bf5cbed1becff9f0cdb1061dbddf7ed6d85d43d70edf91206d769151eb4e741f

Analysis

max time kernel
149s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Play Cabal EP31 V.10/Play Cabal Ep31.exe
Size

7.6MB
MD5

a2926fd8f6952e887e1590eceb043c5d
SHA1

6b625785bb7e0b1afb27a5d106c425786866b32c
SHA256

fb602334941aded7a45ac2bf03ba3db9fa1634c97b921c5bbba9b59034bfa212
SHA512

04a3837593446e437c95afdd3a519e65cde76c7cd86e7967b0611b6f21069ca597f95713e0a4745c586dd5c59f5bf5cdc303c11019a3e9ee2c7e6b46687b71e9
SSDEEP

196608:DIWvJO35a/qKVnvuvo+qndPAKVnvWjtsXbZkL:DIWxyyvco+6Iyv8tc

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Play Cabal Ep31.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Play Cabal Ep31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Play Cabal Ep31.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine	Play Cabal Ep31.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3328	Play Cabal Ep31.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe
3328	Play Cabal Ep31.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3328	Play Cabal Ep31.exe

C:\Users\Admin\AppData\Local\Temp\Play Cabal EP31 V.10\Play Cabal Ep31.exe
"C:\Users\Admin\AppData\Local\Temp\Play Cabal EP31 V.10\Play Cabal Ep31.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3328-0-0x0000000000720000-0x00000000017F6000-memory.dmp

Filesize
16.8MB

Download
memory/3328-1-0x0000000000720000-0x00000000017F6000-memory.dmp

Filesize
16.8MB

Download
memory/3328-2-0x0000000000720000-0x00000000017F6000-memory.dmp

Filesize
16.8MB

Download
memory/3328-3-0x00000000089D0000-0x0000000008F74000-memory.dmp

Filesize
5.6MB

Download
memory/3328-4-0x0000000008320000-0x00000000083B2000-memory.dmp

Filesize
584KB

Download
memory/3328-5-0x00000000084C0000-0x000000000855C000-memory.dmp

Filesize
624KB

Download
memory/3328-6-0x00000000082E0000-0x00000000082EA000-memory.dmp

Filesize
40KB

Download
memory/3328-7-0x000000000A620000-0x000000000A660000-memory.dmp

Filesize
256KB

Download
memory/3328-8-0x000000000A6D0000-0x000000000A736000-memory.dmp

Filesize
408KB

Download
memory/3328-11-0x0000000000720000-0x00000000017F6000-memory.dmp

Filesize
16.8MB

Download