Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 19:46

Static task: static1
Behavioral task: behavioral1
Sample: pandabanker_2.2.4.vir.exe
Resource: win7
General
- Target: pandabanker_2.2.4.vir.exe
- Size: 121KB
- MD5: 233416e0ab343dfb8901cb23f3057446
- SHA1: ce26ebb2070d5e0ec55f055fdafadf823979b4e7
- SHA256: e4943560d76692bfd6d1e9982e717f8ae79b1577fff1d943c9aaa3d5e2f06fde
- SHA512: c509467233dee26ce6b53e7b3665d6f85c4e8c172d062b7afe932a3a565ab9740e1ee7b9e4be71b43283495edb2a77f93dd98bc02c4aaebd97fd3c9bbc61a1ef
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: pandabanker_2.2.4.vir.exe
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  pandabanker_2.2.4.vir.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: pandabanker_2.2.4.vir.exe
    description  ioc                                                                         process
    Key opened   \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE  pandabanker_2.2.4.vir.exe
    Key opened   \REGISTRY\MACHINE\Software\WOW6432Node\WINE                                  pandabanker_2.2.4.vir.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: pandabanker_2.2.4.vir.exe, SkipExit.exe
  (identical rows grouped; the count column gives the number of "wrote to memory of" events recorded)
    pid   process                    target pid  target process  events
    3676  pandabanker_2.2.4.vir.exe  3892        SkipExit.exe    3
    3892  SkipExit.exe               4044        svchost.exe     7
    3892  SkipExit.exe               3856        svchost.exe     7
    3676  pandabanker_2.2.4.vir.exe  3928        cmd.exe         3
- Looks for VMWare Tools registry key (2 TTPs)

- Looks for VirtualBox Guest Additions in registry (2 TTPs)

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Processes: pandabanker_2.2.4.vir.exe, SkipExit.exe, svchost.exe, svchost.exe
  (identical rows grouped; the count column gives the number of token-adjustment events recorded)
    description                 pid   process                    events
    Token: SeSecurityPrivilege  3676  pandabanker_2.2.4.vir.exe  5
    Token: SeSecurityPrivilege  3892  SkipExit.exe               5
    Token: SeSecurityPrivilege  4044  svchost.exe                4
    Token: SeSecurityPrivilege  3856  svchost.exe                4
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes: pandabanker_2.2.4.vir.exe
    pid   process                    events
    3676  pandabanker_2.2.4.vir.exe  20
- Executes dropped EXE (1 IoC)
  Processes: SkipExit.exe
    pid   process
    3892  SkipExit.exe
Processes
(process tree; nesting shows parent/child relationship, depth given in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.4.vir.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.4.vir.exe"
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - [2] C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\SkipExit.exe
    command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\SkipExit.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Executes dropped EXE
    - [3] C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd8e9062a6.bat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd8e9062a6.bat
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\1657114595AmcateirvtiSty.ysu
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\1657114595AmcateirvtiSty.ysu
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\SkipExit.exe
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\SkipExit.exe
- memory/3856-5-0x0000000000000000-mapping.dmp
- memory/3892-0-0x0000000000000000-mapping.dmp
- memory/3928-7-0x0000000000000000-mapping.dmp
- memory/4044-3-0x0000000000000000-mapping.dmp