Analysis
- max time kernel: 148s
- max time network: 110s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 19:34

Static task: static1
Behavioral task: behavioral1
  Sample: pandabanker_2.5.5.vir.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: pandabanker_2.5.5.vir.exe
  Resource: win10
General
- Target: pandabanker_2.5.5.vir.exe
- Size: 248KB
- MD5: 938fa3c6548d0aed1a89287965159d9d
- SHA1: 24733ff1f3bfa1f3a33b13feac300b77bcebe808
- SHA256: c3be55a58b2afa08ba8520d981c50ab773113da36b139985ad16e5fab39ac145
- SHA512: dc0abd08f51f9eedd1187a261590d8dfcfa38cd6724bfd42f9a03719f3fe0c8b4b42263518df915297404db6d30c49fe1c32a4133eedd29ba8417afb8787d271
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description | pid | process | target process):
  PID 3680 wrote to memory of 3876 | 3680 | pandabanker_2.5.5.vir.exe | search.json.exe  (3 entries)
  PID 3680 wrote to memory of 1880 | 3680 | pandabanker_2.5.5.vir.exe | cmd.exe  (3 entries)
  PID 3876 wrote to memory of 1788 | 3876 | search.json.exe | svchost.exe  (7 entries)
  PID 3876 wrote to memory of 2200 | 3876 | search.json.exe | svchost.exe  (7 entries)
- Suspicious use of AdjustPrivilegeToken (30 IoCs)
  Processes (description | pid | process):
  Token: SeSecurityPrivilege | 3680 | pandabanker_2.5.5.vir.exe
  Token: SeSecurityPrivilege | 3876 | search.json.exe  (4 entries)
  Token: SeSecurityPrivilege | 1788 | svchost.exe  (17 entries)
  Token: SeSecurityPrivilege | 2200 | svchost.exe
  Token: SeSecurityPrivilege | 3876 | search.json.exe
  Token: SeSecurityPrivilege | 1788 | svchost.exe  (6 entries)
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  3876 | search.json.exe
- Program crash (4 IoCs)
  Processes (pid | pid_target | process | target process):
  2976 | 3680 | WerFault.exe | pandabanker_2.5.5.vir.exe
  1012 | 3876 | WerFault.exe | search.json.exe
  3120 | 3876 | WerFault.exe | search.json.exe
  3788 | 3876 | WerFault.exe | search.json.exe
- Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | search.json.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | search.json.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | pandabanker_2.5.5.vir.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | pandabanker_2.5.5.vir.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | pandabanker_2.5.5.vir.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | pandabanker_2.5.5.vir.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | search.json.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | search.json.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE | pandabanker_2.5.5.vir.exe
  Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\WINE | pandabanker_2.5.5.vir.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\search.json.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\search.json.exe" | svchost.exe
- Suspicious behavior: EnumeratesProcesses (108 IoCs)
  Processes (pid | process):
  3680 | pandabanker_2.5.5.vir.exe  (22 entries)
  3876 | search.json.exe  (2 entries)
  1788 | svchost.exe  (40 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\pandabanker_2.5.5.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.5.5.vir.exe"
  Signatures: Suspicious use of WriteProcessMemory; Suspicious use of AdjustPrivilegeToken; Checks SCSI registry key(s); Identifies Wine through registry keys; Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\search.json.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\search.json.exe"
    Signatures: Suspicious use of WriteProcessMemory; Suspicious use of AdjustPrivilegeToken; Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 848
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 852
      Signatures: Program crash
    - C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      Signatures: Suspicious use of AdjustPrivilegeToken; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 240
      Signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd76b9a9a7.bat"
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 248
    Signatures: Program crash
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k networkservice -s TapiSrv
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd76b9a9a7.bat
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\search.json.exe  (listed twice)
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\user.mea  (listed 4 times)
- memory/1788-7-0x0000000000000000-mapping.dmp
- memory/1880-5-0x0000000000000000-mapping.dmp
- memory/2200-9-0x0000000000000000-mapping.dmp
- memory/3680-0-0x0000000002650000-0x0000000002651000-memory.dmp  (Filesize: 4KB)
- memory/3876-3-0x0000000002360000-0x0000000002361000-memory.dmp  (Filesize: 4KB)
- memory/3876-1-0x0000000000000000-mapping.dmp