Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 19:29
Static task: static1
Behavioral task: behavioral1
Sample: pandabanker_2.2.14.vir.exe
Resource: win7v200430
General
- Target: pandabanker_2.2.14.vir.exe
- Size: 386KB
- MD5: 3453925306c0f929dc8d2ae529cac793
- SHA1: 9bd2acbaa355e5bab33e0e8a112a24da3e623f19
- SHA256: e8012d5c00deb0a3684d7767de19e4dea2ff536060fe5671393252152b0b1d8f
- SHA512: 57e0b40d6f0584dc72b7a5bed7966ee2d7114e33c4284a92f1af70b4a99e9630b02fbddc58c066eb05b809c9d3905d0101242bd73eb49987f4eb967b21bfe957
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes (pid | process):
    972 | pandabanker_2.2.14.vir.exe   (20 identical entries)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description | pid | process | target process):
    PID 972 wrote to memory of 1868  | 972  | pandabanker_2.2.14.vir.exe | webappsstore.exe   (3 entries)
    PID 1868 wrote to memory of 2192 | 1868 | webappsstore.exe           | svchost.exe        (7 entries)
    PID 1868 wrote to memory of 2540 | 1868 | webappsstore.exe           | svchost.exe        (7 entries)
    PID 972 wrote to memory of 2788  | 972  | pandabanker_2.2.14.vir.exe | cmd.exe            (3 entries)
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1868 | webappsstore.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Looks for VMWare Tools registry key (2 TTPs)
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeSecurityPrivilege | 972 | pandabanker_2.2.14.vir.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | pandabanker_2.2.14.vir.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\WINE | pandabanker_2.2.14.vir.exe
    Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\WINE | pandabanker_2.2.14.vir.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.14.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.14.vir.exe"
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - (depth 2) C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\webappsstore.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\webappsstore.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - (depth 3) C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
    - (depth 3) C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\updf583c4e3.bat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\updf583c4e3.bat
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\webappsstore.exe
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\webappsstore.exe
- memory/1868-0-0x0000000000000000-mapping.dmp
- memory/2192-3-0x0000000000000000-mapping.dmp
- memory/2540-4-0x0000000000000000-mapping.dmp
- memory/2788-5-0x0000000000000000-mapping.dmp