PlayCrypt

Renames multiple (191) files with added filename extension

Enumerates connected drives

Drops desktop.ini file(s)

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-24 17:23

Signatures

Play family (tags: play)

Play ransomware payload (tags: ransomware)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-24 17:23
Reported: 2024-07-24 17:24
Platform: win10-20240404-en
Max time kernel: 20s
Max time network: 17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\play.exe"

Signatures

PLAY Ransomware, PlayCrypt (tags: ransomware, play)

Renames multiple (191) files with added filename extension (tags: ransomware)

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3968772205-1713802336-1776639840-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\en-US\wab32res.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\uk-UA\IpsMigrationPlugin.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\SoftBlue.jpg | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_100_percent.pak | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\7-Zip\descript.ion | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\de-DE\IpsMigrationPlugin.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nl.pak | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sw.txt | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\it-IT\micaut.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hr.pak | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\nacl_irt_x86_64.nexe | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\mip.exe.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\msador28.tlb | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\it.pak | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\play.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\play.exe

"C:\Users\Admin\AppData\Local\Temp\play.exe"

Network

N/A

Files

memory/1516-0-0x0000000000380000-0x00000000003AC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3968772205-1713802336-1776639840-1000\desktop.ini

MD5: b0e9b1224bc7dc78cb2421238360b6c4
SHA1: ee3934c0924957a1f585af437fc985276e6a3817
SHA256: bf3e8f46aac69d8bf0ad716fe3c6430518d4518b432d3e6c3da9453af55faf40
SHA512: 3d8a106b3cfc138d70c1748b6b6f01ea6e01667d134a490d077a0b991df30a98406ca8abd9258bc6d50e98d70f6f40d15234d67c36f49454c725587ade259e63