Analysis
- max time kernel: 149s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 21-10-2024 13:46
Static task: static1
Behavioral task: behavioral1
  Sample: be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82N.exe
  Resource: win10v2004-20241007-en
General
- Target: be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82N.exe
- Size: 3.2MB
- MD5: 5256b4591f38e362966bf251ae756da0
- SHA1: 65c90a1a336dd3e1711aad8a7a4f763a14ac4eee
- SHA256: be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82
- SHA512: 731b263ce7cc6fb94419d909cd207bcf346986f4dafc879766f5a7821b8f044bf76dc128dfee22b63f382f7f5627711a507faf8c2daf7d324e3c49250e9579c9
- SSDEEP: 98304:FV2NcsQ02VEnzsa9e0KugO2vdwSsKHqMvJ:FVicsz2V5gbgO2vdw1TQJ
Malware Config
Signatures
- Panda Stealer payload (1 IoC)
  resource: behavioral1/files/0x00080000000193b8-3.dat, yara_rule: family_pandastealer
  PandaStealer: Panda Stealer is a fork of CollectorProject Stealer written in C++.
- Executes dropped EXE (2 IoCs)
  pid 1248: setup.exe
  pid 2884: setup.tmp
- Loads dropped DLL (7 IoCs)
  pid 1276: be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82N.exe (4 entries)
  pid 1248: setup.exe (1 entry)
  pid 2884: setup.tmp (2 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: setup.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: setup.tmp
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1276 (be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82N.exe) wrote to memory of 1248, procid_target 29 (7 entries)
  PID 1248 (setup.exe) wrote to memory of 2884, procid_target 30 (7 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\be27bc8a9dab3b415bbc9bd1aec4d36b1a1cecc1e2d9fa298c87281479d7ef82N.exe"
   PID: 1276
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\setup.exe"
      PID: 1248
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\is-MCQVL.tmp\setup.tmp
         Command line: "C:\Users\Admin\AppData\Local\Temp\is-MCQVL.tmp\setup.tmp" /SL5="$80154,38217423,126976,C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\setup.exe"
         PID: 2884
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
Network
Downloads