Analysis
max time kernel: 151s
max time network: 35s
platform: windows7_x64
resource: win7v200430
submitted: 19-07-2020 17:21
Static task: static1
Behavioral task: behavioral1
  Sample: pandabanker_2.2.8.vir.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: pandabanker_2.2.8.vir.exe
  Resource: win10
General
Target: pandabanker_2.2.8.vir.exe
Size: 231KB
MD5: dd6a9f311d3bd02e71a3b2f2e9edf616
SHA1: ff3d6bb29c56dbcb45daaa7dc6fff79829c94fbf
SHA256: 4352a4309cb454aa6ba59932456f32dbfee4b0b5d998d954518dcff43ff8281b
SHA512: 0a47e1e193c74d2b7c57b6c3745d2f535cae6bf33d55958b953911616b50df2e0285925589d2515bf36baa98b6526885bf8827c0e2558c2f2061e9981f8eafea
Malware Config
Signatures

- Suspicious behavior: EnumeratesProcesses (180 IoCs)
  Processes (pid, process; each row is repeated many times in the report):
    1500  pandabanker_2.2.8.vir.exe
    528   svchost.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description, ioc, process):
    Key opened  \REGISTRY\MACHINE\Software\Wow6432Node\WINE  pandabanker_2.2.8.vir.exe
    Key opened  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\WINE  pandabanker_2.2.8.vir.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run  svchost.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\StepRename.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\StepRename.exe\""  svchost.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeSecurityPrivilege  1500  pandabanker_2.2.8.vir.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
    1500  pandabanker_2.2.8.vir.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description, pid, process, target process; the count is the number of identical rows in the report):
    PID 1500 wrote to memory of 476   1500  pandabanker_2.2.8.vir.exe  StepRename.exe  (x4)
    PID 476 wrote to memory of 528    476   StepRename.exe             svchost.exe     (x8)
    PID 476 wrote to memory of 452    476   StepRename.exe             svchost.exe     (x8)
    PID 1500 wrote to memory of 1096  1500  pandabanker_2.2.8.vir.exe  cmd.exe         (x4)
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    476  StepRename.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
    1096  cmd.exe
- Checks BIOS information in registry (2 TTPs, 1 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  pandabanker_2.2.8.vir.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Processes (process tree; the leading number is the depth in the tree)

1. C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.8.vir.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.8.vir.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Identifies Wine through registry keys
   - Suspicious use of AdjustPrivilegeToken
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   - Checks BIOS information in registry
   2. C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\StepRename.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\StepRename.exe"
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      3. C:\Windows\SysWOW64\svchost.exe
         Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
         - Suspicious behavior: EnumeratesProcesses
         - Adds Run key to start application
      3. C:\Windows\SysWOW64\svchost.exe
         Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd59008f79.bat"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd59008f79.bat
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\StepRename.exe
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\StepRename.exe
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\StepRename.exe
- memory/452-5-0x0000000000000000-mapping.dmp
- memory/476-1-0x0000000000000000-mapping.dmp
- memory/528-4-0x0000000000000000-mapping.dmp
- memory/1096-6-0x0000000000000000-mapping.dmp