Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 09-03-2022 14:00
Static task: static1
Behavioral task: behavioral1
  Sample: 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
  Resource: win10v2004-en-20220112
General
- Target: 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
- Size: 1.3MB
- MD5: 396f2b95ceaa2a0f978b514b7552b2b4
- SHA1: b7bc8fc2437026235c0183cfe1f444a72cefc55a
- SHA256: 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab
- SHA512: 207b36b3282323ac0ccaaf3ebc077ee1d2f0bc7a36f3c0c1dea454af116f56682dfa8aabf04f52704a8f926f1264b7cc9ea9ee4c6555f5c44099db1aadf12562
Malware Config
Signatures
- Panda Stealer Payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/556-66-0x0000000000400000-0x00000000004AE000-memory.dmp | family_pandastealer
  behavioral1/memory/556-68-0x0000000000400000-0x00000000004AE000-memory.dmp | family_pandastealer
  behavioral1/memory/556-70-0x0000000000400000-0x00000000004AE000-memory.dmp | family_pandastealer
  behavioral1/memory/556-72-0x0000000000400000-0x00000000004AE000-memory.dmp | family_pandastealer
- PandaStealer
  Panda Stealer is a fork of CollectorProject Stealer written in C++.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
  description | pid | process | target process
  PID 972 set thread context of 556 | 972 | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  1272 | 556 | WerFault.exe | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe, 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
  description | pid | process | target process
  PID 972 wrote to memory of 556 | 972 | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
  PID 972 wrote to memory of 556 | 972 | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
  PID 972 wrote to memory of 556 | 972 | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
  PID 972 wrote to memory of 556 | 972 | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
  PID 972 wrote to memory of 556 | 972 | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
  PID 972 wrote to memory of 556 | 972 | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
  PID 972 wrote to memory of 556 | 972 | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
  PID 972 wrote to memory of 556 | 972 | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
  PID 972 wrote to memory of 556 | 972 | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
  PID 972 wrote to memory of 556 | 972 | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
  PID 556 wrote to memory of 1272 | 556 | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe | WerFault.exe
  PID 556 wrote to memory of 1272 | 556 | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe | WerFault.exe
  PID 556 wrote to memory of 1272 | 556 | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe | WerFault.exe
  PID 556 wrote to memory of 1272 | 556 | 5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe | WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\5cbe850f672ab2ba13bef9015eca0712fa071c918b4a435b6486e41f42862aab.exe
      Command line: "{path}"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 136
         - Program crash
Network
MITRE ATT&CK Matrix
Downloads
File | Filesize
memory/556-60-0x0000000000400000-0x00000000004AE000-memory.dmp | 696KB
memory/556-62-0x0000000000400000-0x00000000004AE000-memory.dmp | 696KB
memory/556-64-0x0000000000400000-0x00000000004AE000-memory.dmp | 696KB
memory/556-66-0x0000000000400000-0x00000000004AE000-memory.dmp | 696KB
memory/556-68-0x0000000000400000-0x00000000004AE000-memory.dmp | 696KB
memory/556-70-0x0000000000400000-0x00000000004AE000-memory.dmp | 696KB
memory/556-72-0x0000000000400000-0x00000000004AE000-memory.dmp | 696KB
memory/972-55-0x0000000001090000-0x00000000011DC000-memory.dmp | 1.3MB
memory/972-56-0x0000000074950000-0x000000007503E000-memory.dmp | 6.9MB
memory/972-57-0x0000000004C90000-0x0000000004C91000-memory.dmp | 4KB
memory/972-58-0x0000000000220000-0x0000000000234000-memory.dmp | 80KB
memory/972-59-0x0000000008560000-0x000000000865A000-memory.dmp | 1000KB