Analysis
Max time kernel: 151s
Max time network: 55s
Platform: windows7_x64
Resource: win7
Submitted: 19-07-2020 19:43

Static task: static1
Behavioral task: behavioral1 (sample pandabanker_2.6.10.vir.exe, resource win7)
Behavioral task: behavioral2 (sample pandabanker_2.6.10.vir.exe, resource win10v200430)

General
Target: pandabanker_2.6.10.vir.exe
Size: 200KB
MD5: e9d7b64791e55e421c0ac838e63f6c2a
SHA1: 8ea9f1eb72e5c9140edbf789ec3c1823c3667983
SHA256: 57ad651687d7bad1d5be010376dcd1c62a467ddfae3e96bc6429e7d53cb23e0d
SHA512: c6d3814e5c9ea272ae765b4b3271ae138b7a877567fe5ce28de5c164dfaf309eb33be089c66f6ce38d1e1c9ba1bd0b5aac3d7baca5a66d6264e9fe1f365567cb
Malware Config
Signatures

Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: pandabanker_2.6.10.vir.exe
description / ioc / process:
  Key opened  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE  pandabanker_2.6.10.vir.exe
  Key opened  \REGISTRY\MACHINE\Software\Wow6432Node\WINE  pandabanker_2.6.10.vir.exe

Suspicious behavior: EnumeratesProcesses (98 IoCs)
Processes: pandabanker_2.6.10.vir.exe, svchost.exe
pid / process:
  1132  pandabanker_2.6.10.vir.exe  (10 entries)
  1328  svchost.exe  (remaining 88 of the 98 entries)

Deletes itself (1 IoC)
Processes: cmd.exe
pid / process:
  1504  cmd.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Processes: pandabanker_2.6.10.vir.exe, 3647222921wleabcEoxlt-eengsairo.exe
description / pid / process / target process:
  PID 1132 wrote to memory of 1260  pandabanker_2.6.10.vir.exe -> 3647222921wleabcEoxlt-eengsairo.exe  (4 entries)
  PID 1132 wrote to memory of 1504  pandabanker_2.6.10.vir.exe -> cmd.exe  (4 entries)
  PID 1260 wrote to memory of 1328  3647222921wleabcEoxlt-eengsairo.exe -> svchost.exe  (8 entries)
  PID 1260 wrote to memory of 1884  3647222921wleabcEoxlt-eengsairo.exe -> svchost.exe  (8 entries)

Executes dropped EXE (1 IoC)
Processes: 3647222921wleabcEoxlt-eengsairo.exe
pid / process:
  1260  3647222921wleabcEoxlt-eengsairo.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svchost.exe
description / ioc / process:
  Key created  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run  svchost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\3647222921wleabcEoxlt-eengsairo.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\3647222921wleabcEoxlt-eengsairo.exe\""  svchost.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: pandabanker_2.6.10.vir.exe
description / pid / process:
  Token: SeSecurityPrivilege  1132  pandabanker_2.6.10.vir.exe

Loads dropped DLL (2 IoCs)
Processes: pandabanker_2.6.10.vir.exe
pid / process:
  1132  pandabanker_2.6.10.vir.exe
  1132  pandabanker_2.6.10.vir.exe
Processes (nested by depth)

1  C:\Users\Admin\AppData\Local\Temp\pandabanker_2.6.10.vir.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.6.10.vir.exe"
   - Identifies Wine through registry keys
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   - Suspicious use of AdjustPrivilegeToken
   - Loads dropped DLL

   2  C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\3647222921wleabcEoxlt-eengsairo.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\3647222921wleabcEoxlt-eengsairo.exe"
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE

      3  C:\Windows\SysWOW64\svchost.exe
         Command line: C:\Windows\SysWOW64\svchost.exe
         - Suspicious behavior: EnumeratesProcesses
         - Adds Run key to start application

      3  C:\Windows\SysWOW64\svchost.exe
         Command line: C:\Windows\SysWOW64\svchost.exe

   2  C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\updfd25d814.bat"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\updfd25d814.bat
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\3647222921wleabcEoxlt-eengsairo.exe
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\3647222921wleabcEoxlt-eengsairo.exe
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\3647222921wleabcEoxlt-eengsairo.exe
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\3647222921wleabcEoxlt-eengsairo.exe

Memory dumps
- memory/1132-0-0x0000000000590000-0x0000000000591000-memory.dmp (filesize 4KB)
- memory/1260-3-0x0000000000000000-mapping.dmp
- memory/1260-5-0x00000000002B1000-0x00000000002B2000-memory.dmp (filesize 4KB)
- memory/1328-9-0x0000000000000000-mapping.dmp
- memory/1504-7-0x0000000000000000-mapping.dmp
- memory/1884-10-0x0000000000000000-mapping.dmp