Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 19:42

Tasks
- Static task static1
- Behavioral task behavioral1: Sample pandabanker_2.4.1.vir.exe, Resource win7
- Behavioral task behavioral2: Sample pandabanker_2.4.1.vir.exe, Resource win10
General
- Target: pandabanker_2.4.1.vir.exe
- Size: 241KB
- MD5: 4c1fc16ab79ee26d77c6f55086d9c426
- SHA1: 8bcfaa5661fe60feba9d3f3cfbd93722559c089e
- SHA256: 0d28bf33f99d286092870f3504f54bc0cb81a0f733275d0b689d6bdb9aeb758a
- SHA512: 8cc407aa4fd67c199090e9f58c585f6571b2e55ff6ff1d009903a8b7272fca5ac8e3b1bfa614731818cb8c0918237e99c7ecb995918dbe3be06326d91dc0cf27
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Checks BIOS information in registry [2 TTPs, 1 IoC]
  BIOS information is often read in order to detect sandboxing environments.
  Processes: pandabanker_2.4.1.vir.exe
    description       | ioc                                                             | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | pandabanker_2.4.1.vir.exe
- Suspicious use of WriteProcessMemory [38 IoCs]
  Processes: pandabanker_2.4.1.vir.exe, SelectImport.exe
  (identical rows collapsed; the count column gives how often each row appears, 38 events in total)
    description                      | pid  | process                   | target process            | count
    PID 3100 wrote to memory of 3852 | 3100 | pandabanker_2.4.1.vir.exe | pandabanker_2.4.1.vir.exe | 9
    PID 3852 wrote to memory of 3828 | 3852 | pandabanker_2.4.1.vir.exe | SelectImport.exe          | 3
    PID 3828 wrote to memory of 3928 | 3828 | SelectImport.exe          | SelectImport.exe          | 9
    PID 3852 wrote to memory of 3600 | 3852 | pandabanker_2.4.1.vir.exe | cmd.exe                   | 3
    PID 3928 wrote to memory of 3500 | 3928 | SelectImport.exe          | svchost.exe               | 7
    PID 3928 wrote to memory of 1904 | 3928 | SelectImport.exe          | svchost.exe               | 7
- Suspicious use of SetThreadContext [2 IoCs]
  Processes: pandabanker_2.4.1.vir.exe, SelectImport.exe
    description                         | pid  | process                   | target process
    PID 3100 set thread context of 3852 | 3100 | pandabanker_2.4.1.vir.exe | pandabanker_2.4.1.vir.exe
    PID 3828 set thread context of 3928 | 3828 | SelectImport.exe          | SelectImport.exe
- Suspicious behavior: EnumeratesProcesses [242 IoCs]
  Processes: pandabanker_2.4.1.vir.exe, svchost.exe
  (identical rows collapsed)
    pid  | process
    3852 | pandabanker_2.4.1.vir.exe
    3500 | svchost.exe
- Suspicious use of AdjustPrivilegeToken [1 IoC]
  Processes: pandabanker_2.4.1.vir.exe
    description                | pid  | process
    Token: SeSecurityPrivilege | 3852 | pandabanker_2.4.1.vir.exe
- Executes dropped EXE [2 IoCs]
  Processes: SelectImport.exe
    pid  | process
    3828 | SelectImport.exe
    3928 | SelectImport.exe
- Looks for VirtualBox Guest Additions in registry [2 TTPs]
- Identifies Wine through registry keys [2 TTPs, 2 IoCs]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: pandabanker_2.4.1.vir.exe
    description | ioc                                                                         | process
    Key opened  | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE | pandabanker_2.4.1.vir.exe
    Key opened  | \REGISTRY\MACHINE\Software\WOW6432Node\WINE                                 | pandabanker_2.4.1.vir.exe
- Reads user/profile data of web browsers [2 TTPs]
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks for VMWare Tools registry key [2 TTPs]
- Adds Run key to start application [2 TTPs, 2 IoCs]
  Processes: svchost.exe
    description     | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\SelectImport.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\SelectImport.exe" | svchost.exe
    Key created     | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run | svchost.exe
Processes
(process tree; the number in brackets is the nesting level shown by the report)

[1] C:\Users\Admin\AppData\Local\Temp\pandabanker_2.4.1.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.4.1.vir.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext

    [2] C:\Users\Admin\AppData\Local\Temp\pandabanker_2.4.1.vir.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.4.1.vir.exe"
        - Checks BIOS information in registry
        - Suspicious use of WriteProcessMemory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Identifies Wine through registry keys

        [3] C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\SelectImport.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\SelectImport.exe"
            - Suspicious use of WriteProcessMemory
            - Suspicious use of SetThreadContext
            - Executes dropped EXE

            [4] C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\SelectImport.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\SelectImport.exe"
                - Suspicious use of WriteProcessMemory
                - Executes dropped EXE

                [5] C:\Windows\SysWOW64\svchost.exe
                    Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
                    - Suspicious behavior: EnumeratesProcesses
                    - Adds Run key to start application

                [5] C:\Windows\SysWOW64\svchost.exe
                    Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upda6c437e9.bat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upda6c437e9.bat
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\SelectImport.exe (listed three times in the report)
- memory/1904-14-0x0000000000000000-mapping.dmp
- memory/3100-0-0x000000000067E000-0x000000000067F000-memory.dmp (Filesize 4KB)
- memory/3500-13-0x0000000000000000-mapping.dmp
- memory/3600-12-0x0000000000000000-mapping.dmp
- memory/3828-4-0x0000000000000000-mapping.dmp
- memory/3828-7-0x00000000004BE000-0x00000000004BF000-memory.dmp (Filesize 4KB)
- memory/3852-3-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize 144KB)
- memory/3852-1-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize 144KB)
- memory/3852-2-0x000000000040C95E-mapping.dmp
- memory/3928-9-0x000000000040C95E-mapping.dmp