1e1684d4513c0c3ad9d15fb28b65edbb505977729bc60c61dd7f69c484bc08a2

General

Target

pandabanker_2.2.6.vir.exe
Size

294KB
MD5

1a691f702e35fb79d95eb4f18a8b3cfb
SHA1

3bd22c45350794e482a021e0d031769fbbbcc53c
SHA256

1e1684d4513c0c3ad9d15fb28b65edbb505977729bc60c61dd7f69c484bc08a2
SHA512

b38278b12e59ba5fa2ae44e0dabc542748bb7c3ee03d0dc00c191076d4a84c7e4793b341608a8bae3c310990d9f5f8969fefb470ca0d0d108da9cd51779e0da2

Score

9^/10

evasion spyware persistence

Malware Config

Signatures

Loads dropped DLL 5 IoCs

Processes:

pandabanker_2.2.6.vir.exepandabanker_2.2.6.vir.exesessionstore.exe

pid process

1124 pandabanker_2.2.6.vir.exe
1124 pandabanker_2.2.6.vir.exe
1312 pandabanker_2.2.6.vir.exe
1428 sessionstore.exe
1428 sessionstore.exe

pid	process
1124	pandabanker_2.2.6.vir.exe
1124	pandabanker_2.2.6.vir.exe
1312	pandabanker_2.2.6.vir.exe
1428	sessionstore.exe
1428	sessionstore.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\sessionstore.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sessionstore.exe\""	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pandabanker_2.2.6.vir.exe

description	pid	process
Token: SeSecurityPrivilege	1312	pandabanker_2.2.6.vir.exe
Token: SeSecurityPrivilege	1312	pandabanker_2.2.6.vir.exe
Token: SeSecurityPrivilege	1312	pandabanker_2.2.6.vir.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1036 cmd.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

pandabanker_2.2.6.vir.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion pandabanker_2.2.6.vir.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

pid	process
1036	cmd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pandabanker_2.2.6.vir.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

pandabanker_2.2.6.vir.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE	pandabanker_2.2.6.vir.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\WINE	pandabanker_2.2.6.vir.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

pandabanker_2.2.6.vir.exesessionstore.exe

description	pid	process	target process
PID 1124 set thread context of 1312	1124	pandabanker_2.2.6.vir.exe	pandabanker_2.2.6.vir.exe
PID 1428 set thread context of 1588	1428	sessionstore.exe	sessionstore.exe

Suspicious behavior: EnumeratesProcesses 246 IoCs

Processes:

pandabanker_2.2.6.vir.exesvchost.exe

pid	process
1312	pandabanker_2.2.6.vir.exe
1312	pandabanker_2.2.6.vir.exe
1312	pandabanker_2.2.6.vir.exe
1312	pandabanker_2.2.6.vir.exe
1312	pandabanker_2.2.6.vir.exe
1312	pandabanker_2.2.6.vir.exe
1312	pandabanker_2.2.6.vir.exe
1312	pandabanker_2.2.6.vir.exe
1312	pandabanker_2.2.6.vir.exe
1312	pandabanker_2.2.6.vir.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe

Executes dropped EXE 2 IoCs

Processes:

sessionstore.exesessionstore.exe

pid process

1428 sessionstore.exe
1588 sessionstore.exe

pid	process
1428	sessionstore.exe
1588	sessionstore.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe	nsis_installer
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe	nsis_installer
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe	nsis_installer
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe	nsis_installer

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

pandabanker_2.2.6.vir.exepandabanker_2.2.6.vir.exesessionstore.exesessionstore.exe

