c0bd2850fc1fdafa2cf0768b94076a87f32fc11babfcb034c0f7563a4541ec28

Analysis

max time kernel
168s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Schwab_Desktop_v2.7.exe
Size

401.9MB
MD5

800a60c9de653f119035b42984f47e01
SHA1

95d3c504865aa0c30bb24c4de3a3fc2880a8facc
SHA256

b566086aa3efcbfe88ec27884e365a671c02879166d2b3a5cde186b3d0f951c5
SHA512

0a35c622da1ea03a2021b6b98af9e3b0f48a236684a2e8a74accc1633b976d2fb927e196a763633c83af27a0f1b9e100a9ac5c94975ad410412d7035bab2ba8b
SSDEEP

98304:Jg6OOOW638tFjYat5ddWLdpcXSpThOigPRzRR+JK:FF66FjYaFdWwXSphOig5dR+g

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1812-54-0x0000000000400000-0x00000000009DB000-memory.dmp	vmprotect
behavioral1/memory/1812-55-0x0000000000400000-0x00000000009DB000-memory.dmp	vmprotect
behavioral1/memory/1812-57-0x0000000000400000-0x00000000009DB000-memory.dmp	vmprotect

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Schwab_Desktop_v2.7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Schwab_Desktop_v2.7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Schwab_Desktop_v2.7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Schwab_Desktop_v2.7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Schwab_Desktop_v2.7.exe

pid	process
1812	Schwab_Desktop_v2.7.exe
1812	Schwab_Desktop_v2.7.exe
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Schwab_Desktop_v2.7.exe

pid process

1812 Schwab_Desktop_v2.7.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1356

description	pid	process
Token: SeShutdownPrivilege	1356

C:\Users\Admin\AppData\Local\Temp\Schwab_Desktop_v2.7.exe
"C:\Users\Admin\AppData\Local\Temp\Schwab_Desktop_v2.7.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1812

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1812-54-0x0000000000400000-0x00000000009DB000-memory.dmp

Filesize
5.9MB

Download
memory/1812-55-0x0000000000400000-0x00000000009DB000-memory.dmp

Filesize
5.9MB

Download
memory/1812-56-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1812-57-0x0000000000400000-0x00000000009DB000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads