Analysis
max time kernel: 149s
max time network: 145s
platform: windows10_x64
resource: win10
submitted: 19-07-2020 19:36

Static task: static1
Behavioral task: behavioral1
  Sample: pandabanker_2.3.1.vir.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: pandabanker_2.3.1.vir.exe
  Resource: win10
General
Target: pandabanker_2.3.1.vir.exe
Size: 203KB
MD5: 7e986d3db3f08640ce7515c67514b491
SHA1: 18accea914ac794731532d236cd4f6e75a9f4d49
SHA256: 7eb56d98f341b98164b70f34d5f4008a07f3fe9d02943ddc7edeacb05f6dd5ef
SHA512: 1f89a4a323b9018220ee843c9568f9a218d4395b341b28cd93a7d3f828ab2d7873c17831a997810a14223769e07cb861d7a9a691f4fe2ac14ce87bba517b2fa3
Malware Config
Signatures
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read to detect sandboxing environments: hypervisors commonly leave their vendor string in this value, which is what such checks compare against.
Processes:
- pandabanker_2.3.1.vir.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment. Both the native and the WOW6432Node location are probed, so the check works from a 32-bit process on a 64-bit host.
Processes:
- pandabanker_2.3.1.vir.exe: Key opened \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE
- pandabanker_2.3.1.vir.exe: Key opened \REGISTRY\MACHINE\Software\WOW6432Node\WINE
Suspicious use of WriteProcessMemory (44 IoCs)
Processes: pandabanker_2.3.1.vir.exe, sessionCheckpoints.exe
Source PID -> target PID (source image -> target image): number of writes
- 2788 -> 1816 (pandabanker_2.3.1.vir.exe -> pandabanker_2.3.1.vir.exe): 9
- 1816 -> 3820 (pandabanker_2.3.1.vir.exe -> sessionCheckpoints.exe): 3
- 3820 -> 3912 (sessionCheckpoints.exe -> sessionCheckpoints.exe): 3
- 3820 -> 3928 (sessionCheckpoints.exe -> sessionCheckpoints.exe): 3
- 3820 -> 3868 (sessionCheckpoints.exe -> sessionCheckpoints.exe): 9
- 1816 -> 3448 (pandabanker_2.3.1.vir.exe -> cmd.exe): 3
- 3868 -> 3456 (sessionCheckpoints.exe -> svchost.exe): 7
- 3868 -> 2520 (sessionCheckpoints.exe -> svchost.exe): 7
Suspicious behavior: EnumeratesProcesses (264 IoCs)
Processes: pandabanker_2.3.1.vir.exe (PID 1816), svchost.exe (PID 3456). The page lists a truncated run of repeated entries for these two PIDs; 264 IoCs in total.
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- pandabanker_2.3.1.vir.exe (PID 1816): Token: SeSecurityPrivilege
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- svchost.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run
- svchost.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\sessionCheckpoints.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\sessionCheckpoints.exe"
Note that the Run value is written by the injected svchost.exe, not by the dropper, and that it points into the user's AppData\Roaming profile under a folder named to look like Adobe Acrobat. A Run entry whose target lives in a user-writable directory and whose writer is svchost.exe is a stronger detection than either observation alone.
Looks for VMWare Tools registry key (2 TTPs)
Looks for VirtualBox Guest Additions in registry (2 TTPs)
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
Suspicious use of SetThreadContext (2 IoCs)
Processes: pandabanker_2.3.1.vir.exe, sessionCheckpoints.exe
- PID 2788 set thread context of 1816 (pandabanker_2.3.1.vir.exe -> pandabanker_2.3.1.vir.exe)
- PID 3820 set thread context of 3868 (sessionCheckpoints.exe -> sessionCheckpoints.exe)
Read together with the WriteProcessMemory IoCs, both entries are the process hollowing pattern: the parent starts a second copy of its own image, writes a new image into it (2788 -> 1816 and 3820 -> 3868 are the two most-written pairs, nine writes each), then resets the child's thread context so execution starts in the injected code.
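Put together, the WriteProcessMemory and SetThreadContext IoCs describe two hollowing steps (2788 into 1816 and 3820 into 3868, each a child running the parent's own image) followed by write-only injection into two svchost.exe instances. As an added example, not code from the report or from the sandbox, the Python below parses event lines of that shape, pairs writes with thread-context changes per source/target PID, and walks the resulting edges to recover the chain of PIDs that ended up running injected code. The sample events are a cut-down copy of this report's IoC list (constructed here, with the repeated write lines reduced to one or two per pair).

```python
"""Find process hollowing and remote code writes in a sandbox's memory events.

Hollowing leaves a distinctive pair of events from one source PID against one
target PID: WriteProcessMemory (the new image is written in) followed by
SetThreadContext (the suspended main thread is pointed at it). When the target
runs the same image as the source, the parent has hollowed a copy of itself.
"""
import re
from collections import defaultdict

WRITE, SET_CTX = "wrote to memory of", "set thread context of"

# One event line as the report prints it:
#   PID 2788 wrote to memory of 1816 2788 pandabanker_2.3.1.vir.exe pandabanker_2.3.1.vir.exe
#   PID 2788 set thread context of 1816 2788 pandabanker_2.3.1.vir.exe pandabanker_2.3.1.vir.exe
EVENT = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_events(lines):
    """Yield dicts {src, dst, action, src_img, dst_img}; skip lines that do not parse."""
    for line in lines:
        m = EVENT.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["src"], ev["dst"] = int(ev["src"]), int(ev["dst"])
            yield ev


def find_injection(lines):
    """Group events per (src, dst) pair and split them into hollowing
    (write + thread context change) and write-only injection candidates."""
    pairs = defaultdict(lambda: {"writes": 0, "set_ctx": 0, "src_img": None, "dst_img": None})
    for ev in parse_events(lines):
        p = pairs[(ev["src"], ev["dst"])]
        p["src_img"], p["dst_img"] = ev["src_img"], ev["dst_img"]
        if ev["action"] == WRITE:
            p["writes"] += 1
        else:
            p["set_ctx"] += 1

    hollowing, remote_write = [], []
    for (src, dst), p in sorted(pairs.items()):
        rec = {"src": src, "dst": dst, **p, "same_image": p["src_img"] == p["dst_img"]}
        if p["writes"] and p["set_ctx"]:
            hollowing.append(rec)
        elif p["writes"]:
            # Writes without a context change: either a dropper configuring a child
            # it just spawned, or injection into an already running process
            # (here: sessionCheckpoints.exe writing into two svchost.exe instances).
            remote_write.append(rec)
    return {"hollowing": hollowing, "remote_write": remote_write}


def injection_chains(result):
    """Follow every write/hollow edge from the root PIDs to the leaves, giving the
    PIDs that ended up executing attacker-controlled code."""
    adj, targets = defaultdict(list), set()
    for rec in result["hollowing"] + result["remote_write"]:
        adj[rec["src"]].append(rec["dst"])
        targets.add(rec["dst"])
    chains = []

    def walk(path):
        nxt = sorted(adj.get(path[-1], []))
        if not nxt:
            chains.append(path)
            return
        for d in nxt:
            if d not in path:  # a malformed report could contain a cycle
                walk(path + [d])

    for root in sorted(set(adj) - targets):
        walk([root])
    return chains


# Constructed input: the event pairs from this report, with the repeated
# WriteProcessMemory lines cut down to one or two per pair.
P, S, SV = "pandabanker_2.3.1.vir.exe", "sessionCheckpoints.exe", "svchost.exe"
SAMPLE_EVENTS = [
    f"PID 2788 wrote to memory of 1816 2788 {P} {P}",
    f"PID 2788 wrote to memory of 1816 2788 {P} {P}",
    f"PID 2788 set thread context of 1816 2788 {P} {P}",
    f"PID 1816 wrote to memory of 3820 1816 {P} {S}",
    f"PID 3820 wrote to memory of 3912 3820 {S} {S}",
    f"PID 3820 wrote to memory of 3868 3820 {S} {S}",
    f"PID 3820 wrote to memory of 3868 3820 {S} {S}",
    f"PID 3820 set thread context of 3868 3820 {S} {S}",
    f"PID 1816 wrote to memory of 3448 1816 {P} cmd.exe",
    f"PID 3868 wrote to memory of 3456 3868 {S} {SV}",
    f"PID 3868 wrote to memory of 3456 3868 {S} {SV}",
    f"PID 3868 wrote to memory of 2520 3868 {S} {SV}",
    "this line is not an event and is skipped",
]

if __name__ == "__main__":
    result = find_injection(SAMPLE_EVENTS)
    for rec in result["hollowing"]:
        print(f"hollowing: {rec['src']} -> {rec['dst']} ({rec['dst_img']}, same image: {rec['same_image']})")
    for rec in result["remote_write"]:
        print(f"remote write: {rec['src']} -> {rec['dst']} ({rec['dst_img']}) x{rec['writes']}")
    for chain in injection_chains(result):
        print(" -> ".join(map(str, chain)))
```

The write-only bucket is deliberately kept separate from hollowing: a parent that writes into a child it just created is not by itself malicious, whereas a write into an unrelated svchost.exe, or a write followed by SetThreadContext, almost always is. The chain walk is what turns the flat IoC list into the answer an analyst actually wants, namely which PIDs (and so which memory dumps) hold the real payload.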
Executes dropped EXE (4 IoCs)
Processes:
- 3820 sessionCheckpoints.exe
- 3912 sessionCheckpoints.exe
- 3928 sessionCheckpoints.exe
- 3868 sessionCheckpoints.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and form history.
Processes
PIDs are taken from the IoC tables in the Signatures section; indentation shows parent/child depth.

depth 1: C:\Users\Admin\AppData\Local\Temp\pandabanker_2.3.1.vir.exe (PID 2788)
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.3.1.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext

  depth 2: C:\Users\Admin\AppData\Local\Temp\pandabanker_2.3.1.vir.exe (PID 1816)
    Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.3.1.vir.exe"
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    depth 3: C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\sessionCheckpoints.exe (PID 3820)
      Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\sessionCheckpoints.exe"
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - Executes dropped EXE

      depth 4: C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\sessionCheckpoints.exe (PID 3912)
        Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\sessionCheckpoints.exe"
        - Executes dropped EXE

      depth 4: C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\sessionCheckpoints.exe (PID 3928)
        Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\sessionCheckpoints.exe"
        - Executes dropped EXE

      depth 4: C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\sessionCheckpoints.exe (PID 3868)
        Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\sessionCheckpoints.exe"
        - Suspicious use of WriteProcessMemory
        - Executes dropped EXE

        depth 5: C:\Windows\SysWOW64\svchost.exe (PID 3456)
          Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
          - Suspicious behavior: EnumeratesProcesses
          - Adds Run key to start application

        depth 5: C:\Windows\SysWOW64\svchost.exe (PID 2520)
          Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs

    depth 3: C:\Windows\SysWOW64\cmd.exe (PID 3448)
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd973a4f8e.bat"

The two svchost.exe instances are a detection on their own: a genuine "svchost.exe -k netsvcs" host is started by services.exe from System32, not by a user-mode executable in AppData and not from SysWOW64. Their parent here is the hollowed sessionCheckpoints.exe (PID 3868), which also wrote into both of them, and the Run-key persistence is then set from inside PID 3456.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files:
- C:\Users\Admin\AppData\Local\Temp\upd973a4f8e.bat
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\sessionCheckpoints.exe (listed five times on the page)

Memory dumps:
- memory/1816-0-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/1816-2-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/1816-1-0x000000000040C7C9-mapping.dmp
- memory/2520-14-0x0000000000000000-mapping.dmp
- memory/3448-12-0x0000000000000000-mapping.dmp
- memory/3456-13-0x0000000000000000-mapping.dmp
- memory/3820-3-0x0000000000000000-mapping.dmp
- memory/3868-9-0x000000000040C7C9-mapping.dmp

The two 144KB dumps of PID 1816 cover 0x400000-0x424000, the region the parent (PID 2788) wrote into before resetting the child's thread context, so they are the place to look for the unpacked image rather than the 203KB file on disk. The same address, 0x40C7C9, appears in the mapping dumps of both hollowed children (PIDs 1816 and 3868), consistent with the same injected image being started in both.