tinba | 72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428

Analysis

max time kernel
150s
max time network
149s
platform
windows10_x64
resource
win10v20210410
submitted
09-05-2021 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe
Size

98KB
MD5

43d66dfcb07797f1b77ac430a7154d29
SHA1

f86291f73c5777385161cd99c00f953518a7beaa
SHA256

72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428
SHA512

d5fb27f44f2d6d5859f25dad8066f1726dc8115c855e9a444985784a4145d318ab5109a737e41ee94828aee5e921c520c5c04b39694678db2f83a541832517fb

Score

10^/10

tinba banker persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winver.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	winver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\DED2744A = "C:\\Users\\Admin\\AppData\\Roaming\\DED2744A\\bin.exe"	winver.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe

description	pid	process	target process
PID 3968 set thread context of 2328	3968	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2512 3800 WerFault.exe DllHost.exe

pid	pid_target	process	target process
2512	3800	WerFault.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exewinver.exeWerFault.exe

pid	process
3968	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe
3968	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe
2584	winver.exe
2584	winver.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe
2584	winver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2504 Explorer.EXE

pid	process
2504	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

Explorer.EXEWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	2504	Explorer.EXE
Token: SeCreatePagefilePrivilege	2504	Explorer.EXE
Token: SeShutdownPrivilege	2504	Explorer.EXE
Token: SeCreatePagefilePrivilege	2504	Explorer.EXE
Token: SeDebugPrivilege	2512	WerFault.exe
Token: SeShutdownPrivilege	2504	Explorer.EXE
Token: SeCreatePagefilePrivilege	2504	Explorer.EXE
Token: SeShutdownPrivilege	2504	Explorer.EXE
Token: SeCreatePagefilePrivilege	2504	Explorer.EXE
Token: SeShutdownPrivilege	2504	Explorer.EXE
Token: SeCreatePagefilePrivilege	2504	Explorer.EXE
Token: SeShutdownPrivilege	2504	Explorer.EXE
Token: SeCreatePagefilePrivilege	2504	Explorer.EXE
Token: SeShutdownPrivilege	2504	Explorer.EXE
Token: SeCreatePagefilePrivilege	2504	Explorer.EXE
Token: SeShutdownPrivilege	2504	Explorer.EXE
Token: SeCreatePagefilePrivilege	2504	Explorer.EXE
Token: SeShutdownPrivilege	2504	Explorer.EXE
Token: SeCreatePagefilePrivilege	2504	Explorer.EXE
Token: SeShutdownPrivilege	2504	Explorer.EXE
Token: SeCreatePagefilePrivilege	2504	Explorer.EXE
Token: SeShutdownPrivilege	2504	Explorer.EXE
Token: SeCreatePagefilePrivilege	2504	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winver.exe

pid process

2584 winver.exe

pid	process
2584	winver.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe

pid	process
3968	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe
3968	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exewinver.exe

description	pid	process	target process
PID 3968 wrote to memory of 2328	3968	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe
PID 3968 wrote to memory of 2328	3968	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe
PID 3968 wrote to memory of 2328	3968	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe
PID 3968 wrote to memory of 2328	3968	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe
PID 3968 wrote to memory of 2328	3968	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe
PID 3968 wrote to memory of 2328	3968	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe
PID 3968 wrote to memory of 2328	3968	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe
PID 2328 wrote to memory of 2584	2328	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe	winver.exe
PID 2328 wrote to memory of 2584	2328	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe	winver.exe
PID 2328 wrote to memory of 2584	2328	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe	winver.exe
PID 2328 wrote to memory of 2584	2328	72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe	winver.exe
PID 2584 wrote to memory of 2504	2584	winver.exe	Explorer.EXE
PID 2584 wrote to memory of 2576	2584	winver.exe	sihost.exe
PID 2584 wrote to memory of 2640	2584	winver.exe	svchost.exe
PID 2584 wrote to memory of 2840	2584	winver.exe	taskhostw.exe
PID 2584 wrote to memory of 2504	2584	winver.exe	Explorer.EXE
PID 2584 wrote to memory of 3324	2584	winver.exe	ShellExperienceHost.exe
PID 2584 wrote to memory of 3344	2584	winver.exe	SearchUI.exe
PID 2584 wrote to memory of 3540	2584	winver.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 3800	2584	winver.exe	DllHost.exe
PID 2584 wrote to memory of 2168	2584	winver.exe	DllHost.exe
PID 2584 wrote to memory of 2272	2584	winver.exe
PID 2584 wrote to memory of 2512	2584	winver.exe	WerFault.exe

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3324

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Users\Admin\AppData\Local\Temp\72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe
"C:\Users\Admin\AppData\Local\Temp\72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3968

C:\Users\Admin\AppData\Local\Temp\72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe
C:\Users\Admin\AppData\Local\Temp\72d79cddb1cc5108c6b187cb4f1d38c336db2c3a7efb2d9801a381d7e3898428.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\winver.exe
winver
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2584

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2840

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2640

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2576

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3344

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3800

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3800 -s 848
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2168-148-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-128-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-180-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-179-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-178-0x000001D97F460000-0x000001D97F470000-memory.dmp

Filesize
64KB

Download
memory/2168-177-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-163-0x000001D97EF80000-0x000001D97EF90000-memory.dmp

Filesize
64KB

Download
memory/2168-173-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-125-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-176-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-170-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-171-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-175-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-174-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-129-0x000001D97F4C0000-0x000001D97F4D0000-memory.dmp

Filesize
64KB

Download
memory/2168-132-0x0000000000CC0000-0x0000000000CC6000-memory.dmp

Filesize
24KB

Download
memory/2168-172-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-149-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-133-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-134-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-135-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-136-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-137-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-138-0x000001D97F4C0000-0x000001D97F4D0000-memory.dmp

Filesize
64KB

Download
memory/2168-139-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-140-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-141-0x000001D97EF80000-0x000001D97EF90000-memory.dmp

Filesize
64KB

Download
memory/2168-142-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-143-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-144-0x00007FFF4E190000-0x00007FFF4E191000-memory.dmp

Filesize
4KB

Download
memory/2168-145-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-146-0x000001D97F490000-0x000001D97F4A0000-memory.dmp

Filesize
64KB

Download
memory/2168-124-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-169-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-168-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-150-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-151-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-152-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-153-0x000001D97F490000-0x000001D97F4A0000-memory.dmp

Filesize
64KB

Download
memory/2168-154-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-155-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-156-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-158-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-159-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-162-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-161-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-160-0x000001D97F490000-0x000001D97F4A0000-memory.dmp

Filesize
64KB

Download
memory/2168-157-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-165-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-166-0x000001D97F460000-0x000001D97F470000-memory.dmp

Filesize
64KB

Download
memory/2168-167-0x000001D97EFE0000-0x000001D97EFF0000-memory.dmp

Filesize
64KB

Download
memory/2328-114-0x0000000000400000-0x000000000149A000-memory.dmp

Filesize
16.6MB

Download
memory/2328-118-0x0000000000400000-0x0000000000404400-memory.dmp

Filesize
17KB

Download
memory/2328-115-0x0000000000401000-mapping.dmp

Download
memory/2328-119-0x0000000001770000-0x0000000002170000-memory.dmp

Filesize
10.0MB

Download
memory/2504-121-0x0000000002310000-0x0000000002316000-memory.dmp

Filesize
24KB

Download
memory/2504-147-0x00007FFF4E1A0000-0x00007FFF4E1A1000-memory.dmp

Filesize
4KB

Download
memory/2504-130-0x00007FFF4E190000-0x00007FFF4E191000-memory.dmp

Filesize
4KB

Download
memory/2504-122-0x00000000008E0000-0x00000000008E6000-memory.dmp

Filesize
24KB

Download
memory/2512-164-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/2576-123-0x00000000008F0000-0x00000000008F6000-memory.dmp

Filesize
24KB

Download
memory/2584-116-0x0000000000000000-mapping.dmp

Download
memory/2584-120-0x0000000001060000-0x0000000001066000-memory.dmp

Filesize
24KB

Download
memory/2640-126-0x0000000000E60000-0x0000000000E66000-memory.dmp

Filesize
24KB

Download
memory/2840-127-0x0000000000F80000-0x0000000000F86000-memory.dmp

Filesize
24KB

Download
memory/3540-131-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/3968-117-0x0000000000410000-0x00000000004BE000-memory.dmp

Filesize
696KB

Download