pandastealer | d5efb272f04436e0a6d84b5b606acb92d48a6035d23d1790ac8ca22b05b547f3 | Triage

Analysis

max time kernel
73s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20220414-es
submitted
24-05-2022 04:43

Sharing

Report Analysis Logs

General

Target

build.exe

Score

10^/10

pandastealer spyware stealer suricata

Malware Config

Signatures

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
suricata: ET MALWARE Win32/CollectorStealer CnC Exfil M3
suricata: ET MALWARE Win32/CollectorStealer CnC Exfil M3
suricata
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

build.exetaskmgr.exe

pid	process
2420	build.exe
2420	build.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1860	taskmgr.exe
Token: SeSystemProfilePrivilege	1860	taskmgr.exe
Token: SeCreateGlobalPrivilege	1860	taskmgr.exe
Token: 33	1860	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1860	taskmgr.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

taskmgr.exe

pid	process
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

taskmgr.exe

pid	process
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe
1860	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2420

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...