Analysis
max time kernel: 53s
max time network: 12s
platform: windows7_x64
resource: win7
submitted: 19-07-2020 19:46

Static task: static1
Behavioral task: behavioral1
Sample: pandabanker_2.2.4.vir.exe
Resource: win7
General
Target: pandabanker_2.2.4.vir.exe
Size: 121KB
MD5: 233416e0ab343dfb8901cb23f3057446
SHA1: ce26ebb2070d5e0ec55f055fdafadf823979b4e7
SHA256: e4943560d76692bfd6d1e9982e717f8ae79b1577fff1d943c9aaa3d5e2f06fde
SHA512: c509467233dee26ce6b53e7b3665d6f85c4e8c172d062b7afe932a3a565ab9740e1ee7b9e4be71b43283495edb2a77f93dd98bc02c4aaebd97fd3c9bbc61a1ef
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                               process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  pandabanker_2.2.4.vir.exe

Suspicious use of AdjustPrivilegeToken (18 IoCs)
Processes (identical events collapsed, count in last column):
  description                 pid   process                    count
  Token: SeSecurityPrivilege  1156  pandabanker_2.2.4.vir.exe  5
  Token: SeSecurityPrivilege  1196  installs.exe               5
  Token: SeSecurityPrivilege  1332  svchost.exe                4
  Token: SeSecurityPrivilege  1448  svchost.exe                4

Suspicious use of WriteProcessMemory (33 IoCs)
Processes (identical events collapsed, count in last column):
  description                   pid   process                    target pid  target process  count
  PID 1156 wrote to memory of   1156  pandabanker_2.2.4.vir.exe  1196        installs.exe    7
  PID 1196 wrote to memory of   1196  installs.exe               1332        svchost.exe     11
  PID 1196 wrote to memory of   1196  installs.exe               1448        svchost.exe     11
  PID 1156 wrote to memory of   1156  pandabanker_2.2.4.vir.exe  272         cmd.exe         4

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Deletes itself (1 IoC)
Processes:
  pid  process
  272  cmd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Looks for VMWare Tools registry key (2 TTPs)

Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description  ioc                                                                                  process
  Key opened   \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE           pandabanker_2.2.4.vir.exe
  Key opened   \REGISTRY\MACHINE\Software\Wow6432Node\WINE                                          pandabanker_2.2.4.vir.exe
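The BIOS, VirtualBox, VMware and Wine signatures above all reduce to the same triage step: take the registry keys a sample touched and ask which analysis environment each one would reveal. The script below is an added example for this report, not code from the sandbox vendor or from the sample. Its input lines are transcribed from the "Key value queried" / "Key opened" IoCs listed above (plus one constructed Run-key line as a negative control); the table of evasion keys is this example's own assumption of well-known artefact paths, and the HKLM/HKCU normalisation (including dropping Wow6432Node) is how it makes the sandbox's native key paths comparable to that table.

```python
"""Classify sandbox-reported registry accesses as anti-VM / anti-sandbox probes.

Added example for this report; the EVASION_KEYS table and the normalisation
rules are assumptions of this example, not the sandbox's own signature logic.
"""
import re
from collections import defaultdict

# Assumed list of well-known artefact keys and the environment each reveals.
# Matched case-insensitively as a prefix of the normalised key path.
EVASION_KEYS = {
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "bios-string (generic sandbox/VM check)",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "bios-string (generic sandbox/VM check)",
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": "VirtualBox (ACPI table name)",
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__": "VirtualBox (ACPI table name)",
    r"HKLM\HARDWARE\ACPI\RSDT\VBOX__": "VirtualBox (ACPI table name)",
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions": "VirtualBox Guest Additions",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools": "VMware Tools",
    r"HKCU\Software\Wine": "Wine",
    r"HKLM\SOFTWARE\Wine": "Wine",
}

# Constructed input: the three registry IoCs from this report, in the report's own
# "<operation> <path> <process>" shape, plus one benign Run-key line as a control.
REPORT_IOCS = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion pandabanker_2.2.4.vir.exe
Key opened \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE pandabanker_2.2.4.vir.exe
Key opened \REGISTRY\MACHINE\Software\Wow6432Node\WINE pandabanker_2.2.4.vir.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pandabanker_2.2.4.vir.exe
"""

_IOC_RE = re.compile(r"^(Key value queried|Key opened|Key created|Key value set)\s+(\\REGISTRY\\\S+)\s+(\S+)$")


def normalise(path: str) -> str:
    """Map native object-manager paths onto HKLM/HKCU and drop the WOW64 redirection node."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+\\", r"HKCU\\", p, flags=re.I)
    p = re.sub(r"^(HKLM\\Software\\)Wow6432Node\\", r"\1", p, flags=re.I)
    return p


def classify(ioc_text: str) -> dict:
    """Return {process: [(operation, normalised_path, environment_label), ...]} for matching keys."""
    hits = defaultdict(list)
    for line in ioc_text.splitlines():
        m = _IOC_RE.match(line.strip())
        if not m:
            continue  # blank line or a record shape this parser does not know
        op, raw_path, proc = m.groups()
        path = normalise(raw_path)
        label = next((v for k, v in EVASION_KEYS.items() if path.lower().startswith(k.lower())), None)
        if label:
            hits[proc].append((op, path, label))
    return dict(hits)


def summarise(hits: dict) -> dict:
    """Distinct environment families each process probed for (the signal an analyst reads)."""
    return {proc: sorted({label for _, _, label in recs}) for proc, recs in hits.items()}


if __name__ == "__main__":
    for proc, fams in summarise(classify(REPORT_IOCS)).items():
        print(proc, "->", ", ".join(fams))
```

A single SystemBiosVersion read is weak evidence on its own, because installers and licensing code read it too; the Wine checks, and in this report the separate VirtualBox ACPI, Guest Additions and VMware Tools signatures, are what turn it into a deliberate environment fingerprint. The Run-key line is the reason the control exists: a classifier that only grows the key table will still stay silent on ordinary persistence reads.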
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes (identical events collapsed, count in last column):
  pid   process                    count
  1156  pandabanker_2.2.4.vir.exe  10

Loads dropped DLL (4 IoCs)
Processes (identical events collapsed, count in last column):
  pid   process                    count
  1156  pandabanker_2.2.4.vir.exe  1
  1196  installs.exe               3

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1196  installs.exe
Processes (tree; PIDs taken from the IoC tables above)

C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.4.vir.exe (PID 1156)
  command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.4.vir.exe"
  - Checks BIOS information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Identifies Wine through registry keys
  - Suspicious behavior: EnumeratesProcesses
  - Loads dropped DLL

  C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\installs.exe (PID 1196)
    command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\installs.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Loads dropped DLL
    - Executes dropped EXE

    C:\Windows\SysWOW64\svchost.exe (PID 1332)
      command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\svchost.exe (PID 1448)
      command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 272)
    command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\updeb2d5049.bat"
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (verbatim duplicate entries collapsed, count noted)
C:\Users\Admin\AppData\Local\Temp\updeb2d5049.bat
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\installs.exe (listed 2 times)
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\times.nyo (listed 2 times)
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\installs.exe (listed 4 times)
memory/272-11-0x0000000000000000-mapping.dmp
memory/1196-1-0x0000000000000000-mapping.dmp
memory/1332-7-0x0000000000000000-mapping.dmp
memory/1448-9-0x0000000000000000-mapping.dmp