Overview

overview

10

Static

static

0f3bfa748a...95.exe

windows7_x64

10

0f3bfa748a...95.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-11-2020 12:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f3bfa748a771b5e6498d584c15e6995.exe

  • Size

    168KB

  • MD5

    9a386bbb2de614c64284f2bd63570ff0

  • SHA1

    e3ed06a92cb6fb11b2351ce924350937159d0d16

  • SHA256

    653c78ce95354e4c3e7a24d3d33de2eac505cc2fd943992c859418813469c4e8

  • SHA512

    0668662532992a9dce3987ea18dd0745bf18bc09a8d2cdfb1a505db2c3b404f24736d5c52467e8af4c6a7725e19bdd80c934ea14a6d5b5c262cb8371e5e08c02

Score
10/10
tinbabankerpersistencetrojan

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

    trojanbankertinba
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • c:\windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2836
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
      1⤵
        PID:2856
      • c:\windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
          PID:2992
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
            PID:2624
            • C:\Users\Admin\AppData\Local\Temp\0f3bfa748a771b5e6498d584c15e6995.exe
              "C:\Users\Admin\AppData\Local\Temp\0f3bfa748a771b5e6498d584c15e6995.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1144
              • C:\Windows\SysWOW64\winver.exe
                winver
                3⤵
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of WriteProcessMemory
                PID:3768
          • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
            "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
            1⤵
              PID:3292
            • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
              1⤵
                PID:3308
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                  PID:3584
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                  1⤵
                    PID:3836

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Initial Access

                  Execution

                  Persistence

                  Registry Run Keys / Startup Folder

                  1
                  T1060

                  Privilege Escalation

                  Defense Evasion

                  Modify Registry

                  1
                  T1112

                  Credential Access

                  Discovery

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/2624-1-0x0000000000820000-0x0000000000826000-memory.dmp
                    Filesize

                    24KB

                    Download
                  • memory/2624-5-0x0000000000790000-0x0000000000796000-memory.dmp
                    Filesize

                    24KB

                    Download
                  • memory/2836-2-0x0000000000B10000-0x0000000000B16000-memory.dmp
                    Filesize

                    24KB

                    Download
                  • memory/2856-3-0x0000000000990000-0x0000000000996000-memory.dmp
                    Filesize

                    24KB

                    Download
                  • memory/2992-4-0x0000000000480000-0x0000000000486000-memory.dmp
                    Filesize

                    24KB

                    Download
                  • memory/3292-6-0x0000000000E80000-0x0000000000E86000-memory.dmp
                    Filesize

                    24KB

                    Download
                  • memory/3308-7-0x0000000000520000-0x0000000000526000-memory.dmp
                    Filesize

                    24KB

                    Download
                  • memory/3584-8-0x0000000000CC0000-0x0000000000CC6000-memory.dmp
                    Filesize

                    24KB

                    Download
                  • memory/3768-0-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3836-9-0x0000000000510000-0x0000000000516000-memory.dmp
                    Filesize

                    24KB

                    Download