Analysis
- max time kernel: 151s
- max time network: 44s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:34
Static task: static1
Behavioral task: behavioral1
  Sample: pandabanker_2.5.5.vir.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: pandabanker_2.5.5.vir.exe
  Resource: win10
General
- Target: pandabanker_2.5.5.vir.exe
- Size: 248KB
- MD5: 938fa3c6548d0aed1a89287965159d9d
- SHA1: 24733ff1f3bfa1f3a33b13feac300b77bcebe808
- SHA256: c3be55a58b2afa08ba8520d981c50ab773113da36b139985ad16e5fab39ac145
- SHA512: dc0abd08f51f9eedd1187a261590d8dfcfa38cd6724bfd42f9a03719f3fe0c8b4b42263518df915297404db6d30c49fe1c32a4133eedd29ba8417afb8787d271
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    - pid 1292  3870112724rsegmnoittet-es.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    - Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run (process: svchost.exe)
    - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\3870112724rsegmnoittet-es.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\3870112724rsegmnoittet-es.exe\"" (process: svchost.exe)
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Processes (description / pid / process, with number of occurrences in parentheses):
    - Token: SeShutdownPrivilege  pid 880   pandabanker_2.5.5.vir.exe      (1)
    - Token: SeSecurityPrivilege  pid 880   pandabanker_2.5.5.vir.exe      (1)
    - Token: SeShutdownPrivilege  pid 1292  3870112724rsegmnoittet-es.exe  (1)
    - Token: SeSecurityPrivilege  pid 1292  3870112724rsegmnoittet-es.exe  (5)
    - Token: SeSecurityPrivilege  pid 428   svchost.exe                    (23)
    - Token: SeSecurityPrivilege  pid 1428  svchost.exe                    (1)
- Loads dropped DLL (1 IoC)
  Processes:
    - pid 880  pandabanker_2.5.5.vir.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description / pid / process -> target process, with number of occurrences in parentheses):
    - PID 880 wrote to memory of 1292   pandabanker_2.5.5.vir.exe      -> 3870112724rsegmnoittet-es.exe  (4)
    - PID 880 wrote to memory of 1016   pandabanker_2.5.5.vir.exe      -> cmd.exe                        (4)
    - PID 1292 wrote to memory of 428   3870112724rsegmnoittet-es.exe  -> svchost.exe                    (8)
    - PID 1292 wrote to memory of 1428  3870112724rsegmnoittet-es.exe  -> svchost.exe                    (8)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (102 IoCs)
  Processes (pid / process; each entry is repeated many times in the report):
    - pid 880   pandabanker_2.5.5.vir.exe
    - pid 1292  3870112724rsegmnoittet-es.exe
    - pid 428   svchost.exe
- Deletes itself (1 IoC)
  Processes:
    - pid 1016  cmd.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
    - Key opened: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\WINE (process: pandabanker_2.5.5.vir.exe)
    - Key opened: \REGISTRY\MACHINE\Software\Wow6432Node\WINE (process: pandabanker_2.5.5.vir.exe)
Processes (process tree; the number is the nesting depth)
1  C:\Users\Admin\AppData\Local\Temp\pandabanker_2.5.5.vir.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.5.5.vir.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: EnumeratesProcesses
   - Identifies Wine through registry keys
   2  C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\3870112724rsegmnoittet-es.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\3870112724rsegmnoittet-es.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      3  C:\Windows\SysWOW64\svchost.exe
         Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious behavior: EnumeratesProcesses
      3  C:\Windows\SysWOW64\svchost.exe
         Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
         - Suspicious use of AdjustPrivilegeToken
   2  C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\updd15af81e.bat"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\updd15af81e.bat
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\3870112724rsegmnoittet-es.exe
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\3870112724rsegmnoittet-es.exe
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\WatchConfirm.sae
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\WatchConfirm.sae
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\WatchConfirm.sae
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\3870112724rsegmnoittet-es.exe
- memory/428-16-0x0000000000000000-mapping.dmp
- memory/880-0-0x0000000002240000-0x0000000002251000-memory.dmp (Filesize: 68KB)
- memory/880-1-0x0000000002240000-0x0000000002251000-memory.dmp (Filesize: 68KB)
- memory/1016-14-0x0000000000000000-mapping.dmp
- memory/1292-3-0x0000000000000000-mapping.dmp
- memory/1292-5-0x0000000002330000-0x0000000002341000-memory.dmp (Filesize: 68KB)
- memory/1292-8-0x0000000002330000-0x0000000002341000-memory.dmp (Filesize: 68KB)
- memory/1428-18-0x0000000000000000-mapping.dmp