Analysis
- max time kernel: 152s
- max time network: 43s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:36
Static task: static1
Behavioral task: behavioral1
  Sample: pandabanker_2.3.1.vir.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: pandabanker_2.3.1.vir.exe
  Resource: win10
General
- Target: pandabanker_2.3.1.vir.exe
- Size: 203KB
- MD5: 7e986d3db3f08640ce7515c67514b491
- SHA1: 18accea914ac794731532d236cd4f6e75a9f4d49
- SHA256: 7eb56d98f341b98164b70f34d5f4008a07f3fe9d02943ddc7edeacb05f6dd5ef
- SHA512: 1f89a4a323b9018220ee843c9568f9a218d4395b341b28cd93a7d3f828ab2d7873c17831a997810a14223769e07cb861d7a9a691f4fe2ac14ce87bba517b2fa3
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes:
    pid   process
    1892  cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      ioc                                                                                                                                                          process
    Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run                                                   svchost.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\SuspendSave.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SuspendSave.exe\""  svchost.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (254 IoCs)
  Processes:
    pid   process
    1056  pandabanker_2.3.1.vir.exe  (10 entries)
    1884  svchost.exe                (repeated entries)
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                             process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  pandabanker_2.3.1.vir.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Suspicious use of WriteProcessMemory (44 IoCs)
  Processes (source pid -> target pid, source process -> target process):
    PID 1032 wrote to memory of 1056  (pandabanker_2.3.1.vir.exe -> pandabanker_2.3.1.vir.exe)  10 entries
    PID 1056 wrote to memory of 1512  (pandabanker_2.3.1.vir.exe -> SuspendSave.exe)             4 entries
    PID 1512 wrote to memory of 1868  (SuspendSave.exe -> SuspendSave.exe)                       10 entries
    PID 1868 wrote to memory of 1884  (SuspendSave.exe -> svchost.exe)                           4 entries
    PID 1056 wrote to memory of 1892  (pandabanker_2.3.1.vir.exe -> cmd.exe)                     4 entries
    PID 1868 wrote to memory of 1884  (SuspendSave.exe -> svchost.exe)                           4 entries
    PID 1868 wrote to memory of 640   (SuspendSave.exe -> svchost.exe)                           8 entries
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (source pid -> target pid, source process -> target process):
    PID 1032 set thread context of 1056  (pandabanker_2.3.1.vir.exe -> pandabanker_2.3.1.vir.exe)
    PID 1512 set thread context of 1868  (SuspendSave.exe -> SuspendSave.exe)
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1512  SuspendSave.exe
    1868  SuspendSave.exe
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
    description  ioc                                                                          process
    Key opened   \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\WINE  pandabanker_2.3.1.vir.exe
    Key opened   \REGISTRY\MACHINE\Software\Wow6432Node\WINE                                  pandabanker_2.3.1.vir.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                 pid   process
    Token: SeSecurityPrivilege  1056  pandabanker_2.3.1.vir.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1056  pandabanker_2.3.1.vir.exe
    1056  pandabanker_2.3.1.vir.exe
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\pandabanker_2.3.1.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.3.1.vir.exe"
  Signatures: Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext
  - [level 2] C:\Users\Admin\AppData\Local\Temp\pandabanker_2.3.1.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.3.1.vir.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Checks BIOS information in registry; Suspicious use of WriteProcessMemory; Identifies Wine through registry keys; Suspicious use of AdjustPrivilegeToken; Loads dropped DLL
    - [level 3] C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SuspendSave.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SuspendSave.exe"
      Signatures: Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext; Executes dropped EXE
      - [level 4] C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SuspendSave.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SuspendSave.exe"
        Signatures: Suspicious use of WriteProcessMemory; Executes dropped EXE
        - [level 5] C:\Windows\SysWOW64\svchost.exe
          Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
          Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses
        - [level 5] C:\Windows\SysWOW64\svchost.exe
          Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
          Signatures: none
    - [level 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd8a5bed31.bat"
      Signatures: Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd8a5bed31.bat
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SuspendSave.exe (listed 3 times)
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SuspendSave.exe (listed 2 times)
- memory/640-15-0x0000000000000000-mapping.dmp
- memory/1056-0-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize 144KB)
- memory/1056-2-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize 144KB)
- memory/1056-1-0x000000000040C7C9-mapping.dmp
- memory/1512-5-0x0000000000000000-mapping.dmp
- memory/1868-9-0x000000000040C7C9-mapping.dmp
- memory/1884-13-0x0000000000000000-mapping.dmp
- memory/1892-12-0x0000000000000000-mapping.dmp