Analysis
- max time kernel: 149s
- max time network: 73s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 19:43
Static task: static1
Behavioral task: behavioral1
  Sample: pandabanker_2.6.10.vir.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: pandabanker_2.6.10.vir.exe
  Resource: win10v200430
General
- Target: pandabanker_2.6.10.vir.exe
- Size: 200KB
- MD5: e9d7b64791e55e421c0ac838e63f6c2a
- SHA1: 8ea9f1eb72e5c9140edbf789ec3c1823c3667983
- SHA256: 57ad651687d7bad1d5be010376dcd1c62a467ddfae3e96bc6429e7d53cb23e0d
- SHA512: c6d3814e5c9ea272ae765b4b3271ae138b7a877567fe5ce28de5c164dfaf309eb33be089c66f6ce38d1e1c9ba1bd0b5aac3d7baca5a66d6264e9fe1f365567cb
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description      | ioc                                                                                                                                                                                                                                  | process
  Set value (str)  | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows PowerShell ISE (x86).exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\Windows PowerShell ISE (x86).exe\"" | svchost.exe
  Key created      | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\Currentversion\Run                                                                                                                          | svchost.exe
- Suspicious behavior: EnumeratesProcesses (104 IoCs)
  Processes:
  pid   | process
  4060  | pandabanker_2.6.10.vir.exe (listed repeatedly in the report)
  2824  | svchost.exe (listed repeatedly in the report)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description                 | pid   | process
  Token: SeSecurityPrivilege  | 4060  | pandabanker_2.6.10.vir.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
  description                        | pid   | process                           | target process
  PID 4060 wrote to memory of 1168   | 4060  | pandabanker_2.6.10.vir.exe        | Windows PowerShell ISE (x86).exe (3 entries)
  PID 4060 wrote to memory of 1288   | 4060  | pandabanker_2.6.10.vir.exe        | cmd.exe (3 entries)
  PID 1168 wrote to memory of 2824   | 1168  | Windows PowerShell ISE (x86).exe  | svchost.exe (7 entries)
  PID 1168 wrote to memory of 3808   | 1168  | Windows PowerShell ISE (x86).exe  | svchost.exe (7 entries)
- Executes dropped EXE (1 IoC)
  Processes:
  pid   | process
  1168  | Windows PowerShell ISE (x86).exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
  description  | ioc                                                                                      | process
  Key opened   | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\WINE              | pandabanker_2.6.10.vir.exe
  Key opened   | \REGISTRY\MACHINE\Software\WOW6432Node\WINE                                              | pandabanker_2.6.10.vir.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes (tree, depth shown by indentation)
1. C:\Users\Admin\AppData\Local\Temp\pandabanker_2.6.10.vir.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.6.10.vir.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   - Identifies Wine through registry keys
   2. C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\Windows PowerShell ISE (x86).exe
      Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\Windows PowerShell ISE (x86).exe"
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      3. C:\Windows\SysWOW64\svchost.exe
         Command line: C:\Windows\SysWOW64\svchost.exe
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
      3. C:\Windows\SysWOW64\svchost.exe
         Command line: C:\Windows\SysWOW64\svchost.exe
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd9fe084bf.bat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd9fe084bf.bat
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\Windows PowerShell ISE (x86).exe
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\Windows PowerShell ISE (x86).exe
- memory/1168-1-0x0000000000000000-mapping.dmp
- memory/1168-4-0x000000000049B000-0x000000000049C000-memory.dmp (Filesize: 4KB)
- memory/1288-5-0x0000000000000000-mapping.dmp
- memory/2824-7-0x0000000000000000-mapping.dmp
- memory/3808-8-0x0000000000000000-mapping.dmp
- memory/4060-0-0x000000000068C000-0x000000000068D000-memory.dmp (Filesize: 4KB)