Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:42
Static task: static1
Behavioral task: behavioral1 (Sample: pandabanker_2.4.1.vir.exe; Resource: win7)
Behavioral task: behavioral2 (Sample: pandabanker_2.4.1.vir.exe; Resource: win10)
General
- Target: pandabanker_2.4.1.vir.exe
- Size: 241KB
- MD5: 4c1fc16ab79ee26d77c6f55086d9c426
- SHA1: 8bcfaa5661fe60feba9d3f3cfbd93722559c089e
- SHA256: 0d28bf33f99d286092870f3504f54bc0cb81a0f733275d0b689d6bdb9aeb758a
- SHA512: 8cc407aa4fd67c199090e9f58c585f6571b2e55ff6ff1d009903a8b7272fca5ac8e3b1bfa614731818cb8c0918237e99c7ecb995918dbe3be06326d91dc0cf27
Malware Config
Signatures
- Looks for VMWare Tools registry key (2 TTPs)
- Suspicious use of WriteProcessMemory (44 IoCs)
  Processes (source PID/image wrote to memory of target PID/image; identical rows collapsed to a count):
  PID 1072 pandabanker_2.4.1.vir.exe wrote to memory of PID 1084 pandabanker_2.4.1.vir.exe (10 rows)
  PID 1084 pandabanker_2.4.1.vir.exe wrote to memory of PID 612 SplitAssert.exe (4 rows)
  PID 612 SplitAssert.exe wrote to memory of PID 316 SplitAssert.exe (10 rows)
  PID 316 SplitAssert.exe wrote to memory of PID 888 svchost.exe (8 rows)
  PID 1084 pandabanker_2.4.1.vir.exe wrote to memory of PID 1580 cmd.exe (4 rows)
  PID 316 SplitAssert.exe wrote to memory of PID 1668 svchost.exe (8 rows)
- Deletes itself (1 IoCs)
  Processes: PID 1580 cmd.exe
- Checks BIOS information in registry (2 TTPs, 1 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: pandabanker_2.4.1.vir.exe queried key value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  svchost.exe created key \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run
  svchost.exe set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\SplitAssert.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SplitAssert.exe\""
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: PID 1084 pandabanker_2.4.1.vir.exe, Token: SeSecurityPrivilege
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Suspicious behavior: EnumeratesProcesses (298 IoCs)
  Processes (identical rows collapsed; this export shows only the first entries of the 298): PID 1084 pandabanker_2.4.1.vir.exe (10 rows), PID 888 svchost.exe (all remaining rows shown)
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer that runs Windows applications on other operating systems and is sometimes used as a sandboxing environment.
  Processes:
  pandabanker_2.4.1.vir.exe opened key \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE
  pandabanker_2.4.1.vir.exe opened key \REGISTRY\MACHINE\Software\Wow6432Node\WINE
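The anti-analysis signatures above (BIOS version string, VMware Tools key, VirtualBox Guest Additions and ACPI keys, Wine keys) all reduce to "is a certain key present" or "does a certain value contain a hypervisor marker". The following is an added example, not the sample's code and not part of the report: it models those checks against a registry snapshot so a sandbox operator can see which indicators a guest would trip. The report names only the check categories and prints the BIOS and Wine key paths; the VMware and VirtualBox key paths and the marker substrings are the commonly checked ones and are this example's assumption, and the SNAPSHOT dict is constructed here to resemble a VirtualBox guest rather than taken from the page.

```python
"""Model the anti-analysis registry checks the report flags against a
registry snapshot. Added example; not the sample's code.

Key paths are accepted in the report's native \\REGISTRY\\MACHINE and
\\REGISTRY\\USER\\<SID> form or as HKLM/HKCU. The VMware/VirtualBox
paths and the marker strings are assumed (commonly checked), not
printed by the report.
"""
import re

# Existence checks: the key being present at all is the indicator.
KEY_EXISTS = {
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools": "vmware-tools",        # assumed path
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions": "vbox-guest-additions",  # assumed path
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": "vbox-acpi",                   # assumed path
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__": "vbox-acpi",                   # assumed path
    r"HKLM\HARDWARE\ACPI\RSDT\VBOX__": "vbox-acpi",                   # assumed path
    r"HKCU\Software\Wine": "wine",                                     # printed by the report
    r"HKLM\Software\Wow6432Node\Wine": "wine",                         # printed by the report
}
# Content checks: (key, value name) -> (label, substrings that give the hypervisor away).
VALUE_MARKERS = {
    (r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"):
        ("bios-marker", ("vbox", "vmware", "qemu", "bochs")),
    (r"HKLM\HARDWARE\DESCRIPTION\System", "VideoBiosVersion"):
        ("video-bios-marker", ("virtualbox", "vmware")),
}

NATIVE_MACHINE = re.compile(r"^\\registry\\machine\\", re.I)
NATIVE_USER = re.compile(r"^\\registry\\user\\s-1-5-21-[0-9-]+\\", re.I)


def normalize(path):
    """Map native NT registry paths to HKLM/HKCU and lowercase them for comparison."""
    path = NATIVE_MACHINE.sub(r"HKLM\\", path)
    path = NATIVE_USER.sub(r"HKCU\\", path)
    return path.lower()


def _flatten(data):
    # REG_MULTI_SZ values arrive as lists; compare them as one string.
    return " ".join(data) if isinstance(data, (list, tuple)) else str(data)


def evaluate(snapshot):
    """Return (label, location, reason) for every indicator present in `snapshot`.

    snapshot: {key path: {value name: data}}; a key with no values is {}.
    """
    keys = {normalize(k): {n.lower(): _flatten(d) for n, d in vals.items()}
            for k, vals in snapshot.items()}
    hits = []
    for key, label in KEY_EXISTS.items():
        if normalize(key) in keys:
            hits.append((label, key, "key present"))
    for (key, name), (label, markers) in VALUE_MARKERS.items():
        data = keys.get(normalize(key), {}).get(name.lower())
        if data is None:
            continue
        found = [m for m in markers if m in data.lower()]
        if found:
            hits.append((label, f"{key}\\{name}", f"contains {found[0]!r}"))
    return hits


# Constructed snapshot of an unhardened VirtualBox guest (not data from the report).
SNAPSHOT = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": ["VBOX   - 1", "DEFAULT_SYSTEM_BIOS"],
        "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1"],
    },
    r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__": {},
    r"\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions": {"Version": "6.1.10"},
    r"\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run": {},
}

if __name__ == "__main__":
    for label, where, why in evaluate(SNAPSHOT):
        print(f"{label:22} {where}: {why}")
```

Every hit is something the sandbox operator can remove before the sample ever runs: rewrite SystemBiosVersion and VideoBiosVersion to an OEM string, rename the VBOX__ ACPI tables, and keep guest additions and Wine off the analysis image. The Wine check in particular is cheap for the malware and a strong tell, because no real victim machine has an HKCU\Software\Wine key.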
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  PID 1072 pandabanker_2.4.1.vir.exe set thread context of PID 1084 pandabanker_2.4.1.vir.exe
  PID 612 SplitAssert.exe set thread context of PID 316 SplitAssert.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 1084 pandabanker_2.4.1.vir.exe (2 rows)
- Executes dropped EXE (2 IoCs)
  Processes: PID 612 SplitAssert.exe, PID 316 SplitAssert.exe
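Read together, the WriteProcessMemory and SetThreadContext tables describe one chain: each stage launches a copy of its own image, writes into it and resets its thread context (the process-hollowing sequence), and the last stage writes into two svchost.exe instances. The following is an added example, not part of the report and not the sample's code, that reconstructs that chain from the rows above: EVENTS is transcribed from the two signature tables (PIDs and images as printed, identical rows collapsed to a count), and the classification labels are this example's own.

```python
"""Reconstruct the injection chain from the report's WriteProcessMemory
and SetThreadContext signature rows. Added example; not the sample's code.
"""
from collections import Counter, defaultdict, deque

# (api, source pid, source image, target pid, target image, row count),
# transcribed from the signature tables in the report.
EVENTS = [
    ("WriteProcessMemory", 1072, "pandabanker_2.4.1.vir.exe", 1084, "pandabanker_2.4.1.vir.exe", 10),
    ("WriteProcessMemory", 1084, "pandabanker_2.4.1.vir.exe", 612, "SplitAssert.exe", 4),
    ("WriteProcessMemory", 612, "SplitAssert.exe", 316, "SplitAssert.exe", 10),
    ("WriteProcessMemory", 316, "SplitAssert.exe", 888, "svchost.exe", 8),
    ("WriteProcessMemory", 1084, "pandabanker_2.4.1.vir.exe", 1580, "cmd.exe", 4),
    ("WriteProcessMemory", 316, "SplitAssert.exe", 1668, "svchost.exe", 8),
    ("SetThreadContext", 1072, "pandabanker_2.4.1.vir.exe", 1084, "pandabanker_2.4.1.vir.exe", 1),
    ("SetThreadContext", 612, "SplitAssert.exe", 316, "SplitAssert.exe", 1),
]

# Windows images that malware commonly picks as hosts for injected code (this example's list).
SYSTEM_HOSTS = {"svchost.exe", "explorer.exe", "rundll32.exe", "dllhost.exe"}


def classify(events):
    """Collapse write events per (source, target) edge and label each edge.

    hollowing-candidate: the writer also called SetThreadContext on the
      target, i.e. it rewrote the child's memory and then redirected its
      entry point (the classic process-hollowing sequence).
    injection-into-system-host: writes into a Windows host process the
      writer did not hollow, typical of remote code injection.
    write-to-child: a few writes into a freshly created child; a handful
      of these happen during ordinary process creation, so on their own
      they are low signal.
    """
    writes = Counter()
    images = {}
    set_context = set()
    for api, src, src_img, dst, dst_img, count in events:
        images[src], images[dst] = src_img, dst_img
        if api == "WriteProcessMemory":
            writes[(src, dst)] += count
        elif api == "SetThreadContext":
            set_context.add((src, dst))

    findings = []
    for (src, dst), count in sorted(writes.items()):
        if (src, dst) in set_context:
            kind = "hollowing-candidate"
        elif images[dst].lower() in SYSTEM_HOSTS:
            kind = "injection-into-system-host"
        else:
            kind = "write-to-child"
        findings.append({
            "src": src, "dst": dst,
            "src_image": images[src], "dst_image": images[dst],
            "same_image": images[src].lower() == images[dst].lower(),
            "writes": count, "kind": kind,
        })
    return {"total_writes": sum(writes.values()), "findings": findings}


def lineage(events, root):
    """Breadth-first walk of WriteProcessMemory edges from `root`.

    Returns the PIDs reached, in visit order, so an analyst can see which
    processes ultimately carry code that originated in the dropper.
    """
    children = defaultdict(set)
    for api, src, _, dst, _, _ in events:
        if api == "WriteProcessMemory":
            children[src].add(dst)
    order, seen, queue = [], set(), deque([root])
    while queue:
        pid = queue.popleft()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        queue.extend(sorted(children[pid]))
    return order


if __name__ == "__main__":
    report = classify(EVENTS)
    print(f"{report['total_writes']} WriteProcessMemory rows")
    for f in report["findings"]:
        print(f"  {f['src']} {f['src_image']} -> {f['dst']} {f['dst_image']}: "
              f"{f['writes']} writes, {f['kind']}")
    print("lineage from 1072:", lineage(EVENTS, 1072))
```

On this report the two hollowing candidates are exactly the two self-spawns (1072 into 1084, 612 into 316), and the memory dumps listed under Downloads record the same mapping address, 0x40C95E, for both PIDs 1084 and 316, which is consistent with a redirected entry point. The four writes into 612 and into 1580 are the ordinary process-creation noise the write-to-child label is meant to absorb; the eight writes from 316 into each svchost.exe are not.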
Processes
(PIDs taken from the signature tables above; nesting follows the report's depth markers 1 to 5)
- [1] C:\Users\Admin\AppData\Local\Temp\pandabanker_2.4.1.vir.exe, PID 1072
  command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.4.1.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - [2] C:\Users\Admin\AppData\Local\Temp\pandabanker_2.4.1.vir.exe, PID 1084
    command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.4.1.vir.exe"
    - Suspicious use of WriteProcessMemory
    - Checks BIOS information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - [3] C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SplitAssert.exe, PID 612
      command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SplitAssert.exe"
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - Executes dropped EXE
      - [4] C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SplitAssert.exe, PID 316
        command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SplitAssert.exe"
        - Suspicious use of WriteProcessMemory
        - Executes dropped EXE
        - [5] C:\Windows\SysWOW64\svchost.exe, PID 888
          command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
        - [5] C:\Windows\SysWOW64\svchost.exe, PID 1668
          command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
    - [3] C:\Windows\SysWOW64\cmd.exe, PID 1580
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd88a1f56d.bat"
      - Deletes itself
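The process tree alone, without API traces, already carries several detectable patterns: svchost.exe whose parent is not services.exe, executables running from the user profile (here under a Flash Player directory that no installer created), a process re-launching its own image, a cmd.exe /c *.bat from Temp that removes the dropper, and a Run-key value pointing back into AppData. The following is an added example, not part of the report and not the sample's code, that applies those rules to the tree above: PROCESSES and RUN_VALUES are transcribed from the process tree and the "Adds Run key" signature (PIDs taken from the signature tables, a root process recorded with parent None), and the rule names and the LEGIT_SVCHOST_PARENTS allow-list are this example's own choices.

```python
"""Rule-based triage of the report's process tree and Run-key entry.
Added example; not the sample's code. Rule names are this example's own.
"""
import ntpath
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Transcribed from the report's process tree (PIDs from the signature tables).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\pandabanker_2.4.1.vir.exe"
PAYLOAD = (r"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player"
           r"\macromedia.com\support\flashplayer\sys\SplitAssert.exe")
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

PROCESSES = [
    Proc(1072, None, DROPPER, f'"{DROPPER}"'),
    Proc(1084, 1072, DROPPER, f'"{DROPPER}"'),
    Proc(612, 1084, PAYLOAD, f'"{PAYLOAD}"'),
    Proc(316, 612, PAYLOAD, f'"{PAYLOAD}"'),
    Proc(888, 316, SVCHOST, f"{SVCHOST} -k netsvcs"),
    Proc(1668, 316, SVCHOST, f"{SVCHOST} -k netsvcs"),
    Proc(1580, 1084, CMD,
         r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd88a1f56d.bat"'),
]

# Transcribed from the "Adds Run key to start application" signature.
RUN_VALUES = {
    r"\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\SplitAssert.exe": f'"{PAYLOAD}"',
}

# Paths a standard user can write to; code running from here was not installed by an admin.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
BAT_ARG = re.compile(r'/c\s+"?([^"]+?\.bat)"?', re.I)
# svchost.exe is started by the Service Control Manager; production rules carry a
# short allow-list of other legitimate parents, so tune this for your environment.
LEGIT_SVCHOST_PARENTS = {"services.exe"}


def base(path):
    return ntpath.basename(path).lower()


def first_token(cmdline):
    """Return the program path from a command line, honouring a quoted first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def triage(procs=PROCESSES, run_values=RUN_VALUES):
    """Return (rule, subject, detail) tuples for every rule that fires."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if USER_WRITABLE.match(p.image):
            findings.append(("exec-from-user-profile", p.pid, p.image))
        if parent and parent.image.lower() == p.image.lower():
            # A process re-launching its own image is the setup step of process hollowing.
            findings.append(("self-spawn", p.pid, f"child of {parent.pid} with the same image"))
        if base(p.image) == "svchost.exe":
            parent_img = base(parent.image) if parent else "<none>"
            if parent_img not in LEGIT_SVCHOST_PARENTS:
                findings.append(("svchost-unexpected-parent", p.pid,
                                 f"parent {parent_img} (PID {p.ppid})"))
        if base(p.image) == "cmd.exe" and parent:
            m = BAT_ARG.search(p.cmdline)
            # A user-profile binary running a batch file from Temp is the usual
            # "wait, delete the dropper, delete the .bat" self-removal trick.
            if m and USER_WRITABLE.match(m.group(1)) and USER_WRITABLE.match(parent.image):
                findings.append(("bat-self-delete", p.pid, m.group(1)))
    for key, value in run_values.items():
        target = first_token(value)
        if USER_WRITABLE.match(target):
            findings.append(("run-key-into-user-profile", key, target))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage():
        print(f"{rule:28} {subject}: {detail}")
```

The svchost parent rule is the highest-confidence one here: on a healthy host every svchost.exe descends from services.exe, so two of them under a binary in AppData\Roaming is enough on its own to open an incident. The remaining rules are weaker individually (users do run software from AppData) and earn their keep by co-occurring on the same lineage.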
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd88a1f56d.bat
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SplitAssert.exe (listed 3 times)
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SplitAssert.exe (listed 2 times)
- memory/316-11-0x000000000040C95E-mapping.dmp
- memory/612-8-0x000000000056F000-0x0000000000570000-memory.dmp (Filesize 4KB)
- memory/612-6-0x0000000000000000-mapping.dmp
- memory/888-14-0x0000000000000000-mapping.dmp
- memory/1072-0-0x00000000003B0000-0x00000000003B1000-memory.dmp (Filesize 4KB)
- memory/1084-3-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize 144KB)
- memory/1084-2-0x000000000040C95E-mapping.dmp
- memory/1084-1-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize 144KB)
- memory/1580-15-0x0000000000000000-mapping.dmp
- memory/1668-16-0x0000000000000000-mapping.dmp