Analysis
- Max time kernel: 149s
- Max time network: 114s
- Platform: windows10_x64
- Resource: win10
- Submitted: 19-07-2020 19:40
- Static task: static1
- Behavioral task: behavioral1 (sample: pandabanker_2.5.6.vir.exe, resource: win7)
- Behavioral task: behavioral2 (sample: pandabanker_2.5.6.vir.exe, resource: win10)
General
- Target: pandabanker_2.5.6.vir.exe
- Size: 333KB
- MD5: 5f4ddfe85a833c8b94fab8ab4c9e8fcd
- SHA1: f47b802940ffb8a23b5fa51da2868ecbeabf4dad
- SHA256: ae96dbb67a548c38a292255130c47b99ec028e6afa228d62980a03ba9d7f03b0
- SHA512: 70f4babdf85b964d088c9142a0bec51cc6ec6d275597c7bef3133354d338dcc9922555fa560443a9e6d6c07cf20bb1634f5370ec4d1b9b12b7e487bfa0d0e0e1
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description / pid / process / target process):
  - PID 3856 pandabanker_2.5.6.vir.exe wrote to memory of PID 4076 xulstore.exe (3 entries)
  - PID 3856 pandabanker_2.5.6.vir.exe wrote to memory of PID 3852 cmd.exe (3 entries)
  - PID 4076 xulstore.exe wrote to memory of PID 1220 svchost.exe (7 entries)
  - PID 4076 xulstore.exe wrote to memory of PID 1512 svchost.exe (7 entries)
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 4076 xulstore.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE (pandabanker_2.5.6.vir.exe)
  - Key opened: \REGISTRY\MACHINE\Software\WOW6432Node\WINE (pandabanker_2.5.6.vir.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run (svchost.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\xulstore.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\xulstore.exe" (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (106 IoCs)
  Processes (pid / process):
  - 3856 pandabanker_2.5.6.vir.exe (repeated entries)
  - 1220 svchost.exe (repeated entries)
- Suspicious use of AdjustPrivilegeToken (27 IoCs)
  Processes (description / pid / process), every entry Token: SeSecurityPrivilege, in the order listed:
  - 3856 pandabanker_2.5.6.vir.exe (1 entry)
  - 4076 xulstore.exe (2 entries)
  - 1220 svchost.exe (9 entries)
  - 1512 svchost.exe (1 entry)
  - 1220 svchost.exe (14 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\pandabanker_2.5.6.vir.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.5.6.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Identifies Wine through registry keys
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\xulstore.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\xulstore.exe"
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\svchost.exe (depth 3)
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\svchost.exe (depth 3)
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\updd61d3314.bat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\updd61d3314.bat
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\compatibility.wuu (listed 3 times)
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\xulstore.exe (listed 2 times)
- memory/1220-5-0x0000000000000000-mapping.dmp
- memory/1512-7-0x0000000000000000-mapping.dmp
- memory/3852-3-0x0000000000000000-mapping.dmp
- memory/4076-0-0x0000000000000000-mapping.dmp