Analysis
-
max time kernel
148s -
max time network
145s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
11-05-2021 15:01
General
-
Target
c881fa9559c8df01392a329140262fb4881668dc6384a1642df3c4db3dda50ad.exe
-
Size
136KB
-
MD5
bac4f0041be169bfafa94fb4df5bce5e
-
SHA1
b8c9bfe9f2f0233b357920ef1ac0cff5b9e96bf0
-
SHA256
c881fa9559c8df01392a329140262fb4881668dc6384a1642df3c4db3dda50ad
-
SHA512
cead2dd3ea9efc1b344b5ffef853dfbbbd24dffbe42f99aba6fc07e6330c341ea844241aca602c2447107cf8916470111bebe56de6e337fe7f948ea495f8bcff
Score
10/10
Malware Config
Signatures
-
Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\c881fa9559c8df01392a329140262fb4881668dc6384a1642df3c4db3dda50ad.exe"C:\Users\Admin\AppData\Local\Temp\c881fa9559c8df01392a329140262fb4881668dc6384a1642df3c4db3dda50ad.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c881fa9559c8df01392a329140262fb4881668dc6384a1642df3c4db3dda50ad.exeC:\Users\Admin\AppData\Local\Temp\c881fa9559c8df01392a329140262fb4881668dc6384a1642df3c4db3dda50ad.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winver.exewinver4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3800 -s 8562⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1904-163-0x00000186CC890000-0x00000186CC8A0000-memory.dmpFilesize
64KB
-
memory/1904-144-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-170-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-169-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-172-0x00000186CC980000-0x00000186CC990000-memory.dmpFilesize
64KB
-
memory/1904-167-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-166-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-146-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-180-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-173-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-174-0x00000186CC980000-0x00000186CC990000-memory.dmpFilesize
64KB
-
memory/1904-165-0x00000186CC980000-0x00000186CC990000-memory.dmpFilesize
64KB
-
memory/1904-125-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-148-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-128-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-178-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-131-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-147-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-132-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-179-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-134-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-135-0x00000186CE0B0000-0x00000186CE0C0000-memory.dmpFilesize
64KB
-
memory/1904-136-0x0000000000AD0000-0x0000000000AD6000-memory.dmpFilesize
24KB
-
memory/1904-138-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-137-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-139-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-140-0x00000186CC890000-0x00000186CC8A0000-memory.dmpFilesize
64KB
-
memory/1904-141-0x00007FFF4E190000-0x00007FFF4E191000-memory.dmpFilesize
4KB
-
memory/1904-142-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-171-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-143-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-145-0x00000186CCAB0000-0x00000186CCAC0000-memory.dmpFilesize
64KB
-
memory/1904-164-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-127-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-175-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-149-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-151-0x00000186CCAB0000-0x00000186CCAC0000-memory.dmpFilesize
64KB
-
memory/1904-150-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-153-0x00000186CCAB0000-0x00000186CCAC0000-memory.dmpFilesize
64KB
-
memory/1904-152-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-154-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-155-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-156-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-158-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-159-0x00000186CCAB0000-0x00000186CCAC0000-memory.dmpFilesize
64KB
-
memory/1904-160-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-157-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-161-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-176-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/1904-177-0x00000186CCBB0000-0x00000186CCBC0000-memory.dmpFilesize
64KB
-
memory/2032-114-0x0000000000400000-0x000000000149A000-memory.dmpFilesize
16.6MB
-
memory/2032-119-0x00000000017A0000-0x00000000021A0000-memory.dmpFilesize
10.0MB
-
memory/2032-118-0x0000000000400000-0x0000000000404400-memory.dmpFilesize
17KB
-
memory/2032-116-0x0000000000401000-mapping.dmp
-
memory/2368-126-0x00000000047F0000-0x00000000047F6000-memory.dmpFilesize
24KB
-
memory/2368-120-0x00000000010D0000-0x00000000010D6000-memory.dmpFilesize
24KB
-
memory/2368-117-0x0000000000000000-mapping.dmp
-
memory/2504-121-0x00000000008E0000-0x00000000008E6000-memory.dmpFilesize
24KB
-
memory/2504-162-0x00007FFF4E1A0000-0x00007FFF4E1A1000-memory.dmpFilesize
4KB
-
memory/2504-130-0x0000000002310000-0x0000000002316000-memory.dmpFilesize
24KB
-
memory/2504-133-0x00007FFF4E190000-0x00007FFF4E191000-memory.dmpFilesize
4KB
-
memory/2576-122-0x00000000008F0000-0x00000000008F6000-memory.dmpFilesize
24KB
-
memory/2640-123-0x0000000000E60000-0x0000000000E66000-memory.dmpFilesize
24KB
-
memory/2840-129-0x0000000000F80000-0x0000000000F86000-memory.dmpFilesize
24KB
-
memory/2980-168-0x0000000000D70000-0x0000000000D76000-memory.dmpFilesize
24KB
-
memory/3540-124-0x0000000000390000-0x0000000000396000-memory.dmpFilesize
24KB
-
memory/3980-115-0x0000000002310000-0x0000000002314000-memory.dmpFilesize
16KB