Analysis
max time kernel: 150s
max time network: 51s
platform: windows7_x64
resource: win7v200430
submitted: 19-07-2020 19:46
Static task: static1
Behavioral task: behavioral1
  Sample: pandabanker_2.2.5.vir.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: pandabanker_2.2.5.vir.exe
  Resource: win10v200430
General
Target: pandabanker_2.2.5.vir.exe
Size: 229KB
MD5: b6d68b57d6d3278a52c6235d8b35ffcb
SHA1: 4885954a21da7830c78186d2c719d51bc3625508
SHA256: 8b698af43c10c0509d15d39d688674f9885295a4679a4f6afffcf1714322c7a7
SHA512: 591b35e94e0c91cbba357b1fc3b5b759d9aa59b87a6f119cd88a5026b13eea4035b3d0694e88e70ef36705eba3a9f5e7073d1ffe4c9eaf3f03670cd0351dbcab
Malware Config
Signatures
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes: pandabanker_2.2.5.vir.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | pandabanker_2.2.5.vir.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Looks for VirtualBox Guest Additions in registry (2 TTPs)
Suspicious use of WriteProcessMemory (44 IoCs)
Processes: pandabanker_2.2.5.vir.exe, pandabanker_2.2.5.vir.exe, PushRedo.exe, PushRedo.exe
description | pid | process | target pid | target process | occurrences
wrote to memory of | 1400 | pandabanker_2.2.5.vir.exe | 1796 | pandabanker_2.2.5.vir.exe | 10
wrote to memory of | 1796 | pandabanker_2.2.5.vir.exe | 1832 | PushRedo.exe | 4
wrote to memory of | 1832 | PushRedo.exe | 580 | PushRedo.exe | 10
wrote to memory of | 1796 | pandabanker_2.2.5.vir.exe | 1096 | cmd.exe | 4
wrote to memory of | 580 | PushRedo.exe | 1128 | svchost.exe | 8
wrote to memory of | 580 | PushRedo.exe | 1724 | svchost.exe | 8
(identical rows repeated in the original listing are collapsed; the occurrences column gives the repeat count)
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: pandabanker_2.2.5.vir.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\WINE | pandabanker_2.2.5.vir.exe
Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\WINE | pandabanker_2.2.5.vir.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\PushRedo.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\PushRedo.exe\"" | svchost.exe
Executes dropped EXE (2 IoCs)
Processes: PushRedo.exe, PushRedo.exe
pid | process
1832 | PushRedo.exe
580 | PushRedo.exe
Modifies system certificate store
Processes: pandabanker_2.2.5.vir.exe
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted] | pandabanker_2.2.5.vir.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | pandabanker_2.2.5.vir.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted] | pandabanker_2.2.5.vir.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted; the hex decodes to the DigiCert Assured ID Root CA certificate] | pandabanker_2.2.5.vir.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)
Suspicious use of SetThreadContext (2 IoCs)
Processes: pandabanker_2.2.5.vir.exe, PushRedo.exe
description | pid | process | target pid | target process
set thread context of | 1400 | pandabanker_2.2.5.vir.exe | 1796 | pandabanker_2.2.5.vir.exe
set thread context of | 1832 | PushRedo.exe | 580 | PushRedo.exe
Suspicious use of AdjustPrivilegeToken (71 IoCs)
Processes: pandabanker_2.2.5.vir.exe, PushRedo.exe, svchost.exe, svchost.exe
description | pid | process | occurrences
Token: SeSecurityPrivilege | 1796 | pandabanker_2.2.5.vir.exe | 5
Token: SeSecurityPrivilege | 580 | PushRedo.exe | 5
Token: SeSecurityPrivilege | 1724 | svchost.exe | 2
Token: SeSecurityPrivilege | 1128 | svchost.exe | all remaining rows
(identical rows repeated in the original listing are collapsed to one line each)
Suspicious behavior: EnumeratesProcesses (238 IoCs; only part of the list is shown in the report)
Processes: pandabanker_2.2.5.vir.exe, svchost.exe
pid | process | occurrences
1796 | pandabanker_2.2.5.vir.exe | 10
1128 | svchost.exe | all remaining rows
(identical rows repeated in the original listing are collapsed to one line each)
Loads dropped DLL (2 IoCs)
Processes: pandabanker_2.2.5.vir.exe
pid | process
1796 | pandabanker_2.2.5.vir.exe
1796 | pandabanker_2.2.5.vir.exe

Deletes itself (1 IoC)
Processes: cmd.exe
pid | process
1096 | cmd.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.5.vir.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.5.vir.exe"
    - Suspicious use of WriteProcessMemory
    - Modifies system certificate store
    - Suspicious use of SetThreadContext
    [2] C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.5.vir.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.5.vir.exe"
        - Checks BIOS information in registry
        - Suspicious use of WriteProcessMemory
        - Identifies Wine through registry keys
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses
        - Loads dropped DLL
        [3] C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\PushRedo.exe
            command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\PushRedo.exe"
            - Suspicious use of WriteProcessMemory
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            [4] C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\PushRedo.exe
                command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\PushRedo.exe"
                - Suspicious use of WriteProcessMemory
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\SysWOW64\svchost.exe
                    command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
                    - Adds Run key to start application
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious behavior: EnumeratesProcesses
                [5] C:\Windows\SysWOW64\svchost.exe
                    command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
                    - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd9068b2df.bat"
            - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd9068b2df.bat
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\PushRedo.exe
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\PushRedo.exe
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\PushRedo.exe
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\UninstallUse.owx
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\UninstallUse.owx
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\UninstallUse.owx
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\UninstallUse.tmp
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\PushRedo.exe
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\PushRedo.exe
- memory/580-7-0x0000000000400000-0x0000000000424000-memory.dmp (filesize 144KB)
- memory/580-8-0x000000000040C98E-mapping.dmp
- memory/580-10-0x0000000000400000-0x0000000000424000-memory.dmp (filesize 144KB)
- memory/1096-11-0x0000000000000000-mapping.dmp
- memory/1128-12-0x0000000000000000-mapping.dmp
- memory/1724-15-0x0000000000000000-mapping.dmp
- memory/1796-1-0x000000000040C98E-mapping.dmp
- memory/1832-4-0x0000000000000000-mapping.dmp