Analysis
- max time kernel: 112s
- max time network: 117s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: pandabanker_2.2.2.vir.exe
- Resource: win7
General
- Target: pandabanker_2.2.2.vir.exe
- Size: 330KB
- MD5: 89a27b8f3355933e99bb47083aba9744
- SHA1: 44be1e76b73faa435d43f387940f15c63cc636a1
- SHA256: a6214596a7509e1456c46502e83032adf2ca9480a0fe29403dee24094e04df67
- SHA512: f28a7e60047298f0281c130f1c90b766495767300f221ad67e27cb7f0d1f694c0d36e9ea074e672564e91c8707baeb51e53f980c456accc14f9c455fcd27f9f1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  - 1848 | Desktop.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid | process):
  - 1768 | pandabanker_2.2.2.vir.exe (10 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  - Token: SeSecurityPrivilege | 1768 | pandabanker_2.2.2.vir.exe (3 identical entries)
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  - 1768 | pandabanker_2.2.2.vir.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description | pid | process | target process):
  - PID 1768 wrote to memory of 1848 | 1768 | pandabanker_2.2.2.vir.exe | Desktop.exe (4 identical entries)
  - PID 1848 wrote to memory of 1948 | 1848 | Desktop.exe | svchost.exe (8 identical entries)
  - PID 1848 wrote to memory of 2012 | 1848 | Desktop.exe | svchost.exe (8 identical entries)
  - PID 1768 wrote to memory of 1144 | 1768 | pandabanker_2.2.2.vir.exe | cmd.exe (4 identical entries)
- Deletes itself (1 IoC)
  Processes (pid | process):
  - 1144 | cmd.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | pandabanker_2.2.2.vir.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE | pandabanker_2.2.2.vir.exe
  - Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\WINE | pandabanker_2.2.2.vir.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.2.vir.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.2.vir.exe"
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\datareporting\archived\2020-06\Desktop.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\datareporting\archived\2020-06\Desktop.exe"
    Signatures:
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\svchost.exe (level 3)
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
    - C:\Windows\SysWOW64\svchost.exe (level 3)
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd17dd8abc.bat"
    Signatures:
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd17dd8abc.bat
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\datareporting\archived\2020-06\Desktop.exe
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\datareporting\archived\2020-06\Desktop.exe
- \Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\datareporting\archived\2020-06\Desktop.exe
- memory/1144-6-0x0000000000000000-mapping.dmp
- memory/1848-1-0x0000000000000000-mapping.dmp
- memory/1948-4-0x0000000000000000-mapping.dmp
- memory/2012-5-0x0000000000000000-mapping.dmp