Overview

overview

10

Static

static

38d16e18bf...1a.exe

windows7_x64

10

38d16e18bf...1a.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    11-05-2021 13:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe

  • Size

    69KB

  • MD5

    4e9fcd33f8ae7d02858946f86ce0a520

  • SHA1

    9269c7fc51b6c424f7f81c9f9a9c5b0a96aab183

  • SHA256

    38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a

  • SHA512

    4723a380921184bdbd51ac677fab270c742a65baf60cba7b5e1e845254915cf32d40e37ea796a76193a12607e0f1957e5c29c2c3371f0f834cb1504a4cfaa7ba

Score
10/10
tinbabankerpersistencetrojan

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

    trojanbankertinba
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • c:\windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2336
    • c:\windows\system32\taskhostw.exe
      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
      1⤵
        PID:2460
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
        1⤵
          PID:2356
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          PID:2568
          • C:\Users\Admin\AppData\Local\Temp\38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe
            "C:\Users\Admin\AppData\Local\Temp\38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:900
            • C:\Windows\SysWOW64\winver.exe
              winver
              3⤵
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:3024
        • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
          "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
          1⤵
            PID:3248
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:3744
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 3744 -s 836
                2⤵
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:684
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
                PID:3484
              • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
                1⤵
                  PID:3256
                • C:\Windows\System32\slui.exe
                  C:\Windows\System32\slui.exe -Embedding
                  1⤵
                    PID:2328

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Initial Access

                  Execution

                  Persistence

                  Registry Run Keys / Startup Folder

                  1
                  T1060

                  Privilege Escalation

                  Defense Evasion

                  Modify Registry

                  1
                  T1112

                  Credential Access

                  Discovery

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/684-127-0x00007FFBBC470000-0x00007FFBBC471000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/684-125-0x0000000000CE0000-0x0000000000CE6000-memory.dmp
                    Filesize

                    24KB

                    Download
                  • memory/684-126-0x00007FFBBC480000-0x00007FFBBC481000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/900-114-0x0000000000400000-0x0000000000413000-memory.dmp
                    Filesize

                    76KB

                    Download
                  • memory/900-116-0x0000000000420000-0x00000000004CE000-memory.dmp
                    Filesize

                    696KB

                    Download
                  • memory/900-117-0x0000000002660000-0x0000000003060000-memory.dmp
                    Filesize

                    10.0MB

                    Download
                  • memory/2328-129-0x00000000003A0000-0x00000000003A6000-memory.dmp
                    Filesize

                    24KB

                    Download
                  • memory/2336-121-0x0000000000F00000-0x0000000000F06000-memory.dmp
                    Filesize

                    24KB

                    Download
                  • memory/2356-122-0x0000000000AF0000-0x0000000000AF6000-memory.dmp
                    Filesize

                    24KB

                    Download
                  • memory/2460-123-0x00000000004A0000-0x00000000004A6000-memory.dmp
                    Filesize

                    24KB

                    Download
                  • memory/2568-120-0x0000000000CE0000-0x0000000000CE6000-memory.dmp
                    Filesize

                    24KB

                    Download
                  • memory/2568-119-0x0000000000CD0000-0x0000000000CD6000-memory.dmp
                    Filesize

                    24KB

                    Download
                  • memory/2568-128-0x00007FFBBC490000-0x00007FFBBC491000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/3024-118-0x00000000025C0000-0x000000000270A000-memory.dmp
                    Filesize

                    1.3MB

                    Download
                  • memory/3024-115-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3484-124-0x00000000000D0000-0x00000000000D6000-memory.dmp
                    Filesize

                    24KB

                    Download