Analysis
  max time kernel: 74s
  max time network: 110s
  platform: windows10_x64
  resource: win10
  submitted: 19-07-2020 19:35

Static task: static1

Behavioral task: behavioral1
  Sample: pandabanker_2.3.3.vir.exe
  Resource: win7
General
  Target: pandabanker_2.3.3.vir.exe
  Size: 356KB
  MD5: 9d9f70a971c3c0c1e445514febb7d694
  SHA1: 7ed971c33f7d7bf7f5ed421bf95b8d0b1b570296
  SHA256: 3bbfbe3de9cb174f9d7c579f5e404482778924df85eb4b9daa03a274fc91eb91
  SHA512: 18bba8cd66823d28501766e226090e7b6fa9b1b963579e187842114f7b36c96b0645082e1d5f6e380a9669651132450cccfcfb4b8aaa112ae42285b324998d80
Malware Config

Signatures
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                 pid   process
  Token: SeSecurityPrivilege  3700  pandabanker_2.3.3.vir.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description                        pid   process                    target process   events
  PID 3700 wrote to memory of 2308   3700  pandabanker_2.3.3.vir.exe  profiles.exe     3
  PID 2308 wrote to memory of 2548   2308  profiles.exe               svchost.exe      7
  PID 2308 wrote to memory of 3844   2308  profiles.exe               svchost.exe      7
  PID 3700 wrote to memory of 3804   3700  pandabanker_2.3.3.vir.exe  cmd.exe          3
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  pandabanker_2.3.3.vir.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description  ioc                                                                         process
  Key opened   \REGISTRY\MACHINE\Software\WOW6432Node\WINE                                 pandabanker_2.3.3.vir.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE  pandabanker_2.3.3.vir.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid   process                    events
  3700  pandabanker_2.3.3.vir.exe  20

Executes dropped EXE (1 IoC)
  pid   process
  2308  profiles.exe

Looks for VMWare Tools registry key (2 TTPs)

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
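The anti-analysis signatures above (Wine keys, SystemBiosVersion, VMware Tools, VirtualBox Guest Additions, VirtualBox ACPI tables) are all registry reads, so the same classifier can turn a raw registry trace into a per-process list of sandbox probes. The following is an added example, not part of this report or of the sample: the two WINE keys and the SystemBiosVersion value are the ones listed above; the VMware Tools, VirtualBox Guest Additions and ACPI paths are assumptions based on where those products register, since the report names those checks only by signature title. The extra events for a hypothetical `sample2.exe` are constructed.

```python
"""Classify the registry keys a sample touches as anti-analysis probes.

Added example for the Signatures section of this sandbox report; it is not
part of the report or of the sample. The WINE keys and SystemBiosVersion
value are the report's own IoCs. The VMware Tools, VirtualBox Guest
Additions and ACPI locations are assumed (well-known install paths); the
report lists those checks by title only, without the key path.
"""
import re
from collections import defaultdict

# (label, pattern over the normalised path). Normalisation maps the NT names
# the sandbox records (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) onto
# HKLM / HKU\<SID> and upper-cases, so one pattern covers both spellings and
# both the 32-bit (WOW6432Node) and 64-bit views of the Software hive.
ANTI_ANALYSIS_RULES = [
    ("wine", re.compile(r"\\SOFTWARE\\(WOW6432NODE\\)?WINE(\\|$)")),
    ("bios-fingerprint", re.compile(
        r"\\HARDWARE\\DESCRIPTION\\SYSTEM\\(SYSTEMBIOSVERSION|SYSTEMBIOSDATE|VIDEOBIOSVERSION)$")),
    # The three paths below are assumptions, not taken from the report.
    ("vmware-tools", re.compile(r"\\SOFTWARE\\(WOW6432NODE\\)?VMWARE, INC\.\\VMWARE TOOLS(\\|$)")),
    ("vbox-additions", re.compile(r"\\SOFTWARE\\(WOW6432NODE\\)?ORACLE\\VIRTUALBOX GUEST ADDITIONS(\\|$)")),
    ("vbox-acpi", re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__(\\|$)")),
]


def normalise_key(path):
    """Map a sandbox-recorded NT key path onto HKLM / HKU\\<SID> in upper case."""
    p = path.strip().upper()
    if p.startswith(r"\REGISTRY\MACHINE"):
        p = "HKLM" + p[len(r"\REGISTRY\MACHINE"):]
    elif p.startswith(r"\REGISTRY\USER"):
        p = "HKU" + p[len(r"\REGISTRY\USER"):]
    # Collapse the per-user SID so one rule matches every user's hive.
    return re.sub(r"^HKU\\S-1-5-\d+(-\d+)+", r"HKU\\<SID>", p)


def classify_registry_events(events):
    """events: iterable of (operation, key_path, process_name).
    Returns {process: {label: [original key paths]}}; keys that hit no rule
    are simply ignored."""
    hits = defaultdict(lambda: defaultdict(list))
    for _op, key, proc in events:
        norm = normalise_key(key)
        for label, pat in ANTI_ANALYSIS_RULES:
            if pat.search(norm):
                hits[proc][label].append(key)
    return {proc: dict(labels) for proc, labels in hits.items()}


def evasion_families(hits, process):
    """Distinct probe families one process used, sorted. More than one family
    is a sample checking for a sandbox, not a one-off hardware lookup."""
    return sorted(hits.get(process, {}))


# The three registry IoCs from the report, in the report's column order.
REPORT_EVENTS = [
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
     "pandabanker_2.3.3.vir.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\Software\WOW6432Node\WINE", "pandabanker_2.3.3.vir.exe"),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE",
     "pandabanker_2.3.3.vir.exe"),
]

# Constructed events (not from the report): an assumed VirtualBox ACPI probe
# by a hypothetical process, and an ordinary key read that must not match.
CONSTRUCTED_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "sample2.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName",
     "sample2.exe"),
]

if __name__ == "__main__":
    hits = classify_registry_events(REPORT_EVENTS + CONSTRUCTED_EVENTS)
    for proc in hits:
        print(proc, evasion_families(hits, proc))
```

Run against the report's three IoCs the classifier attributes two families (`bios-fingerprint`, `wine`) to pandabanker_2.3.3.vir.exe; the VMware and VirtualBox rules stay silent because the report records those checks only as signature titles, with no key path to match.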
Processes
  C:\Users\Admin\AppData\Local\Temp\pandabanker_2.3.3.vir.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.3.3.vir.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious behavior: EnumeratesProcesses

      C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\profiles.exe
        command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\profiles.exe"
        - Suspicious use of WriteProcessMemory
        - Executes dropped EXE

          C:\Windows\SysWOW64\svchost.exe
            command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs

          C:\Windows\SysWOW64\svchost.exe
            command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs

      C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd736f0a5d.bat"
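The process tree and the WriteProcessMemory table together describe one chain: the sample writes into the dropped profiles.exe, which in turn writes repeatedly into two svchost.exe -k netsvcs instances it started itself. The script below is an added example, not part of this report or of the sample: it parses the flattened "wrote to memory" rows exactly as the report prints them, rebuilds the tree from the parent/child depths shown above, and flags the edges a detection engineer would treat as injection. The pids, images, command lines and counts are the report's; the two heuristics (a user-writable image writing into a Windows system binary, and svchost.exe whose parent is not services.exe) are general Windows knowledge, not something the report asserts.

```python
"""Rebuild the process tree and WriteProcessMemory graph from the flattened
rows in this sandbox report and flag edges that look like code injection.

Added example, not part of the report or of the sample. Pids, images,
command lines, write counts and parent/child depths are exactly what the
report shows. The heuristics (user-writable image writing into a system
binary; svchost.exe not parented by services.exe) are general Windows
knowledge and are assumptions of this example.
"""
import re
from collections import Counter, defaultdict

# (pid, parent_pid, image_path, command_line) from the "Processes" tree.
# The parent of the root process is not shown in the report.
PROCESSES = [
    (3700, None, r"C:\Users\Admin\AppData\Local\Temp\pandabanker_2.3.3.vir.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\pandabanker_2.3.3.vir.exe"'),
    (2308, 3700, r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\profiles.exe",
     r'"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\profiles.exe"'),
    (2548, 2308, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\svchost.exe -k netsvcs"),
    (3844, 2308, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\svchost.exe -k netsvcs"),
    (3804, 3700, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd736f0a5d.bat"'),
]

# The 20 WriteProcessMemory rows run together on one line, as the report
# flattens them (3 + 7 + 7 + 3 rows).
WRITE_ROWS = " ".join(
    ["PID 3700 wrote to memory of 2308 3700 pandabanker_2.3.3.vir.exe profiles.exe"] * 3
    + ["PID 2308 wrote to memory of 2548 2308 profiles.exe svchost.exe"] * 7
    + ["PID 2308 wrote to memory of 3844 2308 profiles.exe svchost.exe"] * 7
    + ["PID 3700 wrote to memory of 3804 3700 pandabanker_2.3.3.vir.exe cmd.exe"] * 3
)

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"; the
# back-reference pins the repeated pid column so a row cannot be mis-split.
WRITE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_image>\S+) (?P<dst_image>\S+)"
)


def parse_write_events(text):
    """Return (src_pid, dst_pid, src_image, dst_image) per row, duplicates kept."""
    return [(int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"])
            for m in WRITE_RE.finditer(text)]


def write_edges(events):
    """Collapse repeated writes into {(src_pid, dst_pid): call count}."""
    return Counter((src, dst) for src, dst, _, _ in events)


def render_tree(processes, root=None, depth=0):
    """Indented 'pid image' lines, children in report order."""
    children = defaultdict(list)
    for pid, ppid, _, _ in processes:
        children[ppid].append(pid)
    image = {pid: path for pid, _, path, _ in processes}
    lines = []
    for pid in children[root]:
        lines.append("  " * depth + f"{pid} {image[pid]}")
        lines.extend(render_tree(processes, pid, depth + 1))
    return lines


USER_WRITABLE = ("C:\\USERS\\",)
SYSTEM_DIRS = ("C:\\WINDOWS\\SYSTEM32\\", "C:\\WINDOWS\\SYSWOW64\\")
# Legitimate svchost.exe instances are started by services.exe (assumption of
# this example, general Windows behaviour; the report does not state it).
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_injection(processes, events):
    """One finding per suspicious (src, dst) edge: reasons plus write count."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for (src, dst), count in write_edges(events).items():
        src_path = by_pid[src][2].upper()
        dst_path = by_pid[dst][2].upper()
        dst_name = _name(by_pid[dst][2])
        reasons = []
        if src_path.startswith(USER_WRITABLE) and dst_path.startswith(SYSTEM_DIRS):
            reasons.append("image under a user-writable path writes into a Windows system binary")
        ppid = by_pid[dst][1]
        parent_name = _name(by_pid[ppid][2]) if ppid in by_pid else None
        if dst_name in EXPECTED_PARENT and parent_name not in EXPECTED_PARENT[dst_name]:
            reasons.append(f"{dst_name} started by {parent_name}, expected services.exe")
        if reasons:
            findings.append({"src": src, "dst": dst, "writes": count, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    for f in flag_injection(PROCESSES, parse_write_events(WRITE_ROWS)):
        print(f"{f['src']} -> {f['dst']} ({f['writes']} writes): " + "; ".join(f["reasons"]))
```

On the report's data this yields three findings: both svchost.exe instances (7 writes each, flagged on both heuristics) and cmd.exe (3 writes, flagged only because a user-path binary wrote into a system binary). The 3700 to 2308 edge is not flagged, since both images live under the user profile; whether to alert on a parent writing into a child it just created is a tuning decision, because that pattern covers both benign loaders and hollowing.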
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  C:\Users\Admin\AppData\Local\Temp\upd736f0a5d.bat
  C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\profiles.exe
  C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\profiles.exe
  memory/2308-0-0x0000000000000000-mapping.dmp
  memory/2548-3-0x0000000000000000-mapping.dmp
  memory/3804-5-0x0000000000000000-mapping.dmp
  memory/3844-4-0x0000000000000000-mapping.dmp