Analysis
- max time kernel: 149s
- max time network: 137s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 19:37
Static task: static1
Behavioral task: behavioral1
- Sample: pandabanker_2.5.7.vir.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: pandabanker_2.5.7.vir.exe
- Resource: win10v200430
General
- Target: pandabanker_2.5.7.vir.exe
- Size: 172KB
- MD5: 49513443ccc5845927cd66204f5f4e11
- SHA1: 8575b9c2c4c531d4f16d0671fcb7df424241e188
- SHA256: db09e6f69ea651370d796ee2fd4a78d9a11cd82faea3f8d5ef007c04065b1e25
- SHA512: e389f720fdbcc98ce514b63172d2373450eecf07c697a9445c20eeb6704e30d0639dcf1a79b9122396de022d7f9f81ff9dbcae1af842dbddb271833c310ccf68
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    2900  PushRevoke.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\WINE  pandabanker_2.5.7.vir.exe
    Key opened  \REGISTRY\MACHINE\Software\WOW6432Node\WINE  pandabanker_2.5.7.vir.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\Currentversion\Run  svchost.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\PushRevoke.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\PushRevoke.exe"  svchost.exe
- Suspicious behavior: EnumeratesProcesses (44 IoCs)
  Processes (pid, process, occurrences):
    1820  pandabanker_2.5.7.vir.exe  x20
    3752  svchost.exe  x24
- Suspicious use of AdjustPrivilegeToken (26 IoCs)
  Processes (description, pid, process, occurrences):
    Token: SeSecurityPrivilege  1820  pandabanker_2.5.7.vir.exe  x1
    Token: SeSecurityPrivilege  2900  PushRevoke.exe  x2
    Token: SeSecurityPrivilege  3752  svchost.exe  x22
    Token: SeSecurityPrivilege  1560  svchost.exe  x1
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description, pid, process, target process, occurrences):
    PID 1820 wrote to memory of 2900  1820  pandabanker_2.5.7.vir.exe  PushRevoke.exe  x3
    PID 1820 wrote to memory of 2528  1820  pandabanker_2.5.7.vir.exe  cmd.exe  x3
    PID 2900 wrote to memory of 3752  2900  PushRevoke.exe  svchost.exe  x7
    PID 2900 wrote to memory of 1560  2900  PushRevoke.exe  svchost.exe  x7
Processes
- C:\Users\Admin\AppData\Local\Temp\pandabanker_2.5.7.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.5.7.vir.exe"
  - Identifies Wine through registry keys
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\PushRevoke.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\PushRevoke.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd6c856ea1.bat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd6c856ea1.bat
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\PushRevoke.exe
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\TestUnprotect.hut
- memory/1560-7-0x0000000000000000-mapping.dmp
- memory/2528-3-0x0000000000000000-mapping.dmp
- memory/2900-0-0x0000000000000000-mapping.dmp
- memory/3752-5-0x0000000000000000-mapping.dmp