Analysis
-
max time kernel
129s -
max time network
44s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
19-07-2020 19:37
Static task
static1
Behavioral task
behavioral1
Sample
pandabanker_2.2.12.vir.exe
Resource
win7
General
-
Target
pandabanker_2.2.12.vir.exe
-
Size
323KB
-
MD5
14986293dae2f70ce025cad0f8ef6667
-
SHA1
785c48b0ad930dbad78d3f976427958ec68a34cb
-
SHA256
2e6634f1f1abdd8cc2d651d060631598caf6374fee5bc3cd8b246e3090e4c4fa
-
SHA512
987b094f403360413e70f6f12893d081f6df3c47e9eb9d58c2112ba69c8c2062f8956cec870e0615e15f1e17ef6d58561a44eef4dd8cafdde5823662fb585bfc
Malware Config
Signatures
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
pandabanker_2.2.12.vir.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\WINE pandabanker_2.2.12.vir.exe Key opened \REGISTRY\MACHINE\Software\WOW6432Node\WINE pandabanker_2.2.12.vir.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pandabanker_2.2.12.vir.exeplaces.exepid process 1508 pandabanker_2.2.12.vir.exe 1744 places.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
pandabanker_2.2.12.vir.exedescription pid process Token: SeSecurityPrivilege 1508 pandabanker_2.2.12.vir.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
pandabanker_2.2.12.vir.exeplaces.exedescription pid process target process PID 1508 wrote to memory of 1744 1508 pandabanker_2.2.12.vir.exe places.exe PID 1508 wrote to memory of 1744 1508 pandabanker_2.2.12.vir.exe places.exe PID 1508 wrote to memory of 1744 1508 pandabanker_2.2.12.vir.exe places.exe PID 1744 wrote to memory of 2028 1744 places.exe svchost.exe PID 1744 wrote to memory of 2028 1744 places.exe svchost.exe PID 1744 wrote to memory of 2028 1744 places.exe svchost.exe PID 1744 wrote to memory of 2028 1744 places.exe svchost.exe PID 1744 wrote to memory of 2028 1744 places.exe svchost.exe PID 1744 wrote to memory of 2028 1744 places.exe svchost.exe PID 1744 wrote to memory of 2028 1744 places.exe svchost.exe PID 1744 wrote to memory of 2208 1744 places.exe svchost.exe PID 1744 wrote to memory of 2208 1744 places.exe svchost.exe PID 1744 wrote to memory of 2208 1744 places.exe svchost.exe PID 1744 wrote to memory of 2208 1744 places.exe svchost.exe PID 1744 wrote to memory of 2208 1744 places.exe svchost.exe PID 1744 wrote to memory of 2208 1744 places.exe svchost.exe PID 1744 wrote to memory of 2208 1744 places.exe svchost.exe PID 1508 wrote to memory of 3524 1508 pandabanker_2.2.12.vir.exe cmd.exe PID 1508 wrote to memory of 3524 1508 pandabanker_2.2.12.vir.exe cmd.exe PID 1508 wrote to memory of 3524 1508 pandabanker_2.2.12.vir.exe cmd.exe -
Executes dropped EXE 1 IoCs
Processes:
places.exepid process 1744 places.exe -
Looks for VMWare Tools registry key 2 TTPs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
pandabanker_2.2.12.vir.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion pandabanker_2.2.12.vir.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
pandabanker_2.2.12.vir.exeplaces.exepid process 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1508 pandabanker_2.2.12.vir.exe 1744 places.exe 1744 places.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs
Processes
-
C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.12.vir.exe"C:\Users\Admin\AppData\Local\Temp\pandabanker_2.2.12.vir.exe"1⤵
- Identifies Wine through registry keys
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\places.exe"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\places.exe"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs3⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\updc4f7668f.bat"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\updc4f7668f.bat
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\places.exe
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\places.exe
-
memory/1744-0-0x0000000000000000-mapping.dmp
-
memory/2028-3-0x0000000000000000-mapping.dmp
-
memory/2208-4-0x0000000000000000-mapping.dmp
-
memory/3524-5-0x0000000000000000-mapping.dmp