Analysis
-
max time kernel
20s -
max time network
25s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
06-02-2022 07:43
Static task
static1
Behavioral task
behavioral1
Sample
ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe
Resource
win10v2004-en-20220113
General
-
Target
ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe
-
Size
657KB
-
MD5
8ed6d907728a4b6647b1283abbfc2233
-
SHA1
34965adb74613e90a0b0777098fd39c97ff6f877
-
SHA256
ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170
-
SHA512
6da65cb2956f23efb19b4082fa768b9affc4a4e3f1c36532b471e47d5bf392f7976bac9c04b22bec7992d614785a347e0e9592e104fdb0503491fb61afaf3e1a
Malware Config
Signatures
-
Panda Stealer Payload 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\dqwqdqwdqwqwd.exe family_pandastealer C:\Users\Admin\AppData\Local\Temp\dqwqdqwdqwqwd.exe family_pandastealer behavioral2/memory/4528-132-0x00000000003C0000-0x0000000000476000-memory.dmp family_pandastealer -
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
Executes dropped EXE 1 IoCs
Processes:
dqwqdqwdqwqwd.exepid process 4528 dqwqdqwdqwqwd.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exedescription pid process target process PID 4892 wrote to memory of 4528 4892 ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe dqwqdqwdqwqwd.exe PID 4892 wrote to memory of 4528 4892 ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe dqwqdqwdqwqwd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe"C:\Users\Admin\AppData\Local\Temp\ee7c97b8f6d16ec0ba83e60e99f625be58bbcf24c0ddeba40461324661732170.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dqwqdqwdqwqwd.exe"C:\Users\Admin\AppData\Local\Temp\dqwqdqwdqwqwd.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\dqwqdqwdqwqwd.exeMD5
c865d7567594e030429089455c19f59e
SHA1853a06eaaae563e52f1d42187c3e35129f012133
SHA2561dd5c18547d170a26e06a5a518818870d241fc3a784185915ffe99f50daa829a
SHA512e6992f9ed36b99f59dd5ff3c67ebfc7ecad48610fbf238d7c2d60b484d2a0681a66e1eb9eb2d64c0cdaa65b757bff203b6c9236df3af64078eadba7c3ad978ce
-
C:\Users\Admin\AppData\Local\Temp\dqwqdqwdqwqwd.exeMD5
c865d7567594e030429089455c19f59e
SHA1853a06eaaae563e52f1d42187c3e35129f012133
SHA2561dd5c18547d170a26e06a5a518818870d241fc3a784185915ffe99f50daa829a
SHA512e6992f9ed36b99f59dd5ff3c67ebfc7ecad48610fbf238d7c2d60b484d2a0681a66e1eb9eb2d64c0cdaa65b757bff203b6c9236df3af64078eadba7c3ad978ce
-
memory/4528-132-0x00000000003C0000-0x0000000000476000-memory.dmpFilesize
728KB