Analysis
- max time kernel: 133s
- max time network: 109s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 19:51

Static task: static1
Behavioral task: behavioral1
Sample: pandabanker_2.4.4.vir.exe
Resource: win7v200430

General
- Target: pandabanker_2.4.4.vir.exe
- Size: 118KB
- MD5: 6918dea2c2c65729565dc198ee23e259
- SHA1: 2aa9a74b2221b1ff0d645773351ef3a4a082a5fd
- SHA256: dc2d2f5e3a65bf4799b13a7e8e1f7729056af113e2d8932995dcde0e9c16e13f
- SHA512: 2bce547dd3bab1a20fe9535cc8d3711b6e8f73681fc4731a3b323d6ec8a7b23b8c85b30293ff6146a89e242b795124801548aabd092554b573db48cd46e61035
Malware Config

Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Reads user/profile data of web browsers [2 TTPs]
  Infostealers often target stored browser data, which can include saved credentials.
- Looks for VMWare Tools registry key [2 TTPs]
- Suspicious use of AdjustPrivilegeToken [1 IoCs]
  Processes:

  | description | pid | process |
  |---|---|---|
  | Token: SeSecurityPrivilege | 896 | pandabanker_2.4.4.vir.exe |

- Suspicious use of WriteProcessMemory [20 IoCs]
  Processes (identical rows collapsed; "count" is the number of times the row was recorded):

  | description | pid | process | target process | count |
  |---|---|---|---|---|
  | PID 896 wrote to memory of 1456 | 896 | pandabanker_2.4.4.vir.exe | TraceWatch.exe | 3 |
  | PID 1456 wrote to memory of 1596 | 1456 | TraceWatch.exe | svchost.exe | 7 |
  | PID 1456 wrote to memory of 1820 | 1456 | TraceWatch.exe | svchost.exe | 7 |
  | PID 896 wrote to memory of 1068 | 896 | pandabanker_2.4.4.vir.exe | cmd.exe | 3 |

- Executes dropped EXE [1 IoCs]
  Processes:

  | pid | process |
  |---|---|
  | 1456 | TraceWatch.exe |

- Looks for VirtualBox Guest Additions in registry [2 TTPs]
- Checks BIOS information in registry [2 TTPs, 1 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:

  | description | ioc | process |
  |---|---|---|
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | pandabanker_2.4.4.vir.exe |

- Identifies Wine through registry keys [2 TTPs, 2 IoCs]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:

  | description | ioc | process |
  |---|---|---|
  | Key opened | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\WINE | pandabanker_2.4.4.vir.exe |
  | Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\WINE | pandabanker_2.4.4.vir.exe |

- Suspicious behavior: EnumeratesProcesses [20 IoCs]
  Processes (identical rows collapsed; "count" is the number of times the row was recorded):

  | pid | process | count |
  |---|---|---|
  | 896 | pandabanker_2.4.4.vir.exe | 20 |
Processes
- C:\Users\Admin\AppData\Local\Temp\pandabanker_2.4.4.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.4.4.vir.exe"
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious behavior: EnumeratesProcesses
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\TraceWatch.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\TraceWatch.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    Child processes:
    - C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
    - C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd620bc5c7.bat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd620bc5c7.bat
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\TraceWatch.exe
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\TraceWatch.exe
- memory/1068-5-0x0000000000000000-mapping.dmp
- memory/1456-0-0x0000000000000000-mapping.dmp
- memory/1596-3-0x0000000000000000-mapping.dmp
- memory/1820-4-0x0000000000000000-mapping.dmp