Analysis
- max time kernel: 114s
- max time network: 118s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:35
Static task: static1
Behavioral task: behavioral1
- Sample: pandabanker_2.1.1.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: pandabanker_2.1.1.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: pandabanker_2.1.1.vir.exe
- Size: 308KB
- MD5: ed09632e3d549edb8f31eaac5562df7c
- SHA1: d78f465ffb433d4f2c9382e22e028709567c7eba
- SHA256: 62989ab56f11701b109cddf0eb20e995c833078bb40942a8c931589497c25948
- SHA512: 5a4fd769e5eafd76704eff6138eb25637353bdd4e23c769f327f76e2e3dad6cbae06ce7090b88b1d6802e7dfd94639b4316334435fdc2b4efc8f13226e176e2b
- Score: 8/10
Malware Config
Signatures
- Suspicious use of UnmapMainImage (2 IoCs)
  Processes:
    pid 1080  pandabanker_2.1.1.vir.exe
    pid 1100  ResumeConnect.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    pid 1080  pandabanker_2.1.1.vir.exe  Token: SeSecurityPrivilege
    pid 1080  pandabanker_2.1.1.vir.exe  Token: SeSecurityPrivilege
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1080  pandabanker_2.1.1.vir.exe
    pid 1080  pandabanker_2.1.1.vir.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (source pid/process -> target pid/process, number of writes):
    1080 pandabanker_2.1.1.vir.exe -> 1100 ResumeConnect.exe  (4 writes)
    1100 ResumeConnect.exe         -> 1348 svchost.exe        (9 writes)
    1100 ResumeConnect.exe         -> 1472 svchost.exe        (9 writes)
    1080 pandabanker_2.1.1.vir.exe -> 1568 cmd.exe            (4 writes)
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1100  ResumeConnect.exe
- Deletes itself (1 IoC)
  Processes:
    pid 1568  cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\pandabanker_2.1.1.vir.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.1.1.vir.exe"
  - Suspicious use of UnmapMainImage
  - Suspicious use of AdjustPrivilegeToken
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\ResumeConnect.exe
    command line: "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\ResumeConnect.exe"
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - [depth 3] C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
    - [depth 3] C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd69a249ee.bat"
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd69a249ee.bat
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\ResumeConnect.exe
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\ResumeConnect.exe
- \Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\ResumeConnect.exe
- \Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\ResumeConnect.exe
- memory/1100-2-0x0000000000000000-mapping.dmp
- memory/1348-5-0x0000000000000000-mapping.dmp
- memory/1472-6-0x0000000000000000-mapping.dmp
- memory/1568-7-0x0000000000000000-mapping.dmp