Analysis
- max time kernel: 149s
- max time network: 131s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 17:13
- Static task: static1
- Behavioral task: behavioral1 (sample pandabanker_2.6.9.vir.exe, resource win7)
- Behavioral task: behavioral2 (sample pandabanker_2.6.9.vir.exe, resource win10)
General
- Target: pandabanker_2.6.9.vir.exe
- Size: 210KB
- MD5: 1ff6aa04bc4971019ecd9220847a8986
- SHA1: 9bf32b9710a1fc088d831c0d88c6c02579ffbffa
- SHA256: 3d95e6885d4a0a66dad5d37750fa84a4d4f1f9db2ccc741997d22d89af92cbfb
- SHA512: 161d92bc46abe4b94d2eb1c394e2ee1530d9af7936fbbae3580f4870b8ac08db522fcf300b502350ff4dcad976e9e32c296a7c9be71964e8dfa06164bbd0a358
Malware Config
Signatures

Drops file in Windows directory (2 IoCs)
Processes: pandabanker_2.6.9.vir.exe, 2918063365piupsah.exe
- File opened for modification: C:\Windows\win.ini (pandabanker_2.6.9.vir.exe)
- File opened for modification: C:\Windows\win.ini (2918063365piupsah.exe)

Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: pandabanker_2.6.9.vir.exe
- Key opened: \REGISTRY\MACHINE\Software\Wow6432Node\WINE (pandabanker_2.6.9.vir.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE (pandabanker_2.6.9.vir.exe)

Suspicious behavior: EnumeratesProcesses (36 IoCs)
Processes: pandabanker_2.6.9.vir.exe, svchost.exe
- PID 1612 pandabanker_2.6.9.vir.exe (10 entries)
- PID 1760 svchost.exe (26 entries)

Loads dropped DLL (2 IoCs)
Processes: pandabanker_2.6.9.vir.exe
- PID 1612 pandabanker_2.6.9.vir.exe (2 entries)

Executes dropped EXE (1 IoC)
Processes: 2918063365piupsah.exe
- PID 1116 2918063365piupsah.exe

Deletes itself (1 IoC)
Processes: cmd.exe
- PID 1544 cmd.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: pandabanker_2.6.9.vir.exe
- Token: SeSecurityPrivilege, PID 1612 pandabanker_2.6.9.vir.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Processes: pandabanker_2.6.9.vir.exe, 2918063365piupsah.exe
- PID 1612 (pandabanker_2.6.9.vir.exe) wrote to memory of PID 1116 (2918063365piupsah.exe): 4 entries
- PID 1612 (pandabanker_2.6.9.vir.exe) wrote to memory of PID 1544 (cmd.exe): 4 entries
- PID 1116 (2918063365piupsah.exe) wrote to memory of PID 1760 (svchost.exe): 8 entries
- PID 1116 (2918063365piupsah.exe) wrote to memory of PID 1656 (svchost.exe): 8 entries

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svchost.exe
- Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run (svchost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\2918063365piupsah.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\2918063365piupsah.exe\"" (svchost.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Users\Admin\AppData\Local\Temp\pandabanker_2.6.9.vir.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.6.9.vir.exe"
  - Drops file in Windows directory
  - Identifies Wine through registry keys
  - Suspicious behavior: EnumeratesProcesses
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\2918063365piupsah.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\2918063365piupsah.exe"
    - Drops file in Windows directory
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (depth 3)
      Command line: C:\Windows\SysWOW64\svchost.exe
      - Suspicious behavior: EnumeratesProcesses
      - Adds Run key to start application
    - C:\Windows\SysWOW64\svchost.exe (depth 3)
      Command line: C:\Windows\SysWOW64\svchost.exe
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd9cc78f16.bat"
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd9cc78f16.bat
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\2918063365piupsah.exe
- C:\Windows\win.ini
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\2918063365piupsah.exe
- memory/1116-4-0x0000000000000000-mapping.dmp
- memory/1544-8-0x0000000000000000-mapping.dmp
- memory/1656-11-0x0000000000000000-mapping.dmp
- memory/1760-10-0x0000000000000000-mapping.dmp