Analysis
- max time kernel: 150s
- max time network: 69s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:45
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: pandabanker_2.6.2.vir.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: pandabanker_2.6.2.vir.exe, Resource: win10)
General
- Target: pandabanker_2.6.2.vir.exe
- Size: 92KB
- MD5: 35759acd799f951b8beef86311bd9b77
- SHA1: 835e0b085afe038d013b2bd1675a1dd6b89c9949
- SHA256: 94c1b963cc2b06ec91490e557ded99ecfc04d336eea26fdb2f4253a0cfa3ed81
- SHA512: f06c2e33e947b3a24e368b30b9f129007c247b6b08ffe324fb3a34a004e9fa9c9edb426a4cbbd423a76a1eeba054d062d0a8eae87752416987d165bbc6511fa6
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1612  webappsstore.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
    1068  cmd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeSecurityPrivilege  864  pandabanker_2.6.2.vir.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    864  pandabanker_2.6.2.vir.exe  (2 entries)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description, pid, process, target process):
    PID 864 wrote to memory of 1612   864   pandabanker_2.6.2.vir.exe  webappsstore.exe  (4 entries)
    PID 1612 wrote to memory of 304   1612  webappsstore.exe           svchost.exe       (8 entries)
    PID 864 wrote to memory of 1068   864   pandabanker_2.6.2.vir.exe  cmd.exe           (4 entries)
    PID 1612 wrote to memory of 1404  1612  webappsstore.exe           svchost.exe       (8 entries)
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE  pandabanker_2.6.2.vir.exe
    Key opened  \REGISTRY\MACHINE\Software\Wow6432Node\WINE  pandabanker_2.6.2.vir.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run  svchost.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\webappsstore.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\webappsstore.exe\""  svchost.exe
- Suspicious behavior: EnumeratesProcesses (306 IoCs)
  Processes (pid, process):
    864   pandabanker_2.6.2.vir.exe  (10 entries)
    304   svchost.exe and 1404 svchost.exe  (repeated in alternating pairs; the report counts 306 IoCs in total and shows only the first rows)
Processes (tree; indentation shows parent/child relationships)
C:\Users\Admin\AppData\Local\Temp\pandabanker_2.6.2.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.6.2.vir.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Identifies Wine through registry keys
  - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\webappsstore.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\webappsstore.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd3aa404e7.bat"
    - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd3aa404e7.bat
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\webappsstore.exe
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\webappsstore.exe
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\webappsstore.exe
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\webappsstore.exe
- memory/304-5-0x0000000000000000-mapping.dmp
- memory/1068-6-0x0000000000000000-mapping.dmp
- memory/1404-7-0x0000000000000000-mapping.dmp
- memory/1612-2-0x0000000000000000-mapping.dmp