Analysis
- max time kernel: 138s
- max time network: 48s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 19:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: pandabanker_2.2.2.vir.exe
- Resource: win7
General
- Target: pandabanker_2.2.2.vir.exe
- Size: 330KB
- MD5: 89a27b8f3355933e99bb47083aba9744
- SHA1: 44be1e76b73faa435d43f387940f15c63cc636a1
- SHA256: a6214596a7509e1456c46502e83032adf2ca9480a0fe29403dee24094e04df67
- SHA512: f28a7e60047298f0281c130f1c90b766495767300f221ad67e27cb7f0d1f694c0d36e9ea074e672564e91c8707baeb51e53f980c456accc14f9c455fcd27f9f1
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Suspicious behavior: EnumeratesProcesses [20 IoCs]
  Processes (pid / process), 20 identical entries:
    3724  pandabanker_2.2.2.vir.exe
- Suspicious use of WriteProcessMemory [20 IoCs]
  Processes (description / pid / process / target process):
    PID 3724 wrote to memory of 1280  3724  pandabanker_2.2.2.vir.exe  PublishExit.exe  (3 entries)
    PID 1280 wrote to memory of 1844  1280  PublishExit.exe            svchost.exe      (7 entries)
    PID 1280 wrote to memory of 2616  1280  PublishExit.exe            svchost.exe      (7 entries)
    PID 3724 wrote to memory of 2784  3724  pandabanker_2.2.2.vir.exe  cmd.exe          (3 entries)
- Looks for VirtualBox Guest Additions in registry [2 TTPs]
- Checks BIOS information in registry [2 TTPs, 1 IoC]
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  pandabanker_2.2.2.vir.exe
- Identifies Wine through registry keys [2 TTPs, 2 IoCs]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\WINE  pandabanker_2.2.2.vir.exe
    Key opened  \REGISTRY\MACHINE\Software\WOW6432Node\WINE  pandabanker_2.2.2.vir.exe
- Reads user/profile data of web browsers [2 TTPs]
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of AdjustPrivilegeToken [3 IoCs]
  Processes (description / pid / process), 3 identical entries:
    Token: SeSecurityPrivilege  3724  pandabanker_2.2.2.vir.exe
- Executes dropped EXE [1 IoC]
  Processes (pid / process):
    1280  PublishExit.exe
- Looks for VMWare Tools registry key [2 TTPs]
Processes
- C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.2.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.2.vir.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ah406040.default-release\datareporting\archived\2020-04\PublishExit.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ah406040.default-release\datareporting\archived\2020-04\PublishExit.exe"
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
    - C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd61259483.bat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd61259483.bat
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ah406040.default-release\datareporting\archived\2020-04\PublishExit.exe
- memory/1280-0-0x0000000000000000-mapping.dmp
- memory/1844-3-0x0000000000000000-mapping.dmp
- memory/2616-4-0x0000000000000000-mapping.dmp
- memory/2784-5-0x0000000000000000-mapping.dmp