Overview

overview

10

Static

static

615c8b816f...3f.exe

windows7_x64

10

615c8b816f...3f.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-11-2020 12:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    615c8b816f4ecf1acfd5418a44b19e3f.exe

  • Size

    92KB

  • MD5

    76187f5f99dffd2633a9877ed93dfbe6

  • SHA1

    8643ef0fd80a232d5b7c91fece9437a8c09af48e

  • SHA256

    1cb62ba1c9e13ce33e23dc9a015e37b50ac97359ffe85b500d03d47b417156cc

  • SHA512

    a3ae4aad347667aae86780af6ae2fec4c1b9782287da622845857945a8a3552b059c575bf050611ea53890b5fc2b27e8db06f77db93942a2bc2f484d473f411c

Score
10/10
tinbabankerpersistencetrojan

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

    trojanbankertinba
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • c:\windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2952
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
      1⤵
        PID:2976
      • c:\windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
          PID:3060
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
            PID:3128
            • C:\Users\Admin\AppData\Local\Temp\615c8b816f4ecf1acfd5418a44b19e3f.exe
              "C:\Users\Admin\AppData\Local\Temp\615c8b816f4ecf1acfd5418a44b19e3f.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:980
              • C:\Windows\SysWOW64\winver.exe
                winver
                3⤵
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:3288
          • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
            "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
            1⤵
              PID:3376
            • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
              1⤵
                PID:3400
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                  PID:3624
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                  1⤵
                    PID:3892
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                    1⤵
                      PID:2496

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Persistence

                    Registry Run Keys / Startup Folder

                    1
                    T1060

                    Privilege Escalation

                    Defense Evasion

                    Modify Registry

                    1
                    T1112

                    Credential Access

                    Discovery

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/2496-9-0x0000000000230000-0x0000000000236000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/2952-1-0x0000000000D30000-0x0000000000D36000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/2976-2-0x0000000000D30000-0x0000000000D36000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/3060-3-0x0000000000FF0000-0x0000000000FF6000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/3128-4-0x00000000011D0000-0x00000000011D6000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/3288-0-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3376-5-0x0000000000C00000-0x0000000000C06000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/3400-6-0x0000000000270000-0x0000000000276000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/3624-7-0x0000000000300000-0x0000000000306000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/3892-8-0x00000000005B0000-0x00000000005B6000-memory.dmp
                      Filesize

                      24KB

                      Download