Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
11-05-2021 14:10
General
-
Target
af57c74d8a1eb56ce2647076959da9b933a7aeaf27bce93d088c3f8cf715a2a6.exe
-
Size
98KB
-
MD5
fd05bfc52fed79af0b2d06e3841c578d
-
SHA1
4bee39b7d36f71f49fbc6eb702ef76102544ea36
-
SHA256
af57c74d8a1eb56ce2647076959da9b933a7aeaf27bce93d088c3f8cf715a2a6
-
SHA512
f2c81027c269f7bd3979532cd9f7168fbd0e5637919c8267184118cc93657ea248619fe9078496904466bc8c74372fe3eb19c4fda95dba7ad67ce28f1056c176
Score
10/10
Malware Config
Signatures
-
Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3872 -s 8362⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\af57c74d8a1eb56ce2647076959da9b933a7aeaf27bce93d088c3f8cf715a2a6.exe"C:\Users\Admin\AppData\Local\Temp\af57c74d8a1eb56ce2647076959da9b933a7aeaf27bce93d088c3f8cf715a2a6.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\af57c74d8a1eb56ce2647076959da9b933a7aeaf27bce93d088c3f8cf715a2a6.exeC:\Users\Admin\AppData\Local\Temp\af57c74d8a1eb56ce2647076959da9b933a7aeaf27bce93d088c3f8cf715a2a6.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winver.exewinver4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/424-132-0x00007FFDAE930000-0x00007FFDAE931000-memory.dmpFilesize
4KB
-
memory/424-131-0x00007FFDAE940000-0x00007FFDAE941000-memory.dmpFilesize
4KB
-
memory/424-130-0x00007FFDAE920000-0x00007FFDAE921000-memory.dmpFilesize
4KB
-
memory/736-117-0x0000000000000000-mapping.dmp
-
memory/736-120-0x0000000000AF0000-0x0000000000C3A000-memory.dmpFilesize
1.3MB
-
memory/736-126-0x00000000045E0000-0x00000000045E6000-memory.dmpFilesize
24KB
-
memory/2344-122-0x00000000003E0000-0x00000000003E6000-memory.dmpFilesize
24KB
-
memory/2360-124-0x00000000006C0000-0x00000000006C6000-memory.dmpFilesize
24KB
-
memory/2488-125-0x0000000000D00000-0x0000000000D06000-memory.dmpFilesize
24KB
-
memory/2900-123-0x0000000001010000-0x0000000001016000-memory.dmpFilesize
24KB
-
memory/2900-121-0x0000000001000000-0x0000000001006000-memory.dmpFilesize
24KB
-
memory/2900-133-0x00007FFDAE940000-0x00007FFDAE941000-memory.dmpFilesize
4KB
-
memory/3596-128-0x0000000000450000-0x0000000000456000-memory.dmpFilesize
24KB
-
memory/3616-127-0x0000000000CB0000-0x0000000000CB6000-memory.dmpFilesize
24KB
-
memory/4280-119-0x0000000001710000-0x0000000002110000-memory.dmpFilesize
10.0MB
-
memory/4280-118-0x0000000000400000-0x0000000000404400-memory.dmpFilesize
17KB
-
memory/4280-116-0x0000000000401000-mapping.dmp
-
memory/4280-115-0x0000000000400000-0x000000000149A000-memory.dmpFilesize
16.6MB
-
memory/4800-114-0x00000000009D0000-0x00000000009D4000-memory.dmpFilesize
16KB