Analysis
-
max time kernel
150s -
max time network
29s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
19-07-2020 19:33
Static task
static1
Behavioral task
behavioral1
Sample
pandabanker_2.2.11.vir.exe
Resource
win7v200430
General
-
Target
pandabanker_2.2.11.vir.exe
-
Size
378KB
-
MD5
41d9df6b1a7e6fe50f8b3b94186ad9be
-
SHA1
da1dd6c5cfabd88c587235d2908b63cd53974577
-
SHA256
10b85536fedabb3c8ca3bed5822f368ed64a09bb06b4f595ac4dc18aeb565426
-
SHA512
dccb522e7d609c508b147fb2cf353c123766e3a04d9dfbf97f9d7f368bc58d5aa69ad38d7d0a86719c0a9210ad904f84f81920b5297589ecbdec74c8c359c3c1
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
pandabanker_2.2.11.vir.exedescription pid process Token: SeSecurityPrivilege 1048 pandabanker_2.2.11.vir.exe -
Loads dropped DLL 1 IoCs
Processes:
pandabanker_2.2.11.vir.exepid process 1048 pandabanker_2.2.11.vir.exe -
Executes dropped EXE 1 IoCs
Processes:
webappsstore.exepid process 1028 webappsstore.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1496 cmd.exe -
Looks for VMWare Tools registry key 2 TTPs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pandabanker_2.2.11.vir.exepid process 1048 pandabanker_2.2.11.vir.exe 1048 pandabanker_2.2.11.vir.exe 1048 pandabanker_2.2.11.vir.exe 1048 pandabanker_2.2.11.vir.exe 1048 pandabanker_2.2.11.vir.exe 1048 pandabanker_2.2.11.vir.exe 1048 pandabanker_2.2.11.vir.exe 1048 pandabanker_2.2.11.vir.exe 1048 pandabanker_2.2.11.vir.exe 1048 pandabanker_2.2.11.vir.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
pandabanker_2.2.11.vir.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion pandabanker_2.2.11.vir.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
pandabanker_2.2.11.vir.exedescription ioc process Key opened \REGISTRY\MACHINE\Software\Wow6432Node\WINE pandabanker_2.2.11.vir.exe Key opened \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\WINE pandabanker_2.2.11.vir.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
pandabanker_2.2.11.vir.exewebappsstore.exedescription pid process target process PID 1048 wrote to memory of 1028 1048 pandabanker_2.2.11.vir.exe webappsstore.exe PID 1048 wrote to memory of 1028 1048 pandabanker_2.2.11.vir.exe webappsstore.exe PID 1048 wrote to memory of 1028 1048 pandabanker_2.2.11.vir.exe webappsstore.exe PID 1048 wrote to memory of 1028 1048 pandabanker_2.2.11.vir.exe webappsstore.exe PID 1028 wrote to memory of 1520 1028 webappsstore.exe svchost.exe PID 1028 wrote to memory of 1520 1028 webappsstore.exe svchost.exe PID 1028 wrote to memory of 1520 1028 webappsstore.exe svchost.exe PID 1028 wrote to memory of 1520 1028 webappsstore.exe svchost.exe PID 1028 wrote to memory of 1520 1028 webappsstore.exe svchost.exe PID 1028 wrote to memory of 1520 1028 webappsstore.exe svchost.exe PID 1028 wrote to memory of 1520 1028 webappsstore.exe svchost.exe PID 1028 wrote to memory of 1520 1028 webappsstore.exe svchost.exe PID 1028 wrote to memory of 1092 1028 webappsstore.exe svchost.exe PID 1028 wrote to memory of 1092 1028 webappsstore.exe svchost.exe PID 1028 wrote to memory of 1092 1028 webappsstore.exe svchost.exe PID 1028 wrote to memory of 1092 1028 webappsstore.exe svchost.exe PID 1028 wrote to memory of 1092 1028 webappsstore.exe svchost.exe PID 1028 wrote to memory of 1092 1028 webappsstore.exe svchost.exe PID 1028 wrote to memory of 1092 1028 webappsstore.exe svchost.exe PID 1028 wrote to memory of 1092 1028 webappsstore.exe svchost.exe PID 1048 wrote to memory of 1496 1048 pandabanker_2.2.11.vir.exe cmd.exe PID 1048 wrote to memory of 1496 1048 pandabanker_2.2.11.vir.exe cmd.exe PID 1048 wrote to memory of 1496 1048 pandabanker_2.2.11.vir.exe cmd.exe PID 1048 wrote to memory of 1496 1048 pandabanker_2.2.11.vir.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.11.vir.exe"C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.11.vir.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\webappsstore.exe"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\webappsstore.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs3⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd642afd69.bat"2⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\upd642afd69.bat
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\webappsstore.exe
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\webappsstore.exe
-
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\webappsstore.exe
-
memory/1028-1-0x0000000000000000-mapping.dmp
-
memory/1028-8-0x0000000002740000-0x0000000002744000-memory.dmpFilesize
16KB
-
memory/1048-7-0x0000000002740000-0x0000000002744000-memory.dmpFilesize
16KB
-
memory/1092-5-0x0000000000000000-mapping.dmp
-
memory/1496-6-0x0000000000000000-mapping.dmp
-
memory/1520-4-0x0000000000000000-mapping.dmp