Analysis
-
max time kernel
119s -
max time network
141s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
19-07-2020 19:33
Static task
static1
Behavioral task
behavioral1
Sample
pandabanker_2.2.11.vir.exe
Resource
win7v200430
General
-
Target
pandabanker_2.2.11.vir.exe
-
Size
378KB
-
MD5
41d9df6b1a7e6fe50f8b3b94186ad9be
-
SHA1
da1dd6c5cfabd88c587235d2908b63cd53974577
-
SHA256
10b85536fedabb3c8ca3bed5822f368ed64a09bb06b4f595ac4dc18aeb565426
-
SHA512
dccb522e7d609c508b147fb2cf353c123766e3a04d9dfbf97f9d7f368bc58d5aa69ad38d7d0a86719c0a9210ad904f84f81920b5297589ecbdec74c8c359c3c1
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
pandabanker_2.2.11.vir.exedescription pid process Token: SeSecurityPrivilege 1684 pandabanker_2.2.11.vir.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
pandabanker_2.2.11.vir.exeinstalls.exedescription pid process target process PID 1684 wrote to memory of 2572 1684 pandabanker_2.2.11.vir.exe installs.exe PID 1684 wrote to memory of 2572 1684 pandabanker_2.2.11.vir.exe installs.exe PID 1684 wrote to memory of 2572 1684 pandabanker_2.2.11.vir.exe installs.exe PID 2572 wrote to memory of 4072 2572 installs.exe svchost.exe PID 2572 wrote to memory of 4072 2572 installs.exe svchost.exe PID 2572 wrote to memory of 4072 2572 installs.exe svchost.exe PID 2572 wrote to memory of 4072 2572 installs.exe svchost.exe PID 2572 wrote to memory of 4072 2572 installs.exe svchost.exe PID 2572 wrote to memory of 4072 2572 installs.exe svchost.exe PID 2572 wrote to memory of 4072 2572 installs.exe svchost.exe PID 2572 wrote to memory of 3968 2572 installs.exe svchost.exe PID 2572 wrote to memory of 3968 2572 installs.exe svchost.exe PID 2572 wrote to memory of 3968 2572 installs.exe svchost.exe PID 2572 wrote to memory of 3968 2572 installs.exe svchost.exe PID 2572 wrote to memory of 3968 2572 installs.exe svchost.exe PID 2572 wrote to memory of 3968 2572 installs.exe svchost.exe PID 2572 wrote to memory of 3968 2572 installs.exe svchost.exe PID 1684 wrote to memory of 3816 1684 pandabanker_2.2.11.vir.exe cmd.exe PID 1684 wrote to memory of 3816 1684 pandabanker_2.2.11.vir.exe cmd.exe PID 1684 wrote to memory of 3816 1684 pandabanker_2.2.11.vir.exe cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
pandabanker_2.2.11.vir.exepid process 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe 1684 pandabanker_2.2.11.vir.exe -
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
pandabanker_2.2.11.vir.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion pandabanker_2.2.11.vir.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
pandabanker_2.2.11.vir.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\WINE pandabanker_2.2.11.vir.exe Key opened \REGISTRY\MACHINE\Software\WOW6432Node\WINE pandabanker_2.2.11.vir.exe -
Executes dropped EXE 1 IoCs
Processes:
installs.exepid process 2572 installs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.11.vir.exe"C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.11.vir.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Checks BIOS information in registry
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\installs.exe"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\installs.exe"2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs3⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upda6fdb18c.bat"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\upda6fdb18c.bat
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\installs.exe
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\installs.exe
-
memory/2572-0-0x0000000000000000-mapping.dmp
-
memory/3816-5-0x0000000000000000-mapping.dmp
-
memory/3968-4-0x0000000000000000-mapping.dmp
-
memory/4072-3-0x0000000000000000-mapping.dmp