Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 19:45
Static task: static1
Behavioral task: behavioral1
- Sample: pandabanker_2.6.2.vir.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: pandabanker_2.6.2.vir.exe
- Resource: win10
General
- Target: pandabanker_2.6.2.vir.exe
- Size: 92KB
- MD5: 35759acd799f951b8beef86311bd9b77
- SHA1: 835e0b085afe038d013b2bd1675a1dd6b89c9949
- SHA256: 94c1b963cc2b06ec91490e557ded99ecfc04d336eea26fdb2f4253a0cfa3ed81
- SHA512: f06c2e33e947b3a24e368b30b9f129007c247b6b08ffe324fb3a34a004e9fa9c9edb426a4cbbd423a76a1eeba054d062d0a8eae87752416987d165bbc6511fa6
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  3896 | favicons.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\favicons.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\favicons.exe" | svchost.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: pandabanker_2.6.2.vir.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE | pandabanker_2.6.2.vir.exe
  Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\WINE | pandabanker_2.6.2.vir.exe
Suspicious behavior: EnumeratesProcesses 316 IoCs
Processes:
pandabanker_2.6.2.vir.exesvchost.exesvchost.exepid process 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3100 pandabanker_2.6.2.vir.exe 3324 svchost.exe 3324 svchost.exe 3928 svchost.exe 3928 svchost.exe 3324 svchost.exe 3324 svchost.exe 3928 svchost.exe 3928 svchost.exe 3324 svchost.exe 3324 svchost.exe 3928 svchost.exe 3928 svchost.exe 3324 svchost.exe 3324 svchost.exe 3928 svchost.exe 3928 svchost.exe 3324 svchost.exe 3324 svchost.exe 3928 svchost.exe 3928 svchost.exe 3324 svchost.exe 3324 svchost.exe 3928 svchost.exe 3928 svchost.exe 3324 svchost.exe 3324 svchost.exe 3928 svchost.exe 3928 svchost.exe 3324 svchost.exe 3324 svchost.exe 3928 svchost.exe 3928 svchost.exe 3324 svchost.exe 3324 svchost.exe 3928 svchost.exe 3928 svchost.exe 3324 svchost.exe 3324 svchost.exe 3928 svchost.exe 3928 svchost.exe 3324 svchost.exe 3324 svchost.exe 3928 svchost.exe 3928 svchost.exe -
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: pandabanker_2.6.2.vir.exe
  description | pid | process
  Token: SeSecurityPrivilege | 3100 | pandabanker_2.6.2.vir.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: pandabanker_2.6.2.vir.exe, favicons.exe
  description | pid | process | target process
  PID 3100 wrote to memory of 3896 | 3100 | pandabanker_2.6.2.vir.exe | favicons.exe
  PID 3100 wrote to memory of 3896 | 3100 | pandabanker_2.6.2.vir.exe | favicons.exe
  PID 3100 wrote to memory of 3896 | 3100 | pandabanker_2.6.2.vir.exe | favicons.exe
  PID 3896 wrote to memory of 3324 | 3896 | favicons.exe | svchost.exe
  PID 3896 wrote to memory of 3324 | 3896 | favicons.exe | svchost.exe
  PID 3896 wrote to memory of 3324 | 3896 | favicons.exe | svchost.exe
  PID 3100 wrote to memory of 3312 | 3100 | pandabanker_2.6.2.vir.exe | cmd.exe
  PID 3100 wrote to memory of 3312 | 3100 | pandabanker_2.6.2.vir.exe | cmd.exe
  PID 3100 wrote to memory of 3312 | 3100 | pandabanker_2.6.2.vir.exe | cmd.exe
  PID 3896 wrote to memory of 3324 | 3896 | favicons.exe | svchost.exe
  PID 3896 wrote to memory of 3324 | 3896 | favicons.exe | svchost.exe
  PID 3896 wrote to memory of 3324 | 3896 | favicons.exe | svchost.exe
  PID 3896 wrote to memory of 3324 | 3896 | favicons.exe | svchost.exe
  PID 3896 wrote to memory of 3928 | 3896 | favicons.exe | svchost.exe
  PID 3896 wrote to memory of 3928 | 3896 | favicons.exe | svchost.exe
  PID 3896 wrote to memory of 3928 | 3896 | favicons.exe | svchost.exe
  PID 3896 wrote to memory of 3928 | 3896 | favicons.exe | svchost.exe
  PID 3896 wrote to memory of 3928 | 3896 | favicons.exe | svchost.exe
  PID 3896 wrote to memory of 3928 | 3896 | favicons.exe | svchost.exe
  PID 3896 wrote to memory of 3928 | 3896 | favicons.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\pandabanker_2.6.2.vir.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.6.2.vir.exe"
  - Identifies Wine through registry keys
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\favicons.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\favicons.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\svchost.exe (level 3)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\svchost.exe (level 3)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\cmd.exe (level 2)
  Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd29d8af9b.bat"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd29d8af9b.bat
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\favicons.exe
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\favicons.exe
- memory/3312-3-0x0000000000000000-mapping.dmp
- memory/3324-4-0x0000000000000000-mapping.dmp
- memory/3896-0-0x0000000000000000-mapping.dmp
- memory/3928-5-0x0000000000000000-mapping.dmp