Analysis
  max time kernel: 149s
  max time network: 118s
  platform: windows10_x64
  resource: win10
  submitted: 19-07-2020 19:35

Static task: static1
Behavioral task: behavioral1
  Sample: pandabanker_2.2.10.vir.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: pandabanker_2.2.10.vir.exe
  Resource: win10

General
  Target: pandabanker_2.2.10.vir.exe
  Size: 222KB
  MD5: 9a9734e363a41dcacff3cba04c8d9512
  SHA1: 6a7a319ae1472ef36a73bf3088706ed6acceff76
  SHA256: 0d61cc62923f2df6a74fd877cc41c5a4df61355a3ded608bab7b9dde0fb98f41
  SHA512: 7490d2204b4a879e60d63ec7e633a0bca10a309898df67c13dac7f6da9e47f4d41adcb9865895ddd50803a735281f1b0c0bd8a7ca8f2a325f2e6d45655664f82
Malware Config
Signatures
Suspicious use of WriteProcessMemory (38 IoCs)
Processes: pandabanker_2.2.10.vir.exe, 3647222921wleabcEoxlt-eengsairo.exe
  description                        pid   process                              target process                       rows
  PID 3920 wrote to memory of 3008   3920  pandabanker_2.2.10.vir.exe           pandabanker_2.2.10.vir.exe           9
  PID 3008 wrote to memory of 2888   3008  pandabanker_2.2.10.vir.exe           3647222921wleabcEoxlt-eengsairo.exe  3
  PID 2888 wrote to memory of 3852   2888  3647222921wleabcEoxlt-eengsairo.exe  3647222921wleabcEoxlt-eengsairo.exe  9
  PID 3008 wrote to memory of 2568   3008  pandabanker_2.2.10.vir.exe           cmd.exe                              3
  PID 3852 wrote to memory of 3360   3852  3647222921wleabcEoxlt-eengsairo.exe  svchost.exe                          7
  PID 3852 wrote to memory of 732    3852  3647222921wleabcEoxlt-eengsairo.exe  svchost.exe                          7
  (the report prints one row per WriteProcessMemory call; identical rows are collapsed here with their count, 38 in total)
Suspicious behavior: EnumeratesProcesses (314 IoCs)
Processes: pandabanker_2.2.10.vir.exe, svchost.exe
  pid   process
  3008  pandabanker_2.2.10.vir.exe   (row repeated, one per enumeration)
  3360  svchost.exe                  (row repeated, one per enumeration)
Executes dropped EXE (2 IoCs)
Processes: 3647222921wleabcEoxlt-eengsairo.exe
  pid   process
  2888  3647222921wleabcEoxlt-eengsairo.exe
  3852  3647222921wleabcEoxlt-eengsairo.exe
Looks for VMWare Tools registry key (2 TTPs)

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: pandabanker_2.2.10.vir.exe, 3647222921wleabcEoxlt-eengsairo.exe
  pid   process
  3920  pandabanker_2.2.10.vir.exe
  2888  3647222921wleabcEoxlt-eengsairo.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: pandabanker_2.2.10.vir.exe, 3647222921wleabcEoxlt-eengsairo.exe
  description                           pid   process                              target process
  PID 3920 set thread context of 3008   3920  pandabanker_2.2.10.vir.exe           pandabanker_2.2.10.vir.exe
  PID 2888 set thread context of 3852   2888  3647222921wleabcEoxlt-eengsairo.exe  3647222921wleabcEoxlt-eengsairo.exe
In both rows the target is a second instance of the caller's own image that the same caller had already written into (see the WriteProcessMemory table), which is the call sequence of process hollowing: start a copy of a benign image suspended, overwrite its memory, point its main thread at the new code, resume.
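Read together, the WriteProcessMemory and SetThreadContext tables describe a two-stage chain: each stage writes into a fresh copy of its own image and resets that copy's thread context, and the second-stage payload then writes into two svchost.exe instances. The script below is an added example, not part of this report or of the sandbox that produced it. It parses rows in the report's column order (the trailing "xN" is a constructed shorthand for the N identical rows the report prints, one per call), flags the write-plus-SetThreadContext pattern against a same-image child, flags writes from a non-system image into a system image, and prints the injection chain. The set of system images to watch is an assumption.

```python
import re
from collections import Counter, defaultdict
from typing import List, NamedTuple

# Rows in the column order of the report's tables (description, pid, process,
# target process). "xN" is a constructed shorthand for the N identical rows the
# report prints, one per API call; the counts add up to the report's 38 IoCs.
REPORT_ROWS = """
PID 3920 wrote to memory of 3008 3920 pandabanker_2.2.10.vir.exe pandabanker_2.2.10.vir.exe x9
PID 3008 wrote to memory of 2888 3008 pandabanker_2.2.10.vir.exe 3647222921wleabcEoxlt-eengsairo.exe x3
PID 2888 wrote to memory of 3852 2888 3647222921wleabcEoxlt-eengsairo.exe 3647222921wleabcEoxlt-eengsairo.exe x9
PID 3008 wrote to memory of 2568 3008 pandabanker_2.2.10.vir.exe cmd.exe x3
PID 3852 wrote to memory of 3360 3852 3647222921wleabcEoxlt-eengsairo.exe svchost.exe x7
PID 3852 wrote to memory of 732 3852 3647222921wleabcEoxlt-eengsairo.exe svchost.exe x7
PID 3920 set thread context of 3008 3920 pandabanker_2.2.10.vir.exe pandabanker_2.2.10.vir.exe
PID 2888 set thread context of 3852 2888 3647222921wleabcEoxlt-eengsairo.exe 3647222921wleabcEoxlt-eengsairo.exe
"""

# Assumption: trusted Windows images a banker typically injects into.
SYSTEM_IMAGES = {"svchost.exe", "explorer.exe", "rundll32.exe"}

ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) "
    r"\d+ (\S+) (\S+)(?: x(\d+))?$"
)


class Edge(NamedTuple):
    parent: int
    child: int
    parent_image: str
    child_image: str
    action: str  # "write" (WriteProcessMemory) or "setctx" (SetThreadContext)


def parse_rows(text: str) -> List[Edge]:
    """Turn report rows into one Edge per API call."""
    edges = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        parent, verb, child, pimg, cimg, reps = m.groups()
        action = "write" if verb.startswith("wrote") else "setctx"
        edges += [Edge(int(parent), int(child), pimg, cimg, action)] * int(reps or 1)
    return edges


def analyse(edges: List[Edge]) -> dict:
    """Flag hollowing (write + SetThreadContext into a same-image child) and
    writes from a non-system image into a system image."""
    image_of = {}
    for e in edges:
        image_of[e.parent] = e.parent_image.lower()
        image_of[e.child] = e.child_image.lower()
    writes = Counter((e.parent, e.child) for e in edges if e.action == "write")
    setctx = {(e.parent, e.child) for e in edges if e.action == "setctx"}
    hollowing = sorted(
        pair for pair in setctx
        if pair in writes and image_of[pair[0]] == image_of[pair[1]]
    )
    system_targets = sorted({
        child for parent, child in writes
        if image_of[child] in SYSTEM_IMAGES and image_of[parent] not in SYSTEM_IMAGES
    })
    return {
        "write_calls": sum(writes.values()),
        "hollowing_pairs": hollowing,
        "system_injection_targets": system_targets,
    }


def render_chain(edges: List[Edge], root: int) -> str:
    """Indented tree of which pid wrote into which, starting at root."""
    children = defaultdict(set)
    image_of = {}
    for e in edges:
        if e.action == "write":
            children[e.parent].add(e.child)
        image_of[e.parent] = e.parent_image
        image_of[e.child] = e.child_image
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} {image_of[pid]}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_rows(REPORT_ROWS)
    print(analyse(edges))
    print(render_chain(edges, 3920))
```

The same API pair also shows up in legitimate debuggers and in packers that resume a suspended child without replacing its image, so treat the flag as a triage lead and confirm it against the memory dumps: the report dumped the 0x400000-0x423000 image region of PID 3008 and a mapping at 0x40C7AE from both hollowed children, which is where the written-in code would be.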
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: pandabanker_2.2.10.vir.exe
  description                  pid   process
  Token: SeSecurityPrivilege   3008  pandabanker_2.2.10.vir.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: pandabanker_2.2.10.vir.exe
  description   ioc                                                                           process
  Key opened    \REGISTRY\MACHINE\Software\WOW6432Node\WINE                                   pandabanker_2.2.10.vir.exe
  Key opened    \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE   pandabanker_2.2.10.vir.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svchost.exe
  description       ioc                                                                                                                     process
  Key created       \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run              svchost.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\3647222921wleabcEoxlt-eengsairo.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\3647222921wleabcEoxlt-eengsairo.exe"   svchost.exe
The persistence entry is written by the injected svchost.exe rather than by the dropper, lives in the user hive (no elevation needed), and points at the dropped copy under a directory named to resemble Adobe Acrobat's profile data.
Looks for VirtualBox Guest Additions in registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes: pandabanker_2.2.10.vir.exe
  description         ioc                                                              process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  pandabanker_2.2.10.vir.exe
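The report flags five anti-analysis registry probes (Wine, VMware Tools, VirtualBox Guest Additions, VirtualBox ACPI tables, BIOS strings) but prints key paths only for the Wine and BIOS checks. The script below is an added example, not part of this report or of the sandbox that produced it. It normalises the NT-native paths the sandbox prints (\REGISTRY\MACHINE, the per-SID \REGISTRY\USER hive, the WOW6432Node redirection) and maps each access onto an evasion category, so the same rule fires whether a 32-bit or 64-bit sample did the lookup. The VMware and VirtualBox key paths are well-known locations assumed here, and the event list is constructed from the report's rows plus those assumed paths.

```python
import re

# Constructed events in the (process, operation, key) shape of the report's IoC
# rows. The first three are keys the report prints; the VMware/VirtualBox rows
# use well-known paths assumed here because the report flags those TTPs without
# printing them; the last row is a control that must not count as evasion.
EVENTS = [
    ("pandabanker_2.2.10.vir.exe", "Key opened",
     r"\REGISTRY\MACHINE\Software\WOW6432Node\WINE"),
    ("pandabanker_2.2.10.vir.exe", "Key opened",
     r"\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE"),
    ("pandabanker_2.2.10.vir.exe", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("pandabanker_2.2.10.vir.exe", "Key opened",
     r"\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools"),          # assumed path
    ("pandabanker_2.2.10.vir.exe", "Key opened",
     r"\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions"),  # assumed path
    ("pandabanker_2.2.10.vir.exe", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),                   # assumed path
    ("svchost.exe", "Key created",
     r"\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000"
     r"\Software\Microsoft\Windows\CurrentVersion\Run"),
]

_USER_SID = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", re.I)
_MACHINE = re.compile(r"^\\REGISTRY\\MACHINE\\", re.I)
_WOW64 = re.compile(r"\\WOW6432Node\\", re.I)


def normalise(path: str) -> str:
    """Map NT-native paths (as the sandbox prints them) onto HKLM/HKCU and drop
    the WOW6432Node redirection so 32-bit and 64-bit accesses compare equal."""
    p = _USER_SID.sub(r"HKCU\\", path)
    p = _MACHINE.sub(r"HKLM\\", p)
    p = _WOW64.sub(r"\\", p)
    return p.lower()


# (category, regex over the normalised, lower-cased path)
RULES = [
    ("wine", r"^hk(lm|cu)\\software\\wine$"),
    ("vmware", r"^hklm\\software\\vmware, inc\.\\vmware tools"),
    ("virtualbox", r"^hklm\\software\\oracle\\virtualbox guest additions"),
    ("virtualbox", r"^hklm\\hardware\\acpi\\(dsdt|fadt|rsdt)\\vbox__"),
    ("bios", r"^hklm\\hardware\\description\\system\\"
             r"(systembiosversion|systembiosdate|videobiosversion)$"),
]
_COMPILED = [(cat, re.compile(rx)) for cat, rx in RULES]


def classify(path: str):
    """Return the evasion category a registry path belongs to, or None."""
    p = normalise(path)
    for cat, rx in _COMPILED:
        if rx.search(p):
            return cat
    return None


def evasion_summary(events):
    """{category: sorted list of processes that touched a key in that category}."""
    hits = {}
    for proc, _op, path in events:
        cat = classify(path)
        if cat:
            hits.setdefault(cat, set()).add(proc)
    return {cat: sorted(procs) for cat, procs in hits.items()}


if __name__ == "__main__":
    for cat, procs in sorted(evasion_summary(EVENTS).items()):
        print(f"{cat:<11} {', '.join(procs)}")
```

These probes are cheap for a sample to make and prove nothing by themselves; what matters is whether execution diverges afterwards. In this run the sample went on to drop its payload and hollow two processes after the checks, so the win10 environment passed them.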
Processes
(nesting level as in the report's tree; PIDs are taken from the signature tables above)

1. C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.10.vir.exe  (PID 3920)
   cmdline: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.10.vir.exe"
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of SetThreadContext
   2. C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.10.vir.exe  (PID 3008, second instance of the same image; target of 3920's WriteProcessMemory and SetThreadContext)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.10.vir.exe"
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Identifies Wine through registry keys
      - Checks BIOS information in registry
      3. C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\3647222921wleabcEoxlt-eengsairo.exe  (PID 2888)
         cmdline: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\3647222921wleabcEoxlt-eengsairo.exe"
         - Suspicious use of WriteProcessMemory
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of SetThreadContext
         4. C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\3647222921wleabcEoxlt-eengsairo.exe  (PID 3852, second instance of the dropped image; target of 2888's WriteProcessMemory and SetThreadContext)
            cmdline: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\3647222921wleabcEoxlt-eengsairo.exe"
            - Suspicious use of WriteProcessMemory
            - Executes dropped EXE
            5. C:\Windows\SysWOW64\svchost.exe  (PID 3360)
               cmdline: C:\Windows\SysWOW64\svchost.exe -k netsvcs
               - Suspicious behavior: EnumeratesProcesses
               - Adds Run key to start application
            5. C:\Windows\SysWOW64\svchost.exe  (PID 732)
               cmdline: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      3. C:\Windows\SysWOW64\cmd.exe  (PID 2568)
         cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd99246bb5.bat"

Both svchost.exe instances are started by the dropped executable, not by services.exe, so they are not real service hosts but 32-bit (SysWOW64) decoys that receive injected code; the "-k netsvcs" argument only makes them look like the genuine ones in a process list.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files
  - C:\Users\Admin\AppData\Local\Temp\upd99246bb5.bat
  - C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\3647222921wleabcEoxlt-eengsairo.exe  (listed three times in the report)
Memory dumps
  - memory/732-16-0x0000000000000000-mapping.dmp
  - memory/2568-14-0x0000000000000000-mapping.dmp
  - memory/2888-5-0x0000000000000000-mapping.dmp
  - memory/3008-2-0x0000000000400000-0x0000000000423000-memory.dmp  (140KB)
  - memory/3008-3-0x000000000040C7AE-mapping.dmp
  - memory/3008-4-0x0000000000400000-0x0000000000423000-memory.dmp  (140KB)
  - memory/3360-15-0x0000000000000000-mapping.dmp
  - memory/3852-11-0x000000000040C7AE-mapping.dmp

The two hollowed children (PIDs 3008 and 3852) each have a mapping dump at 0x40C7AE, the same address inside the 0x400000-0x423000 image region dumped from 3008, consistent with the same payload being written into both; those dumps are the place to start static analysis of the unpacked code.