Analysis
- max time kernel: 149s
- max time network: 126s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 17:21
Static task: static1
Behavioral task: behavioral1
  Sample: pandabanker_2.2.8.vir.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: pandabanker_2.2.8.vir.exe
  Resource: win10
General
- Target: pandabanker_2.2.8.vir.exe
- Size: 231KB
- MD5: dd6a9f311d3bd02e71a3b2f2e9edf616
- SHA1: ff3d6bb29c56dbcb45daaa7dc6fff79829c94fbf
- SHA256: 4352a4309cb454aa6ba59932456f32dbfee4b0b5d998d954518dcff43ff8281b
- SHA512: 0a47e1e193c74d2b7c57b6c3745d2f535cae6bf33d55958b953911616b50df2e0285925589d2515bf36baa98b6526885bf8827c0e2558c2f2061e9981f8eafea
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: pandabanker_2.2.8.vir.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | pandabanker_2.2.8.vir.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: pandabanker_2.2.8.vir.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE | pandabanker_2.2.8.vir.exe
    Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\WINE | pandabanker_2.2.8.vir.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: svchost.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run | svchost.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\StepRegister.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\StepRegister.exe" | svchost.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Executes dropped EXE (1 IoC)
  Processes: StepRegister.exe
    pid | process
    3956 | StepRegister.exe
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: pandabanker_2.2.8.vir.exe, StepRegister.exe
  The report lists each write event separately; identical rows are grouped below with their count.
    description | pid | process | target process | count
    PID 3676 wrote to memory of 3956 | 3676 | pandabanker_2.2.8.vir.exe | StepRegister.exe | 3
    PID 3956 wrote to memory of 3832 | 3956 | StepRegister.exe | svchost.exe | 7
    PID 3956 wrote to memory of 3852 | 3956 | StepRegister.exe | svchost.exe | 7
    PID 3676 wrote to memory of 3916 | 3676 | pandabanker_2.2.8.vir.exe | cmd.exe | 3
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (190 IoCs)
  Processes: pandabanker_2.2.8.vir.exe, svchost.exe
  The report repeats the following two entries many times (190 IoCs in total):
    pid | process
    3676 | pandabanker_2.2.8.vir.exe
    3832 | svchost.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: pandabanker_2.2.8.vir.exe
    description | pid | process
    Token: SeSecurityPrivilege | 3676 | pandabanker_2.2.8.vir.exe
Processes
(process tree; indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.8.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.8.vir.exe"
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\StepRegister.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\StepRegister.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd904d6f6d.bat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd904d6f6d.bat
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\StepRegister.exe
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\StepRegister.exe
- memory/3832-3-0x0000000000000000-mapping.dmp
- memory/3852-4-0x0000000000000000-mapping.dmp
- memory/3916-5-0x0000000000000000-mapping.dmp
- memory/3956-0-0x0000000000000000-mapping.dmp