Analysis
W32/Filecoder.PLAY!tr.ransom is a generic detection for a trojan.
Since this is a generic detection, malware that are detected as W32/Filecoder.PLAY!tr.ransom may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware is associated with the PLAY ransomware family.
- Upon execution, this ransomware traverses the victim's system and encrypts selected files, such as personal and operational files, appending the extension ".PLAY" to each encrypted file. A ransom note named "ReadMe.txt" is dropped in the root directory (C:\). The note contains the word "PLAY" and an email address for contacting the attackers. Affected users are discouraged from contacting the attackers, as payment does not guarantee the recovery of data.
- To observe the complete behaviour of the malware, the file must be run with administrator privileges (in an isolated analysis environment).
- This malware has been associated with the following third-party article/advisory:
https://nvd.nist.gov/vuln/detail/CVE-2022-41080
Below are images of the ransomware:
- Figure 1: Encrypted files.
Following are some of the exact IOCs/file hashes associated with this detection:
- MD5: 410bbbe373418607d58846b6fe2c05be
  SHA256: 3e6317229d122073f57264d6f69ae3e145decad3666ddad8173c942e80588e69
- MD5: 0f8ad126812dc650f26b5739590b8ab8
  SHA256: e641b622b1f180fe189e3f39b3466b16ca5040b5a1869e5d30c92cca5727d3f0
- MD5: 818720aea07663ffb451f73917ba58da
  SHA256: 608e2b023dc8f7e02ae2000fc7dbfc24e47807d1e4264cbd6bb5839c81f91934
- MD5: 20963a476928f3aad040affc4980e5f5
  SHA256: f6072ff57c1cfe74b88f521d70c524bcbbb60c561705e9febe033f51131be408
- MD5: b311256c0b964724258078affce39f01
  SHA256: 5573cbe13c0dbfd3d0e467b9907f3a89c1c133c774ada906ea256e228ae885d5
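The following is an added triage script, not code from Fortinet or from the PLAY operators, that turns the behaviours described above (".PLAY" extension, "ReadMe.txt" in the volume root containing "PLAY" and an email address) and the hash IOCs listed above into checks a responder can run over a mounted volume or a file-share export. It assumes a plain suffix check is enough to spot encrypted files, that any "ReadMe.txt" containing the word "PLAY" plus an email address is the note, and it exercises the hash matching with a constructed sample tree (the email in the constructed note is a placeholder, not one from any real sample); the page's real hashes will not match constructed data, so the demo feeds in the SHA256 of one constructed file to show a hit.

```python
"""Triage helper for the PLAY ransomware indicators described on this page.

Added example code, not the vendor's or the malware's own code. Walks a
directory tree, flags files carrying the .PLAY extension, flags ReadMe.txt
notes that look like the described ransom note, and hashes every file against
the MD5/SHA256 IOCs listed on the page.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# IOC hashes exactly as listed on the page (lower-case hex).
IOC_MD5 = {
    "410bbbe373418607d58846b6fe2c05be",
    "0f8ad126812dc650f26b5739590b8ab8",
    "818720aea07663ffb451f73917ba58da",
    "20963a476928f3aad040affc4980e5f5",
    "b311256c0b964724258078affce39f01",
}
IOC_SHA256 = {
    "3e6317229d122073f57264d6f69ae3e145decad3666ddad8173c942e80588e69",
    "e641b622b1f180fe189e3f39b3466b16ca5040b5a1869e5d30c92cca5727d3f0",
    "608e2b023dc8f7e02ae2000fc7dbfc24e47807d1e4264cbd6bb5839c81f91934",
    "f6072ff57c1cfe74b88f521d70c524bcbbb60c561705e9febe033f51131be408",
    "5573cbe13c0dbfd3d0e467b9907f3a89c1c133c774ada906ea256e228ae885d5",
}

ENCRYPTED_EXT = ".PLAY"   # appended to encrypted files
NOTE_NAME = "ReadMe.txt"  # dropped in the volume root (C:\) per the page
# Assumption: a loose email pattern is enough to recognise the contact address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, streamed in 1 MiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def looks_like_play_note(path):
    """Match the note as the page describes it: contains 'PLAY' and an email."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return False
    return "PLAY" in text and EMAIL_RE.search(text) is not None


def triage(root, md5_iocs=IOC_MD5, sha256_iocs=IOC_SHA256):
    """Collect the three indicator classes under `root` as sorted relative paths.

    The IOC sets are parameters so a responder can extend them with hashes from
    their own case without editing the constants above.
    """
    root = Path(root)
    findings = {"encrypted": [], "notes": [], "ioc_hits": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name.endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(rel)
            if name.lower() == NOTE_NAME.lower() and looks_like_play_note(path):
                findings["notes"].append(rel)
            md5, sha = file_hashes(path)
            if md5 in md5_iocs or sha in sha256_iocs:
                findings["ioc_hits"].append((rel, sha))
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree(base):
    """Create a constructed directory imitating a hit. Not real malware output."""
    base = Path(base)
    docs = base / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "budget.xlsx.PLAY").write_bytes(os.urandom(64))
    (docs / "notes.txt").write_text("untouched file\n")
    (base / "Users" / "alice" / "photo.jpg.PLAY").write_bytes(os.urandom(64))
    # Constructed note; the address is a placeholder, not from any real sample.
    (base / "ReadMe.txt").write_text("PLAY\ncontact: decrypt@example.invalid\n")
    # A benign ReadMe.txt that must NOT be reported as a ransom note.
    (base / "Users" / "alice" / "ReadMe.txt").write_text("just a project readme\n")
    return base


def demo():
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        # Page hashes cannot match random bytes, so add the SHA256 of one
        # constructed file to show the hash-matching path producing a hit.
        _, sha = file_hashes(base / "Users" / "alice" / "photo.jpg.PLAY")
        return triage(base, sha256_iocs=IOC_SHA256 | {sha})


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {items}")
```

Run it against a mounted image with `triage("/mnt/evidence")`; the note check deliberately ignores "ReadMe.txt" files that lack the "PLAY" marker and an email address, so ordinary project readmes are not reported.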