Analysis
-
max time kernel
142s -
max time network
41s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
19-07-2020 19:51
Static task
static1
Behavioral task
behavioral1
Sample
pandabanker_2.4.4.vir.exe
Resource
win7v200430
General
-
Target
pandabanker_2.4.4.vir.exe
-
Size
118KB
-
MD5
6918dea2c2c65729565dc198ee23e259
-
SHA1
2aa9a74b2221b1ff0d645773351ef3a4a082a5fd
-
SHA256
dc2d2f5e3a65bf4799b13a7e8e1f7729056af113e2d8932995dcde0e9c16e13f
-
SHA512
2bce547dd3bab1a20fe9535cc8d3711b6e8f73681fc4731a3b323d6ec8a7b23b8c85b30293ff6146a89e242b795124801548aabd092554b573db48cd46e61035
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
2918063365piupsah.exepid process 1264 2918063365piupsah.exe -
Looks for VMWare Tools registry key 2 TTPs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
pandabanker_2.4.4.vir.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\WINE pandabanker_2.4.4.vir.exe Key opened \REGISTRY\MACHINE\Software\Wow6432Node\WINE pandabanker_2.4.4.vir.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1072 cmd.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
pandabanker_2.4.4.vir.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion pandabanker_2.4.4.vir.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pandabanker_2.4.4.vir.exepid process 324 pandabanker_2.4.4.vir.exe 324 pandabanker_2.4.4.vir.exe 324 pandabanker_2.4.4.vir.exe 324 pandabanker_2.4.4.vir.exe 324 pandabanker_2.4.4.vir.exe 324 pandabanker_2.4.4.vir.exe 324 pandabanker_2.4.4.vir.exe 324 pandabanker_2.4.4.vir.exe 324 pandabanker_2.4.4.vir.exe 324 pandabanker_2.4.4.vir.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
pandabanker_2.4.4.vir.exedescription pid process Token: SeSecurityPrivilege 324 pandabanker_2.4.4.vir.exe -
Loads dropped DLL 2 IoCs
Processes:
pandabanker_2.4.4.vir.exepid process 324 pandabanker_2.4.4.vir.exe 324 pandabanker_2.4.4.vir.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
pandabanker_2.4.4.vir.exe2918063365piupsah.exedescription pid process target process PID 324 wrote to memory of 1264 324 pandabanker_2.4.4.vir.exe 2918063365piupsah.exe PID 324 wrote to memory of 1264 324 pandabanker_2.4.4.vir.exe 2918063365piupsah.exe PID 324 wrote to memory of 1264 324 pandabanker_2.4.4.vir.exe 2918063365piupsah.exe PID 324 wrote to memory of 1264 324 pandabanker_2.4.4.vir.exe 2918063365piupsah.exe PID 1264 wrote to memory of 1420 1264 2918063365piupsah.exe svchost.exe PID 1264 wrote to memory of 1420 1264 2918063365piupsah.exe svchost.exe PID 1264 wrote to memory of 1420 1264 2918063365piupsah.exe svchost.exe PID 1264 wrote to memory of 1420 1264 2918063365piupsah.exe svchost.exe PID 1264 wrote to memory of 1420 1264 2918063365piupsah.exe svchost.exe PID 1264 wrote to memory of 1420 1264 2918063365piupsah.exe svchost.exe PID 1264 wrote to memory of 1420 1264 2918063365piupsah.exe svchost.exe PID 1264 wrote to memory of 1420 1264 2918063365piupsah.exe svchost.exe PID 1264 wrote to memory of 676 1264 2918063365piupsah.exe svchost.exe PID 1264 wrote to memory of 676 1264 2918063365piupsah.exe svchost.exe PID 1264 wrote to memory of 676 1264 2918063365piupsah.exe svchost.exe PID 1264 wrote to memory of 676 1264 2918063365piupsah.exe svchost.exe PID 1264 wrote to memory of 676 1264 2918063365piupsah.exe svchost.exe PID 1264 wrote to memory of 676 1264 2918063365piupsah.exe svchost.exe PID 1264 wrote to memory of 676 1264 2918063365piupsah.exe svchost.exe PID 1264 wrote to memory of 676 1264 2918063365piupsah.exe svchost.exe PID 324 wrote to memory of 1072 324 pandabanker_2.4.4.vir.exe cmd.exe PID 324 wrote to memory of 1072 324 pandabanker_2.4.4.vir.exe cmd.exe PID 324 wrote to memory of 1072 324 pandabanker_2.4.4.vir.exe cmd.exe PID 324 wrote to memory of 1072 324 pandabanker_2.4.4.vir.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\pandabanker_2.4.4.vir.exe"C:\Users\Admin\AppData\Local\Temp\pandabanker_2.4.4.vir.exe"1⤵
- Identifies Wine through registry keys
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\2918063365piupsah.exe"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\2918063365piupsah.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs3⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd3a2e7ffb.bat"2⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\upd3a2e7ffb.bat
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\2918063365piupsah.exe
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\2918063365piupsah.exe
-
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\2918063365piupsah.exe
-
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\2918063365piupsah.exe
-
memory/676-6-0x0000000000000000-mapping.dmp
-
memory/1072-7-0x0000000000000000-mapping.dmp
-
memory/1264-2-0x0000000000000000-mapping.dmp
-
memory/1420-5-0x0000000000000000-mapping.dmp