Analysis
max time kernel: 59s
max time network: 6s
platform: windows7_x64
resource: win7
submitted: 19-07-2020 19:35
Static task: static1
Behavioral task: behavioral1
Sample: pandabanker_2.3.3.vir.exe
Resource: win7
General
Target: pandabanker_2.3.3.vir.exe
Size: 356KB
MD5: 9d9f70a971c3c0c1e445514febb7d694
SHA1: 7ed971c33f7d7bf7f5ed421bf95b8d0b1b570296
SHA256: 3bbfbe3de9cb174f9d7c579f5e404482778924df85eb4b9daa03a274fc91eb91
SHA512: 18bba8cd66823d28501766e226090e7b6fa9b1b963579e187842114f7b36c96b0645082e1d5f6e380a9669651132450cccfcfb4b8aaa112ae42285b324998d80
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeSecurityPrivilege | 1492 | pandabanker_2.3.3.vir.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    1492 | pandabanker_2.3.3.vir.exe
    1492 | pandabanker_2.3.3.vir.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes:
    description | pid | process | target process
    PID 1492 wrote to memory of 276 | 1492 | pandabanker_2.3.3.vir.exe | cert9.exe
    PID 1492 wrote to memory of 276 | 1492 | pandabanker_2.3.3.vir.exe | cert9.exe
    PID 1492 wrote to memory of 276 | 1492 | pandabanker_2.3.3.vir.exe | cert9.exe
    PID 1492 wrote to memory of 276 | 1492 | pandabanker_2.3.3.vir.exe | cert9.exe
    PID 276 wrote to memory of 792 | 276 | cert9.exe | svchost.exe
    PID 276 wrote to memory of 792 | 276 | cert9.exe | svchost.exe
    PID 276 wrote to memory of 792 | 276 | cert9.exe | svchost.exe
    PID 276 wrote to memory of 792 | 276 | cert9.exe | svchost.exe
    PID 276 wrote to memory of 792 | 276 | cert9.exe | svchost.exe
    PID 276 wrote to memory of 792 | 276 | cert9.exe | svchost.exe
    PID 276 wrote to memory of 792 | 276 | cert9.exe | svchost.exe
    PID 276 wrote to memory of 792 | 276 | cert9.exe | svchost.exe
    PID 276 wrote to memory of 556 | 276 | cert9.exe | svchost.exe
    PID 276 wrote to memory of 556 | 276 | cert9.exe | svchost.exe
    PID 276 wrote to memory of 556 | 276 | cert9.exe | svchost.exe
    PID 276 wrote to memory of 556 | 276 | cert9.exe | svchost.exe
    PID 276 wrote to memory of 556 | 276 | cert9.exe | svchost.exe
    PID 276 wrote to memory of 556 | 276 | cert9.exe | svchost.exe
    PID 276 wrote to memory of 556 | 276 | cert9.exe | svchost.exe
    PID 276 wrote to memory of 556 | 276 | cert9.exe | svchost.exe
    PID 1492 wrote to memory of 1032 | 1492 | pandabanker_2.3.3.vir.exe | cmd.exe
    PID 1492 wrote to memory of 1032 | 1492 | pandabanker_2.3.3.vir.exe | cmd.exe
    PID 1492 wrote to memory of 1032 | 1492 | pandabanker_2.3.3.vir.exe | cmd.exe
    PID 1492 wrote to memory of 1032 | 1492 | pandabanker_2.3.3.vir.exe | cmd.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    276 | cert9.exe
- Deletes itself (1 IoC)
  Processes:
    pid | process
    1032 | cmd.exe
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | pandabanker_2.3.3.vir.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
    pid | process
    1492 | pandabanker_2.3.3.vir.exe
    1492 | pandabanker_2.3.3.vir.exe
    1492 | pandabanker_2.3.3.vir.exe
    1492 | pandabanker_2.3.3.vir.exe
    1492 | pandabanker_2.3.3.vir.exe
    1492 | pandabanker_2.3.3.vir.exe
    1492 | pandabanker_2.3.3.vir.exe
    1492 | pandabanker_2.3.3.vir.exe
    1492 | pandabanker_2.3.3.vir.exe
    1492 | pandabanker_2.3.3.vir.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE | pandabanker_2.3.3.vir.exe
    Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\WINE | pandabanker_2.3.3.vir.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\pandabanker_2.3.3.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.3.3.vir.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Checks BIOS information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Identifies Wine through registry keys
  - [2] C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\cert9.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\cert9.exe"
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - [3] C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
    - [3] C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upde0bb5eb8.bat"
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upde0bb5eb8.bat
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\cert9.exe
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\cert9.exe
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\cert9.exe
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\cert9.exe
- memory/276-2-0x0000000000000000-mapping.dmp
- memory/556-6-0x0000000000000000-mapping.dmp
- memory/792-5-0x0000000000000000-mapping.dmp
- memory/1032-7-0x0000000000000000-mapping.dmp