Analysis
-
max time kernel
151s -
max time network
149s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
08-05-2021 23:03
General
-
Target
a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe
-
Size
98KB
-
MD5
cd1a70fc9e006494a67c2e70981651c9
-
SHA1
1dee7ceb1f8e915f7a62736eb60e1ef84e4c2933
-
SHA256
a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898
-
SHA512
50c34689b8249999480fa2889e84f06f5bf2683bef246ce5f898f907e92d9eb208744cba15a599a9a531b48ef987ffcd486909716d0fb056f02ef6431e067c37
Score
10/10
Malware Config
Signatures
-
Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe"C:\Users\Admin\AppData\Local\Temp\a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exeC:\Users\Admin\AppData\Local\Temp\a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winver.exewinver4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1136-70-0x0000000000210000-0x0000000000216000-memory.dmpFilesize
24KB
-
memory/1176-68-0x0000000000BF0000-0x0000000000C06000-memory.dmpFilesize
88KB
-
memory/1176-72-0x0000000000210000-0x0000000000211000-memory.dmpFilesize
4KB
-
memory/1176-69-0x0000000000150000-0x0000000000156000-memory.dmpFilesize
24KB
-
memory/1176-66-0x0000000000000000-mapping.dmp
-
memory/1200-71-0x0000000001AC0000-0x0000000001AC6000-memory.dmpFilesize
24KB
-
memory/1244-73-0x0000000002580000-0x0000000002586000-memory.dmpFilesize
24KB
-
memory/1244-74-0x0000000002990000-0x0000000002996000-memory.dmpFilesize
24KB
-
memory/1244-76-0x0000000077990000-0x0000000077991000-memory.dmpFilesize
4KB
-
memory/1244-75-0x00000000779A0000-0x00000000779A1000-memory.dmpFilesize
4KB
-
memory/1244-77-0x0000000077980000-0x0000000077981000-memory.dmpFilesize
4KB
-
memory/1628-63-0x00000000001F0000-0x00000000001F4000-memory.dmpFilesize
16KB
-
memory/1628-60-0x0000000075551000-0x0000000075553000-memory.dmpFilesize
8KB
-
memory/2040-65-0x0000000001870000-0x0000000002270000-memory.dmpFilesize
10.0MB
-
memory/2040-64-0x0000000000400000-0x0000000000404400-memory.dmpFilesize
17KB
-
memory/2040-62-0x0000000000401000-mapping.dmp
-
memory/2040-61-0x0000000000400000-0x000000000149A000-memory.dmpFilesize
16.6MB