description	pid	process	target process
PID 1124 wrote to memory of 1312	1124	pandabanker_2.2.6.vir.exe	pandabanker_2.2.6.vir.exe
PID 1124 wrote to memory of 1312	1124	pandabanker_2.2.6.vir.exe	pandabanker_2.2.6.vir.exe
PID 1124 wrote to memory of 1312	1124	pandabanker_2.2.6.vir.exe	pandabanker_2.2.6.vir.exe
PID 1124 wrote to memory of 1312	1124	pandabanker_2.2.6.vir.exe	pandabanker_2.2.6.vir.exe
PID 1124 wrote to memory of 1312	1124	pandabanker_2.2.6.vir.exe	pandabanker_2.2.6.vir.exe
PID 1124 wrote to memory of 1312	1124	pandabanker_2.2.6.vir.exe	pandabanker_2.2.6.vir.exe
PID 1124 wrote to memory of 1312	1124	pandabanker_2.2.6.vir.exe	pandabanker_2.2.6.vir.exe
PID 1124 wrote to memory of 1312	1124	pandabanker_2.2.6.vir.exe	pandabanker_2.2.6.vir.exe
PID 1124 wrote to memory of 1312	1124	pandabanker_2.2.6.vir.exe	pandabanker_2.2.6.vir.exe
PID 1124 wrote to memory of 1312	1124	pandabanker_2.2.6.vir.exe	pandabanker_2.2.6.vir.exe
PID 1312 wrote to memory of 1428	1312	pandabanker_2.2.6.vir.exe	sessionstore.exe
PID 1312 wrote to memory of 1428	1312	pandabanker_2.2.6.vir.exe	sessionstore.exe
PID 1312 wrote to memory of 1428	1312	pandabanker_2.2.6.vir.exe	sessionstore.exe
PID 1312 wrote to memory of 1428	1312	pandabanker_2.2.6.vir.exe	sessionstore.exe
PID 1428 wrote to memory of 1588	1428	sessionstore.exe	sessionstore.exe
PID 1428 wrote to memory of 1588	1428	sessionstore.exe	sessionstore.exe
PID 1428 wrote to memory of 1588	1428	sessionstore.exe	sessionstore.exe
PID 1428 wrote to memory of 1588	1428	sessionstore.exe	sessionstore.exe
PID 1428 wrote to memory of 1588	1428	sessionstore.exe	sessionstore.exe
PID 1428 wrote to memory of 1588	1428	sessionstore.exe	sessionstore.exe
PID 1428 wrote to memory of 1588	1428	sessionstore.exe	sessionstore.exe
PID 1428 wrote to memory of 1588	1428	sessionstore.exe	sessionstore.exe
PID 1428 wrote to memory of 1588	1428	sessionstore.exe	sessionstore.exe
PID 1428 wrote to memory of 1588	1428	sessionstore.exe	sessionstore.exe
PID 1588 wrote to memory of 1516	1588	sessionstore.exe	svchost.exe
PID 1588 wrote to memory of 1516	1588	sessionstore.exe	svchost.exe
PID 1588 wrote to memory of 1516	1588	sessionstore.exe	svchost.exe
PID 1588 wrote to memory of 1516	1588	sessionstore.exe	svchost.exe
PID 1588 wrote to memory of 1516	1588	sessionstore.exe	svchost.exe
PID 1588 wrote to memory of 1516	1588	sessionstore.exe	svchost.exe
PID 1588 wrote to memory of 1516	1588	sessionstore.exe	svchost.exe
PID 1588 wrote to memory of 1516	1588	sessionstore.exe	svchost.exe
PID 1312 wrote to memory of 1036	1312	pandabanker_2.2.6.vir.exe	cmd.exe
PID 1312 wrote to memory of 1036	1312	pandabanker_2.2.6.vir.exe	cmd.exe
PID 1312 wrote to memory of 1036	1312	pandabanker_2.2.6.vir.exe	cmd.exe
PID 1312 wrote to memory of 1036	1312	pandabanker_2.2.6.vir.exe	cmd.exe
PID 1588 wrote to memory of 1816	1588	sessionstore.exe	svchost.exe
PID 1588 wrote to memory of 1816	1588	sessionstore.exe	svchost.exe
PID 1588 wrote to memory of 1816	1588	sessionstore.exe	svchost.exe
PID 1588 wrote to memory of 1816	1588	sessionstore.exe	svchost.exe
PID 1588 wrote to memory of 1816	1588	sessionstore.exe	svchost.exe
PID 1588 wrote to memory of 1816	1588	sessionstore.exe	svchost.exe
PID 1588 wrote to memory of 1816	1588	sessionstore.exe	svchost.exe
PID 1588 wrote to memory of 1816	1588	sessionstore.exe	svchost.exe

