Analysis
max time kernel: 150s
max time network: 136s
platform: windows7_x64
resource: win7
submitted: 19-07-2020 19:37
Static task: static1
Behavioral task: behavioral1 (sample: pandabanker_2.5.7.vir.exe, resource: win7)
Behavioral task: behavioral2 (sample: pandabanker_2.5.7.vir.exe, resource: win10v200430)
General
Target: pandabanker_2.5.7.vir.exe
Size: 172KB
MD5: 49513443ccc5845927cd66204f5f4e11
SHA1: 8575b9c2c4c531d4f16d0671fcb7df424241e188
SHA256: db09e6f69ea651370d796ee2fd4a78d9a11cd82faea3f8d5ef007c04065b1e25
SHA512: e389f720fdbcc98ce514b63172d2373450eecf07c697a9445c20eeb6704e30d0639dcf1a79b9122396de022d7f9f81ff9dbcae1af842dbddb271833c310ccf68
Malware Config
Signatures

Suspicious behavior: EnumeratesProcesses (38 IoCs)
Processes (pid, process, entries):
  1312  pandabanker_2.5.7.vir.exe  10
  1800  svchost.exe  28
Suspicious use of AdjustPrivilegeToken (26 IoCs)
Processes (description, pid, process, entries):
  Token: SeSecurityPrivilege  1312  pandabanker_2.5.7.vir.exe  1
  Token: SeSecurityPrivilege  1412  2823318777ntouromlalnodry--naod.exe  2
  Token: SeSecurityPrivilege  1800  svchost.exe  22
  Token: SeSecurityPrivilege  1564  svchost.exe  1
Loads dropped DLL (2 IoCs)
Processes (pid, process, entries):
  1312  pandabanker_2.5.7.vir.exe  2
Executes dropped EXE (1 IoCs)
Processes (pid, process, entries):
  1412  2823318777ntouromlalnodry--naod.exe  1
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description, ioc, process):
  Key opened  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE  pandabanker_2.5.7.vir.exe
  Key opened  \REGISTRY\MACHINE\Software\Wow6432Node\WINE  pandabanker_2.5.7.vir.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes (description, pid, process, target process, entries):
  PID 1312 wrote to memory of 1412  1312  pandabanker_2.5.7.vir.exe  2823318777ntouromlalnodry--naod.exe  4
  PID 1312 wrote to memory of 1064  1312  pandabanker_2.5.7.vir.exe  cmd.exe  4
  PID 1412 wrote to memory of 1800  1412  2823318777ntouromlalnodry--naod.exe  svchost.exe  8
  PID 1412 wrote to memory of 1564  1412  2823318777ntouromlalnodry--naod.exe  svchost.exe  8
Deletes itself (1 IoCs)
Processes (pid, process, entries):
  1064  cmd.exe  1
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
  Key created  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run  svchost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\2823318777ntouromlalnodry--naod.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\2823318777ntouromlalnodry--naod.exe\""  svchost.exe
Processes (tree, depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\pandabanker_2.5.7.vir.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.5.7.vir.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Loads dropped DLL
  - Identifies Wine through registry keys
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\2823318777ntouromlalnodry--naod.exe
    command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\2823318777ntouromlalnodry--naod.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Adds Run key to start application

    C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd784f0961.bat"
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd784f0961.bat
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\2823318777ntouromlalnodry--naod.exe
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Desktop.ria
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\2823318777ntouromlalnodry--naod.exe
- memory/1064-5-0x0000000000000000-mapping.dmp
- memory/1412-2-0x0000000000000000-mapping.dmp
- memory/1564-9-0x0000000000000000-mapping.dmp
- memory/1800-7-0x0000000000000000-mapping.dmp