Overview

overview

10

Static

static

3

f741b66592...02.exe

windows7-x64

10

f741b66592...02.exe

windows10-2004-x64

10

Resubmissions

25/07/2024, 14:12 UTC

240725-rh7dessgkl 10

07/07/2024, 09:11 UTC

240707-k5yaps1bpa 10

Analysis

  • max time kernel
    87s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/07/2024, 14:12 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f741b66592c42e73af7adc46815cf6183765a2fb6a5f9f96cc75eaaf7dc15402.exe

  • Size

    326KB

  • MD5

    f088b0524afae3a92f571c4cc390d064

  • SHA1

    4945a0a0f226aac22992e4960d1f764904c509d2

  • SHA256

    f741b66592c42e73af7adc46815cf6183765a2fb6a5f9f96cc75eaaf7dc15402

  • SHA512

    b41b13f7c3b8679371f1effbdb0f64e9466a549cda4116e058f18892e0883819fa797ac57c1eaad56db4f71dee39fa3ff107d12d656c40005813b1621820057e

  • SSDEEP

    6144:QXqpIW/yoztkBUPeuLWzWDj4IByRuE3AzJNxRbIIJE:qq2W/7RkB6qGKuE6NxBIIJE

Score
10/10
playdiscoveryransomware

Malware Config

Signatures

  • PLAY Ransomware, PlayCrypt

    Ransomware family first seen in mid 2022.

    ransomwareplay
  • Renames multiple (6112) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops desktop.ini file(s) 3 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery

Processes

  • C:\Users\Admin\AppData\Local\Temp\f741b66592c42e73af7adc46815cf6183765a2fb6a5f9f96cc75eaaf7dc15402.exe
    "C:\Users\Admin\AppData\Local\Temp\f741b66592c42e73af7adc46815cf6183765a2fb6a5f9f96cc75eaaf7dc15402.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:3940

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73deploystaticakamaitechnologiescom
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=064f1eab6ee8442d882f393f7bd47a44&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=064f1eab6ee8442d882f393f7bd47a44&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=054842FE992564551EB8563998026546; domain=.bing.com; expires=Tue, 19-Aug-2025 14:12:50 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8BA310F0B65E4B9A9BD6569D2A1181A8 Ref B: LON04EDGE0715 Ref C: 2024-07-25T14:12:50Z
    date: Thu, 25 Jul 2024 14:12:49 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=064f1eab6ee8442d882f393f7bd47a44&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=064f1eab6ee8442d882f393f7bd47a44&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=054842FE992564551EB8563998026546
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=FY50hYu-2B7bJCJpK1jdUzp-kCMgsh0SNGDeF_g47X8; domain=.bing.com; expires=Tue, 19-Aug-2025 14:12:50 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 057603ED5140431399B68162ADDEC68A Ref B: LON04EDGE0715 Ref C: 2024-07-25T14:12:50Z
    date: Thu, 25 Jul 2024 14:12:50 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=064f1eab6ee8442d882f393f7bd47a44&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=064f1eab6ee8442d882f393f7bd47a44&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=054842FE992564551EB8563998026546; MSPTC=FY50hYu-2B7bJCJpK1jdUzp-kCMgsh0SNGDeF_g47X8
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AE4106EACA22488FAD4441E1C420F6CC Ref B: LON04EDGE0715 Ref C: 2024-07-25T14:12:50Z
    date: Thu, 25 Jul 2024 14:12:50 GMT
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81deploystaticakamaitechnologiescom
  • flag-us
    DNS
    147.142.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    147.142.123.92.in-addr.arpa
    IN PTR
    Response
    147.142.123.92.in-addr.arpa
    IN PTR
    a92-123-142-147deploystaticakamaitechnologiescom
  • flag-us
    DNS
    205.47.74.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.47.74.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=064f1eab6ee8442d882f393f7bd47a44&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=
    tls, http2
    2.0kB
     9.3kB
     22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=064f1eab6ee8442d882f393f7bd47a44&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=064f1eab6ee8442d882f393f7bd47a44&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=064f1eab6ee8442d882f393f7bd47a44&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    198 B
     90 B
     3
    1

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    144 B
     158 B
     2
    1

    DNS Request

    28.118.140.52.in-addr.arpa

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     151 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
     143 B
     1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    147.142.123.92.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    147.142.123.92.in-addr.arpa

  • 8.8.8.8:53
    205.47.74.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    205.47.74.20.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2636447293-1148739154-93880854-1000\desktop.ini
    Filesize

    1KB

    MD5

    6cdb037256a20edea95bae5859043786

    SHA1

    a596c1c19508db27e1da02bb932adfd7487046ba

    SHA256

    33237073d15be41104efa2550694144b66703c3119e5e6435c069b9b29c4169f

    SHA512

    a03d8898195b52a95423ed00e358c9343cc02ddb6efc383fd88e119e9adbad23f055006845cce754b6371a1e4c8aa1cba6eca7483535ee25e972822fb0d2ef6c

    Download Submit

  • C:\$Recycle.Bin\S-1-5-21-2636447293-1148739154-93880854-1000\desktop.ini
    Filesize

    1KB

    MD5

    ef0eec446447b37d3ce8751ea382c0ef

    SHA1

    f3839be97a89597c659c9a23ec9c78c2cd08952b

    SHA256

    08bd410e96f09943c2a469cd5c27d444183539f6447fdae8f1327d5221817850

    SHA512

    31c3dea571295c9b52d1df631123ffcefc5d0d03fbfb94c61265eb440a06355df7187463b5dcb3861cb335adc393c662fdced8630aaa1d3fdaef16be747eec7e

    Download Submit

  • memory/3940-0-0x0000000002310000-0x000000000233C000-memory.dmp

    Filesize

    176KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.