Analysis
max time kernel: 149s
max time network: 122s
platform: windows10_x64
resource: win10
submitted: 19-07-2020 17:13

Static task: static1
Behavioral task: behavioral1
  Sample: pandabanker_2.6.9.vir.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: pandabanker_2.6.9.vir.exe
  Resource: win10
General
Target: pandabanker_2.6.9.vir.exe
Size: 210KB
MD5: 1ff6aa04bc4971019ecd9220847a8986
SHA1: 9bf32b9710a1fc088d831c0d88c6c02579ffbffa
SHA256: 3d95e6885d4a0a66dad5d37750fa84a4d4f1f9db2ccc741997d22d89af92cbfb
SHA512: 161d92bc46abe4b94d2eb1c394e2ee1530d9af7936fbbae3580f4870b8ac08db522fcf300b502350ff4dcad976e9e32c296a7c9be71964e8dfa06164bbd0a358
Malware Config
Signatures

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (identical entries merged; the "entries" column gives how many times each row appears in the report):
description       source PID  source process                       target PID  target process                       entries
wrote to memory   2920        pandabanker_2.6.9.vir.exe            3824        2823318777ntouromlalnodry--naod.exe  3
wrote to memory   2920        pandabanker_2.6.9.vir.exe            1960        cmd.exe                              3
wrote to memory   3824        2823318777ntouromlalnodry--naod.exe  3840        svchost.exe                          7
wrote to memory   3824        2823318777ntouromlalnodry--naod.exe  3764        svchost.exe                          7
Executes dropped EXE (1 IoC)
Processes:
pid   process
3824  2823318777ntouromlalnodry--naod.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
process      description      ioc
svchost.exe  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run
svchost.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\2823318777ntouromlalnodry--naod.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\2823318777ntouromlalnodry--naod.exe"
Drops file in Windows directory (2 IoCs)
Processes:
description                   ioc                 process
File opened for modification  C:\Windows\win.ini  pandabanker_2.6.9.vir.exe
File opened for modification  C:\Windows\win.ini  2823318777ntouromlalnodry--naod.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description  ioc                                                                              process
Key opened   \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE      pandabanker_2.6.9.vir.exe
Key opened   \REGISTRY\MACHINE\Software\WOW6432Node\WINE                                      pandabanker_2.6.9.vir.exe
Suspicious behavior: EnumeratesProcesses (46 IoCs)
Processes (identical entries merged; the "entries" column gives how many times each row appears in the report):
pid   process                    entries
2920  pandabanker_2.6.9.vir.exe  20
3840  svchost.exe                26
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description                 pid   process
Token: SeSecurityPrivilege  2920  pandabanker_2.6.9.vir.exe
Processes (tree; the number is the process depth reported by the sandbox, followed by the image path and the command line)

1  C:\Users\Admin\AppData\Local\Temp\pandabanker_2.6.9.vir.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\pandabanker_2.6.9.vir.exe"
   - Suspicious use of WriteProcessMemory
   - Drops file in Windows directory
   - Identifies Wine through registry keys
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken

   2  C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\2823318777ntouromlalnodry--naod.exe
      command line: "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\2823318777ntouromlalnodry--naod.exe"
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - Drops file in Windows directory

      3  C:\Windows\SysWOW64\svchost.exe
         command line: C:\Windows\SysWOW64\svchost.exe
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses

      3  C:\Windows\SysWOW64\svchost.exe
         command line: C:\Windows\SysWOW64\svchost.exe

   2  C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\updb08f7de5.bat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\updb08f7de5.bat
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\2823318777ntouromlalnodry--naod.exe
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\2823318777ntouromlalnodry--naod.exe
- C:\Windows\win.ini
- memory/1960-674-0x0000000000000000-mapping.dmp
- memory/3764-677-0x0000000000000000-mapping.dmp
- memory/3824-670-0x0000000000000000-mapping.dmp
- memory/3840-676-0x0000000000000000-mapping.dmp