tinba | 8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8

General

Target

8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe
Size

160KB
MD5

bb7975b2ba7ca271e5e75628c4f648ac
SHA1

f9741d1c73c53c736fb19e51123f3325db5e9b32
SHA256

8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8
SHA512

3e73a69972d65dceeb44e01015fd4e3eb5abfce9d0029a2ce54d29248071690337e872de84a396e86291bc12f33ef7769b15f1c257dc87694dfaba21ee5f51bd

Score

10^/10

tinba banker persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winver.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	winver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\09B9844E = "C:\\Users\\Admin\\AppData\\Roaming\\09B9844E\\bin.exe"	winver.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe

description	pid	process	target process
PID 656 set thread context of 3916	656	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2372 3876 WerFault.exe DllHost.exe

pid	pid_target	process	target process
2372	3876	WerFault.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

winver.exeWerFault.exe

pid	process
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe
3588	winver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3092 Explorer.EXE

pid	process
3092	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

WerFault.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2372	WerFault.exe
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winver.exe

pid process

3588 winver.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe

pid process

656 8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3092 Explorer.EXE

pid	process
656	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe

pid	process
3092	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exewinver.exe

description	pid	process	target process
PID 656 wrote to memory of 3916	656	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe
PID 656 wrote to memory of 3916	656	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe
PID 656 wrote to memory of 3916	656	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe
PID 656 wrote to memory of 3916	656	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe
PID 656 wrote to memory of 3916	656	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe
PID 656 wrote to memory of 3916	656	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe
PID 656 wrote to memory of 3916	656	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe
PID 3916 wrote to memory of 3588	3916	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe	winver.exe
PID 3916 wrote to memory of 3588	3916	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe	winver.exe
PID 3916 wrote to memory of 3588	3916	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe	winver.exe
PID 3916 wrote to memory of 3588	3916	8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe	winver.exe
PID 3588 wrote to memory of 3092	3588	winver.exe	Explorer.EXE
PID 3588 wrote to memory of 2880	3588	winver.exe	sihost.exe
PID 3588 wrote to memory of 2896	3588	winver.exe	svchost.exe
PID 3588 wrote to memory of 2972	3588	winver.exe	taskhostw.exe
PID 3588 wrote to memory of 3092	3588	winver.exe	Explorer.EXE
PID 3588 wrote to memory of 3348	3588	winver.exe	ShellExperienceHost.exe
PID 3588 wrote to memory of 3360	3588	winver.exe	SearchUI.exe
PID 3588 wrote to memory of 3604	3588	winver.exe	RuntimeBroker.exe
PID 3588 wrote to memory of 3876	3588	winver.exe	DllHost.exe
PID 3588 wrote to memory of 3568	3588	winver.exe	DllHost.exe
PID 3588 wrote to memory of 200	3588	winver.exe
PID 3588 wrote to memory of 2372	3588	winver.exe	WerFault.exe
PID 3588 wrote to memory of 2112	3588	winver.exe	slui.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3092

C:\Users\Admin\AppData\Local\Temp\8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe
"C:\Users\Admin\AppData\Local\Temp\8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Local\Temp\8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe
"C:\Users\Admin\AppData\Local\Temp\8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\winver.exe
winver
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3876

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3876 -s 864
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3604

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3360

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3348

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2972

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2896

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2880

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3568

C:\Windows\System32\slui.exe
C:\Windows\System32\slui.exe -Embedding
1⤵
PID:2112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2112-132-0x00000000005F0000-0x00000000005F7000-memory.dmp

Filesize
28KB

Download
memory/2372-130-0x00007FFDDF9D0000-0x00007FFDDF9D1000-memory.dmp

Filesize
4KB

Download
memory/2372-129-0x0000000000F80000-0x0000000000F87000-memory.dmp

Filesize
28KB

Download
memory/2880-123-0x0000000000590000-0x0000000000597000-memory.dmp

Filesize
28KB

Download
memory/2896-125-0x0000000000B70000-0x0000000000B77000-memory.dmp

Filesize
28KB

Download
memory/2972-126-0x00000000009A0000-0x00000000009A7000-memory.dmp

Filesize
28KB

Download
memory/3092-124-0x0000000000A30000-0x0000000000A37000-memory.dmp

Filesize
28KB

Download
memory/3092-122-0x0000000000A20000-0x0000000000A27000-memory.dmp

Filesize
28KB

Download
memory/3092-131-0x00007FFDDF9E0000-0x00007FFDDF9E1000-memory.dmp

Filesize
4KB

Download
memory/3568-128-0x0000000000910000-0x0000000000917000-memory.dmp

Filesize
28KB

Download
memory/3588-121-0x0000000001190000-0x0000000001197000-memory.dmp

Filesize
28KB

Download
memory/3588-118-0x0000000000000000-mapping.dmp

Download
memory/3604-127-0x0000000000EC0000-0x0000000000EC7000-memory.dmp

Filesize
28KB

Download
memory/3916-116-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3916-120-0x00000000005A0000-0x00000000006EA000-memory.dmp

Filesize
1.3MB

Download
memory/3916-117-0x0000000000401000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads