Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-06-2023 21:09

General

  • Target

    VN[A43369197BA4B9840A742079ADE515B8] [2022-12-15T03_11_33.4145147] lang-English (United States)/Passwords.txt.lnk

  • Size

    1KB

  • MD5

    01a52f0468558df808b8459bf0ab80a8

  • SHA1

    61d544fd99b9bd753abe9bda5db5b917f2cfe8ad

  • SHA256

    7f04ca01713ecbbc5c0610d63ca0b500e01641b75b1def3291c0975db5aabeea

  • SHA512

    0832dc0916aa567e4daf289985621e3246cc761f8e6ff435c590b417b8ad3d4975e27b7fa763b32dc5994c7c8fc909a1833525d4850d0d5e150d3a217d19b280

Score
10/10

Malware Config

Signatures

  • Panda Stealer payload 3 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\VN[A43369197BA4B9840A742079ADE515B8] [2022-12-15T03_11_33.4145147] lang-English (United States)\Passwords.txt.lnk"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c InstalledSoftware.txt | Wallets\Google_[Chrome]_Default_Metamask\000341.ldb
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\VN[A43369197BA4B9840A742079ADE515B8] [2022-12-15T03_11_33.4145147] lang-English (United States)\InstalledSoftware.txt
        3⤵
          PID:4076
        • C:\Users\Admin\AppData\Local\Temp\VN[A43369197BA4B9840A742079ADE515B8] [2022-12-15T03_11_33.4145147] lang-English (United States)\Wallets\Google_[Chrome]_Default_Metamask\000341.ldb
          Wallets\Google_[Chrome]_Default_Metamask\000341.ldb
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4388
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3820
            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
              work.exe -priverdD
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4672
              • C:\Users\Admin\AppData\Local\Temp\RarSFX1\efthsf.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX1\efthsf.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of SetWindowsHookEx
                PID:1468

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Discovery
      • Query Registry (1)
        T1012
      • System Information Discovery (2)
        T1082

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
      Filesize

      35B

      MD5

      ff59d999beb970447667695ce3273f75

      SHA1

      316fa09f467ba90ac34a054daf2e92e6e2854ff8

      SHA256

      065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

      SHA512

      d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
      Filesize

      1.7MB

      MD5

      51a361bef59e8460f51890dcf0cc4db5

      SHA1

      474593ed74808e4249b12e97e35cb3d386ec9b71

      SHA256

      b6dbf8daa3bafea4f7ccd74921525b8e4a3b4993ef1049e6dc65c733e3a1ed9f

      SHA512

      f56c93e2f7edc4bb6874c98904877f67d75a2b64fe8bd3483905cfb5efc4cb3d0316a66feff34d3c1a6f82b1ca9d513950da42c44585f03c35db0dcf6c5be201

    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\efthsf.exe
      Filesize

      1.4MB

      MD5

      0b56d226dfd3e5771f0920e05940d408

      SHA1

      cb9c6a16a2aeddcc7864b36ee1cac1fd51f7b583

      SHA256

      b7c6baa369eaa5298ff5e41bf2bc61704cbf1311eb92236ea9b8d84493487f65

      SHA512

      cef9f93b4aa405486a555e5c7ec0b956ab46b21208c573f8b2c8bd86d3f106ea7f9f308eb7f9a63de9760bf8fd5b24740f3ec3229c60e02059dfa8dca2e9af2d

    • memory/1468-152-0x0000000000C80000-0x000000000108A000-memory.dmp
      Filesize

      4.0MB

    • memory/1468-153-0x0000000000C80000-0x000000000108A000-memory.dmp
      Filesize

      4.0MB

    • memory/1468-154-0x0000000000C80000-0x000000000108A000-memory.dmp
      Filesize

      4.0MB

    • memory/1468-155-0x0000000000C80000-0x000000000108A000-memory.dmp
      Filesize

      4.0MB