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\40CEF3046C916ED7AE557F60E76842828B51DE53	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\40CEF3046C916ED7AE557F60E76842828B51DE53\Blob = 03000000010000001400000040cef3046c916ed7ae557f60e76842828b51de5314000000010000001400000017d9d6252767f931c24943d93036448c6ca94feb040000000100000010000000886ea78b530e0fd5bda4e12527ab6a2c0f00000001000000300000005d2164164eb6f3820b9b8d7a5601b60ebf70d832d2029c6c3c966db107dfcb1ba12a25700f26ca3d5b36e4a6cb576cfa19000000010000001000000092a08f142bb795a2197a0d3c7af066f5180000000100000010000000ea6089055218053dd01e37e1d806eedf4b0000000100000044000000300037004300450046003200460036003500340045003300450044003600300035003000460046004300390042003600450042003800340034003200350030005f00000020000000010000001d0600003082061930820401a0030201020210137d539caa7c31a9a433701968847a8d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a308195310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313d303b060355040313345365637469676f20525341204f7267616e697a6174696f6e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a02820101009c930246454a524892fc578df92dea53beb32cd5d8a8a5ec5b6903c01d10f65933defe0748a8e88c7a674af1f58dc33766d03291f7c49d0460c4b54ae2838ba7ae26d45d3a5ef8d11671bb8abd71a27dc8cea26024b052a03a4551de78936c6260f1e4569cb73bf73c55d8dfd57a317c357f125170e12cbe04accbfa4fe17c656ac040a7d97ca5638419e1f7caefaab4e8585ad999e326df8e12b2b8dc33b236da141d965842406e0b22851c5122aec4c806456d92e667b71923e4d8366b85d07fc752e3cfb07501e089b4a8bf8a364ea3e06ceb8441cea52f482213975062451e09a5cc9f6c57704006db20e81bd6f3938ba7329eb7441509d7affd7c011cdb0203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e0416041417d9d6252767f931c24943d93036448c6ca94feb300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020230500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c050003820201004e134096c9c3e66e5bc0e3baf417e1ae091fc9bfcb0c2516f27353b3761ab7ab4806d6cd007c204543456c165a1b1361d749baa402a4ace8cece2dc92a74a3dcdeaeabd06836f891af3c01f777d50bcf97abeb87e715a8fa305a617120b1c043c4b98f6d8a31eb153624fb62d50b9c8fe966bde661519793b61d87bdb0b56cfea6112906613431303d20277351d0de8583d37739204696daa7c65a162785b2cf4e0f4e8c5cbebe3800f84bf9727bd4f27ad7a22985d004bad3422c5188522ed13d246747ec55cc1bf4ca34ea26c1deddc42189f6ba7b321e8e965e844538cf80aa37698b6017741548919c6df04ea377ca1b1c48faf9cf49e85f4f850ae28f901bab704c9aebb7a63fb4ac5da45fcfe6d88a9690f74f268160765d0f247791b32a319f165ab25d8c1c29aa489c8e6fd3784070db77ecdde3d15705702de64998880584620570567686394ed3226f1dfe6df10eb362c43ccbc085b9611ebae1158059940cae05bb8c7f56be1cd25abf97f26a4cb0c67076b0908dc10b36b911d8d6285cea4ffe24b7180a9b0cd0c17c5cfb69bdcca24dc690bca64df2b1bad69a675b960252d082f9c40a5c0d28e03fc8fa959589d5a4be496c40b23ea86bb8d525b2c4fef1d3d7e7d6dc43017630fb3b8b5df74a897c9a35befccaf05701f08d3fa087327b475a974b82d266c2c42dea3f24f4a7f9a8b9e36ad91861a03b8c15	svchost.exe

C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.6.vir.exe
"C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.6.vir.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.6.vir.exe
"C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.6.vir.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe
"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe"
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe
"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
5⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Modifies system certificate store
PID:1516

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
5⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\updc89f72e2.bat"
3⤵
- Deletes itself
PID:1036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

4

T1497

Install Root Certificate

1

T1130

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

5

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\updc89f72e2.bat

Download Submit
C:\Users\Admin\AppData\Roaming\AUTHORS

Download Submit
C:\Users\Admin\AppData\Roaming\Bogey.a

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe

Download Submit
C:\Users\Admin\AppData\Roaming\NsRandom.dll

Download Submit
C:\Users\Admin\AppData\Roaming\SplitOdor.XSr

Download Submit
C:\Users\Admin\AppData\Roaming\filezilla.mo

Download Submit
C:\Users\Admin\AppData\Roaming\reconnect.png

Download Submit
C:\Users\Admin\AppData\Roaming\toolbar.xml

Download Submit
\Users\Admin\AppData\Local\Temp\nsk44BD.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsvA2E.tmp\System.dll

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sessionstore.exe

Download Submit
\Users\Admin\AppData\Roaming\NsRandom.dll

Download Submit
\Users\Admin\AppData\Roaming\NsRandom.dll

Download Submit
memory/1036-23-0x0000000000000000-mapping.dmp

Download
memory/1312-4-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1312-3-0x000000000040C65A-mapping.dmp

Download
memory/1312-2-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1428-6-0x0000000000000000-mapping.dmp

Download
memory/1516-22-0x0000000000000000-mapping.dmp

Download
memory/1588-19-0x000000000040C65A-mapping.dmp

Download
memory/1816-25-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads