Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:40
- Static task: static1
- Behavioral task: behavioral1 (Sample: pandabanker_2.5.6.vir.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: pandabanker_2.5.6.vir.exe, Resource: win10)
General
- Target: pandabanker_2.5.6.vir.exe
- Size: 333KB
- MD5: 5f4ddfe85a833c8b94fab8ab4c9e8fcd
- SHA1: f47b802940ffb8a23b5fa51da2868ecbeabf4dad
- SHA256: ae96dbb67a548c38a292255130c47b99ec028e6afa228d62980a03ba9d7f03b0
- SHA512: 70f4babdf85b964d088c9142a0bec51cc6ec6d275597c7bef3133354d338dcc9922555fa560443a9e6d6c07cf20bb1634f5370ec4d1b9b12b7e487bfa0d0e0e1
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    1668 | pandabanker_2.5.6.vir.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description | pid | process | target process):
    PID 1668 wrote to memory of 1292 | 1668 | pandabanker_2.5.6.vir.exe | OptimizeDeny.exe (4 events)
    PID 1668 wrote to memory of 1768 | 1668 | pandabanker_2.5.6.vir.exe | cmd.exe (4 events)
    PID 1292 wrote to memory of 1120 | 1292 | OptimizeDeny.exe | svchost.exe (8 events)
    PID 1292 wrote to memory of 1740 | 1292 | OptimizeDeny.exe | svchost.exe (8 events)
- Deletes itself (1 IoC)
  Processes (pid | process):
    1768 | cmd.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE | pandabanker_2.5.6.vir.exe
    Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\WINE | pandabanker_2.5.6.vir.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run | svchost.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\OptimizeDeny.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\OptimizeDeny.exe\"" | svchost.exe
- Suspicious behavior: EnumeratesProcesses (96 IoCs)
  Processes (pid | process), distinct rows, each repeated many times in the report:
    1668 | pandabanker_2.5.6.vir.exe
    1120 | svchost.exe
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1292 | OptimizeDeny.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Suspicious use of AdjustPrivilegeToken (27 IoCs)
  Processes (description | pid | process), distinct rows; the svchost.exe rows are repeated many times in the report:
    Token: SeSecurityPrivilege | 1668 | pandabanker_2.5.6.vir.exe
    Token: SeSecurityPrivilege | 1292 | OptimizeDeny.exe
    Token: SeSecurityPrivilege | 1120 | svchost.exe
    Token: SeSecurityPrivilege | 1740 | svchost.exe
Processes (tree; depth shown as [1], [2], [3])
- [1] C:\Users\Admin\AppData\Local\Temp\pandabanker_2.5.6.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.5.6.vir.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Identifies Wine through registry keys
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\OptimizeDeny.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\OptimizeDeny.exe"
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd6da18749.bat"
    - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd6da18749.bat
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\1451318868ntouromlalnodry--epcr.neb (listed three times)
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\OptimizeDeny.exe (listed twice)
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\OptimizeDeny.exe
- memory/1120-6-0x0000000000000000-mapping.dmp
- memory/1292-1-0x0000000000000000-mapping.dmp
- memory/1740-8-0x0000000000000000-mapping.dmp
- memory/1768-4-0x0000000000000000-mapping.dmp