Analysis
  max time kernel:  168s
  max time network: 42s
  platform:         windows7_x64
  resource:         win7-20220812-en
  resource tags:    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:        29-11-2022 09:44
Behavioral tasks
  task         sample                     resource
  behavioral1  Schwab_Desktop_v2.7.exe    win7-20220812-en
  behavioral2  Schwab_Desktop_v2.7.exe    win10v2004-20220812-en
  behavioral3  langs/Hungarian.ps1        win7-20220812-en
  behavioral4  langs/Hungarian.ps1        win10v2004-20220812-en
  behavioral5  langs/Korean.ps1           win7-20221111-en
  behavioral6  langs/Korean.ps1           win10v2004-20220812-en
General
  Target:  Schwab_Desktop_v2.7.exe
  Size:    401.9MB
  MD5:     800a60c9de653f119035b42984f47e01
  SHA1:    95d3c504865aa0c30bb24c4de3a3fc2880a8facc
  SHA256:  b566086aa3efcbfe88ec27884e365a671c02879166d2b3a5cde186b3d0f951c5
  SHA512:  0a35c622da1ea03a2021b6b98af9e3b0f48a236684a2e8a74accc1633b976d2fb927e196a763633c83af27a0f1b9e100a9ac5c94975ad410412d7035bab2ba8b
  SSDEEP:  98304:Jg6OOOW638tFjYat5ddWLdpcXSpThOigPRzRR+JK:FF66FjYaFdWwXSphOig5dR+g
Malware Config
Signatures
-
Processes:
  resource                                                          yara_rule
  behavioral1/memory/1812-54-0x0000000000400000-0x00000000009DB000-memory.dmp  vmprotect
  behavioral1/memory/1812-55-0x0000000000400000-0x00000000009DB000-memory.dmp  vmprotect
  behavioral1/memory/1812-57-0x0000000000400000-0x00000000009DB000-memory.dmp  vmprotect
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: Schwab_Desktop_v2.7.exe
  description     ioc                                                process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   Schwab_Desktop_v2.7.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   Schwab_Desktop_v2.7.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   Schwab_Desktop_v2.7.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: Schwab_Desktop_v2.7.exe
  pid   process
  1812  Schwab_Desktop_v2.7.exe
  1812  Schwab_Desktop_v2.7.exe
  1356  (process name not resolved in the report; this pid accounts for the remaining IoCs)
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: Schwab_Desktop_v2.7.exe
  pid   process
  1812  Schwab_Desktop_v2.7.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                 pid
  Token: SeShutdownPrivilege  1356
Downloads
  file                                                             filesize
  memory/1812-54-0x0000000000400000-0x00000000009DB000-memory.dmp  5.9MB
  memory/1812-55-0x0000000000400000-0x00000000009DB000-memory.dmp  5.9MB
  memory/1812-56-0x0000000076681000-0x0000000076683000-memory.dmp  8KB
  memory/1812-57-0x0000000000400000-0x00000000009DB000-memory.dmp  5.9MB