Analysis
- max time kernel: 150s
- max time network: 64s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:44
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: pandabanker_2.2.6.vir.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: pandabanker_2.2.6.vir.exe, Resource: win10v200430)
General
- Target: pandabanker_2.2.6.vir.exe
- Size: 294KB
- MD5: 1a691f702e35fb79d95eb4f18a8b3cfb
- SHA1: 3bd22c45350794e482a021e0d031769fbbbcc53c
- SHA256: 1e1684d4513c0c3ad9d15fb28b65edbb505977729bc60c61dd7f69c484bc08a2
- SHA512: b38278b12e59ba5fa2ae44e0dabc542748bb7c3ee03d0dc00c191076d4a84c7e4793b341608a8bae3c310990d9f5f8969fefb470ca0d0d108da9cd51779e0da2
Malware Config
Signatures

Loads dropped DLL (5 IoCs)
Processes (pid, process):
- 1124 pandabanker_2.2.6.vir.exe
- 1124 pandabanker_2.2.6.vir.exe
- 1312 pandabanker_2.2.6.vir.exe
- 1428 sessionstore.exe
- 1428 sessionstore.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\sessionstore.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sessionstore.exe\"" | svchost.exe
- Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run | svchost.exe
Note that the persistence entry is written by svchost.exe (the process the payload is injected into, see the process tree below), not by the dropped sessionstore.exe itself, and it points into the user's roaming profile under a Flash Player support directory, so no elevation is required to create it. Detection logic keyed on "sessionstore.exe writes a Run value" would miss this; key on the HKCU Run write and the non-standard target path instead.
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
- Token: SeSecurityPrivilege | 1312 | pandabanker_2.2.6.vir.exe
- Token: SeSecurityPrivilege | 1312 | pandabanker_2.2.6.vir.exe
- Token: SeSecurityPrivilege | 1312 | pandabanker_2.2.6.vir.exe
Deletes itself (1 IoC)
Processes (pid, process):
- 1036 cmd.exe
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | pandabanker_2.2.6.vir.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description | ioc | process):
- Key opened | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE | pandabanker_2.2.6.vir.exe
- Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\WINE | pandabanker_2.2.6.vir.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes (description | pid | process | target process):
- PID 1124 set thread context of 1312 | 1124 | pandabanker_2.2.6.vir.exe | pandabanker_2.2.6.vir.exe
- PID 1428 set thread context of 1588 | 1428 | sessionstore.exe | sessionstore.exe
In both cases the target is a second instance of the writer's own image, which together with the WriteProcessMemory records below is the process-hollowing (RunPE) sequence: spawn a suspended copy of yourself, overwrite its image, redirect the main thread. The memory dumps listed under Downloads show the same thread start address (0x40C65A) for PIDs 1312 and 1588 and a 140KB image at 0x400000-0x423000 in 1312, consistent with the same payload being hollowed into both.
Suspicious behavior: EnumeratesProcesses (246 IoCs; only the first entries are listed)
Processes (pid, process):
- 1312 pandabanker_2.2.6.vir.exe (10 entries)
- 1516 svchost.exe (all remaining listed entries)
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 1428 sessionstore.exe
- 1588 sessionstore.exe
NSIS installer (4 IoCs)
Processes (resource | yara_rule):
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe | nsis_installer
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe | nsis_installer
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe | nsis_installer
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe | nsis_installer
Suspicious use of WriteProcessMemory (44 IoCs)
Processes (description | pid | process | target process); the report lists one row per call, grouped here with counts:
- PID 1124 wrote to memory of 1312 | 1124 | pandabanker_2.2.6.vir.exe | pandabanker_2.2.6.vir.exe (10 calls)
- PID 1312 wrote to memory of 1428 | 1312 | pandabanker_2.2.6.vir.exe | sessionstore.exe (4 calls)
- PID 1428 wrote to memory of 1588 | 1428 | sessionstore.exe | sessionstore.exe (10 calls)
- PID 1588 wrote to memory of 1516 | 1588 | sessionstore.exe | svchost.exe (8 calls)
- PID 1312 wrote to memory of 1036 | 1312 | pandabanker_2.2.6.vir.exe | cmd.exe (4 calls)
- PID 1588 wrote to memory of 1816 | 1588 | sessionstore.exe | svchost.exe (8 calls)
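The WriteProcessMemory and SetThreadContext tables are flat lists of API calls; what an analyst actually wants from them is the injection graph. The script below is an added example and not part of the sandbox output: it parses the distinct rows (copied from the two tables above, repeats dropped), separates the self-hollowing pairs (same image plus a thread-context change) from writes into a different image, and walks the chain from the first pandabanker process down to the two svchost.exe targets.

```python
"""Rebuild the cross-process write / thread-context chain from this report's
"Suspicious use of WriteProcessMemory" and "Suspicious use of SetThreadContext"
records.  Added example, not part of the sandbox output: RECORDS is copied from
the tables above (one line per distinct record, repeated calls dropped)."""
import re
from collections import defaultdict

RECORDS = """
PID 1124 wrote to memory of 1312 1124 pandabanker_2.2.6.vir.exe pandabanker_2.2.6.vir.exe
PID 1312 wrote to memory of 1428 1312 pandabanker_2.2.6.vir.exe sessionstore.exe
PID 1428 wrote to memory of 1588 1428 sessionstore.exe sessionstore.exe
PID 1588 wrote to memory of 1516 1588 sessionstore.exe svchost.exe
PID 1312 wrote to memory of 1036 1312 pandabanker_2.2.6.vir.exe cmd.exe
PID 1588 wrote to memory of 1816 1588 sessionstore.exe svchost.exe
PID 1124 set thread context of 1312 1124 pandabanker_2.2.6.vir.exe pandabanker_2.2.6.vir.exe
PID 1428 set thread context of 1588 1428 sessionstore.exe sessionstore.exe
"""

# Row layout used by the sandbox: "PID <src> <op> <dst> <src> <src image> <dst image>"
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_records(text):
    """Return (src_pid, op, dst_pid, src_image, dst_image) tuples, one per line."""
    rows = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised record: %r" % line)
        rows.append((int(m["src"]), m["op"], int(m["dst"]), m["src_img"], m["dst_img"]))
    return rows


def classify(rows):
    """Sort the write edges into the two patterns an analyst cares about.

    hollowing:   writer and target run the SAME image and the writer also set the
                 target's thread context (the RunPE / process-hollowing sequence).
    cross_image: target runs a DIFFERENT image and no thread context was set. For the
                 svchost.exe targets that is injection with some other thread-start
                 method; for the freshly spawned cmd.exe it may only be the parent (or
                 the monitor) setting the child up, so confirm against a memory dump.
    """
    writes = {(s, d): (si, di) for s, op, d, si, di in rows if op == "wrote to memory of"}
    ctx = {(s, d) for s, op, d, _, _ in rows if op == "set thread context of"}
    hollowing = {e for e, (si, di) in writes.items() if e in ctx and si == di}
    cross_image = {e for e, (si, di) in writes.items() if e not in ctx and si != di}
    return {"hollowing": hollowing, "cross_image": cross_image}


def injection_chain(rows, root):
    """Depth-first walk over the write edges from `root`.
    Returns [(depth, src_pid, dst_pid, dst_image)] in visit order."""
    children, images = defaultdict(list), {}
    for s, op, d, si, di in rows:
        images.setdefault(s, si)
        if op == "wrote to memory of":
            children[s].append(d)
            images[d] = di
    out, seen = [], set()

    def walk(pid, depth):
        for child in sorted(children[pid]):
            if child in seen:
                continue
            seen.add(child)
            out.append((depth, pid, child, images[child]))
            walk(child, depth + 1)

    walk(root, 0)
    return out


if __name__ == "__main__":
    rows = parse_records(RECORDS)
    for bucket, edges in classify(rows).items():
        print(bucket, sorted(edges))
    for depth, src, dst, img in injection_chain(rows, 1124):
        print("  " * depth + "%d -> %d (%s)" % (src, dst, img))
```

Running it on the report's rows gives two hollowing pairs (1124 into 1312, 1428 into 1588) and four cross-image writes, with the chain ending in svchost.exe PIDs 1516 and 1816, which is where the Run key and certificate-store activity below is attributed.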
Looks for VMWare Tools registry key (2 TTPs)

Looks for VirtualBox Guest Additions in registry (2 TTPs)
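The BIOS, Wine, VirtualBox and VMware signatures above all describe the same technique: read well-known registry locations and bail out if they reveal a hypervisor or an emulation layer. The script below is an added example, not the sample's or the sandbox's code, that runs those checks so an analyst can see what the sample would see on an analysis VM. The SystemBiosVersion value and the two WINE keys are the paths printed in the signatures above; the VirtualBox ACPI, VirtualBox Guest Additions and VMware Tools paths are the conventional locations of those artefacts and are an assumption, since the report does not print them. The check logic is separated from the registry access so it can be exercised offline against a constructed snapshot.

```python
"""Run the registry-based environment checks this report attributes to the sample.
Added example, not the sandbox's code.  SystemBiosVersion and the WINE keys come
from the report's signatures; the VirtualBox/VMware paths are assumed (conventional
locations, not printed on the page)."""
import sys

# (hive, subkey, value name or None, check kind, detail)
CHECKS = [
    ("HKLM", r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion", "value_contains",
     ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN")),          # from the report
    ("HKCU", r"Software\WINE", None, "key_exists", "Wine"),               # from the report
    ("HKLM", r"Software\Wow6432Node\WINE", None, "key_exists", "Wine"),   # from the report
    ("HKLM", r"HARDWARE\ACPI\DSDT\VBOX__", None, "key_exists", "VirtualBox ACPI table"),  # assumed path
    ("HKLM", r"SOFTWARE\Oracle\VirtualBox Guest Additions", None, "key_exists",
     "VirtualBox Guest Additions"),                                       # assumed path
    ("HKLM", r"SOFTWARE\VMware, Inc.\VMware Tools", None, "key_exists", "VMware Tools"),  # assumed path
]


def evaluate(checks, key_exists, read_value):
    """Run every check through two callbacks so the logic is testable offline.
    key_exists(hive, subkey) -> bool; read_value(hive, subkey, name) -> data or None.
    Returns [(registry path, what it reveals)]; an empty list means the sample's
    checks would all come back clean on this host."""
    hits = []
    for hive, subkey, name, kind, detail in checks:
        path = hive + "\\" + subkey
        if kind == "key_exists":
            if key_exists(hive, subkey):
                hits.append((path, detail))
            continue
        data = read_value(hive, subkey, name)
        if data is None:
            continue
        # SystemBiosVersion is REG_MULTI_SZ, so the data may arrive as a list of strings.
        text = " ".join(data) if isinstance(data, (list, tuple)) else str(data)
        for needle in detail:
            if needle in text.upper():
                hits.append((path + "\\" + name, "BIOS string contains " + needle))
                break
    return hits


def snapshot_backend(snapshot):
    """Offline backend over a dict {'HIVE\\subkey': {value_name: data}} (constructed input)."""
    keys = {k.upper(): v for k, v in snapshot.items()}

    def key_exists(hive, subkey):
        return (hive + "\\" + subkey).upper() in keys

    def read_value(hive, subkey, name):
        return keys.get((hive + "\\" + subkey).upper(), {}).get(name)

    return key_exists, read_value


def winreg_backend():
    """Live backend for a Windows host; winreg only imports there."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}

    def key_exists(hive, subkey):
        try:
            winreg.CloseKey(winreg.OpenKey(hives[hive], subkey))
            return True
        except OSError:
            return False

    def read_value(hive, subkey, name):
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None

    return key_exists, read_value


# Constructed snapshot resembling an unhardened VirtualBox guest, used for the offline run.
SAMPLE_VBOX_SNAPSHOT = {
    r"HKLM\HARDWARE\DESCRIPTION\System": {"SystemBiosVersion": ["VBOX   - 1"]},
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": {},
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions": {"Version": "6.1.10"},
}

if __name__ == "__main__":
    backend = winreg_backend() if sys.platform == "win32" else snapshot_backend(SAMPLE_VBOX_SNAPSHOT)
    for path, why in evaluate(CHECKS, *backend) or [("-", "no sandbox indicators found")]:
        print(path, "->", why)
```

On a Windows analysis VM the live backend is used; anything it prints is a value the sample can read with the same `RegOpenKey`/`RegQueryValueEx` calls the report logged, so it is the list of things to hide (or to leave visible, if the goal is to watch the sample abort) before the next detonation.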
Modifies system certificate store
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | svchost.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95 | svchost.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | svchost.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data not shown) | svchost.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data not shown) | svchost.exe
- Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\40CEF3046C916ED7AE557F60E76842828B51DE53 | svchost.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\40CEF3046C916ED7AE557F60E76842828B51DE53\Blob = (blob data not shown) | svchost.exe
How to read this signature: the Blob value is CryptoAPI's serialised certificate context, a sequence of (property id, flags, length, data) records whose last record (property 0x20) is the DER certificate. The DER in the first blob contains, in the clear, the issuer strings "Comodo CA Limited" / "AAA Certificate Services", the subject strings "The USERTRUST Network" / "USERTrust RSA Certification Authority", and the URLs http://crl.comodoca.com/AAACertificateServices.crl and http://ocsp.comodoca.com, i.e. a public CA cross-certificate, not an attacker-supplied certificate. Writes of public-CA certificates into CurrentUser\CA (the intermediate cache) and LocalMachine\AuthRoot (the automatic root update store, here the thumbprint of the AAA Certificate Services root that issued the cross-certificate, identified from the thumbprint rather than from data on this page) are the normal side effect of a process building a TLS chain through CryptoAPI. The writer is the injected svchost.exe, so the signature most likely records its outbound TLS activity (the Network section of this page is empty, so the destinations cannot be confirmed here) rather than trust-store tampering. What would warrant escalation is a write into the Root store, or a cached certificate whose issuer is not a known public CA; decode the blob before deciding.
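The decision above rests on actually decoding the Blob value rather than trusting the key name. The script below is an added example and not the sandbox's code: it parses the CryptoAPI property records, pulls out the DER certificate, recomputes its SHA-1 thumbprint and compares it with both the stored hash property and the registry key name, checks that the stored key-identifier property matches the certificate's SubjectKeyIdentifier extension, and lists the commonName strings so the issuer and subject can be read off. BLOB_HEX is the hex printed in the table above and KEY_NAME is the last component of that key; the property-id constants are CryptoAPI's (wincrypt.h) values, while the record parser and the commonName scan are this example's own and deliberately avoid any third-party ASN.1 library.

```python
"""Decode a CryptoAPI certificate 'Blob' registry value and verify it against the key
it was stored under.  Added example, not the sandbox's code.  BLOB_HEX / KEY_NAME are
copied from the report's "Modifies system certificate store" table above."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3        # wincrypt.h: 20-byte SHA-1 of the encoded certificate
CERT_KEY_IDENTIFIER_PROP_ID = 20  # wincrypt.h: subject key identifier
CERT_CERT_PROP_ID = 32            # wincrypt.h: the DER-encoded certificate itself

KEY_NAME = "D89E3BD43D5D909B47A18977AA9D5CE36CEE184C"   # last path component of the registry key
BLOB_HEX = (
    "030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851c"
    "b8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95"
)


def parse_blob(blob):
    """A certificate Blob is a run of little-endian (prop_id u32, flags u32, length u32, data)
    records.  Returns {prop_id: data}; raises on a truncated record instead of reading past it."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, _flags, length = struct.unpack_from("<III", blob, off)
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError("property %d claims %d bytes, only %d left" % (prop_id, length, len(data)))
        props[prop_id] = data
        off += length
    return props


def common_names(der):
    """commonName (OID 2.5.4.3) strings in the order they appear (issuer first, then subject),
    found by locating the encoded OID and reading the string value that follows it.
    Handles short-form lengths only, which is enough for CA names."""
    oid = b"\x06\x03\x55\x04\x03"
    names, pos = [], 0
    while True:
        pos = der.find(oid, pos)
        if pos < 0 or pos + 7 > len(der):
            break
        tag, length = der[pos + 5], der[pos + 6]
        if tag in (0x0C, 0x13, 0x16) and length < 0x80:   # UTF8String / PrintableString / IA5String
            names.append(der[pos + 7:pos + 7 + length].decode("ascii", "replace"))
        pos += len(oid)
    return names


def subject_key_id(der):
    """20-byte value of the SubjectKeyIdentifier extension (OID 2.5.29.14), or None."""
    marker = b"\x06\x03\x55\x1d\x0e\x04\x16\x04\x14"
    pos = der.find(marker)
    return None if pos < 0 else der[pos + len(marker):pos + len(marker) + 20]


def verify(blob_hex, key_name):
    """Decode the blob and cross-check the certificate against what the store claims about it."""
    props = parse_blob(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    thumb = hashlib.sha1(der)
    return {
        "thumbprint": thumb.hexdigest().upper(),
        "matches_key_name": thumb.hexdigest().upper() == key_name.upper(),
        "matches_stored_hash": thumb.digest() == props.get(CERT_SHA1_HASH_PROP_ID),
        "ski_matches_property": subject_key_id(der) == props.get(CERT_KEY_IDENTIFIER_PROP_ID),
        "der_length": len(der),
        "common_names": common_names(der),
    }


if __name__ == "__main__":
    for k, v in verify(BLOB_HEX, KEY_NAME).items():
        print("%-22s %s" % (k, v))
```

A blob whose recomputed thumbprint does not match the key it is stored under, or whose commonName strings are not a CA you recognise, is the case worth pulling apart further; for this sample all three checks agree and the names are those of a public CA.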
Processes
Nesting shows the parent/child relationship; the number is the depth. PIDs are taken from the signature tables above (the tree itself does not print them).
1. C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.6.vir.exe (PID 1124)
   Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.6.vir.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.6.vir.exe (PID 1312, hollowed by 1124)
      Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.6.vir.exe"
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe (PID 1428)
         Command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe"
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe (PID 1588, hollowed by 1428)
            Command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\svchost.exe (PID 1516, written to by 1588)
               Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
               - Adds Run key to start application
               - Suspicious behavior: EnumeratesProcesses
               - Modifies system certificate store
            5. C:\Windows\SysWOW64\svchost.exe (PID 1816, written to by 1588)
               Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      3. C:\Windows\SysWOW64\cmd.exe (PID 1036)
         Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\updc89f72e2.bat"
         - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files:
- C:\Users\Admin\AppData\Local\Temp\updc89f72e2.bat
- C:\Users\Admin\AppData\Roaming\AUTHORS
- C:\Users\Admin\AppData\Roaming\Bogey.a
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe (listed three times)
- C:\Users\Admin\AppData\Roaming\NsRandom.dll
- C:\Users\Admin\AppData\Roaming\SplitOdor.XSr
- C:\Users\Admin\AppData\Roaming\filezilla.mo
- C:\Users\Admin\AppData\Roaming\reconnect.png
- C:\Users\Admin\AppData\Roaming\toolbar.xml
- \Users\Admin\AppData\Local\Temp\nsk44BD.tmp\System.dll
- \Users\Admin\AppData\Local\Temp\nsvA2E.tmp\System.dll
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe
- \Users\Admin\AppData\Roaming\NsRandom.dll (listed twice)
Memory dumps:
- memory/1036-23-0x0000000000000000-mapping.dmp
- memory/1312-4-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
- memory/1312-3-0x000000000040C65A-mapping.dmp
- memory/1312-2-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
- memory/1428-6-0x0000000000000000-mapping.dmp
- memory/1516-22-0x0000000000000000-mapping.dmp
- memory/1588-19-0x000000000040C65A-mapping.dmp
- memory/1816-25-0x0000000000000000-mapping.dmp