Overview

overview

10

Static

static

4550f60f52...50.exe

windows7_x64

10

4550f60f52...50.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    11-05-2021 16:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4550f60f52e03add64e0f035325604114864a9f33593ab9da47b5179b375b650.exe

  • Size

    52KB

  • MD5

    3b245280e5b53c01f840d8c839b47e8b

  • SHA1

    0b17f102f6c2fb6d0429572d9826f6e549365a6f

  • SHA256

    4550f60f52e03add64e0f035325604114864a9f33593ab9da47b5179b375b650

  • SHA512

    3258952cf56e50b6d6a01f68a9ea1bf13ea801035a0aea1cf19313537fb0d385cfee398c50098c79275a506cdeda2a03e08046c8e9b88dfe7b2be183d91a6806

Score
10/10
tinbabankerpersistencetrojan

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

    trojanbankertinba
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • c:\windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:2748
    • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
      "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
      1⤵
        PID:3264
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        1⤵
          PID:3760
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 3760 -s 852
            2⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:772
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:3464
          • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
            1⤵
              PID:3276
            • C:\Windows\Explorer.EXE
              C:\Windows\Explorer.EXE
              1⤵
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of UnmapMainImage
              PID:3060
              • C:\Users\Admin\AppData\Local\Temp\4550f60f52e03add64e0f035325604114864a9f33593ab9da47b5179b375b650.exe
                "C:\Users\Admin\AppData\Local\Temp\4550f60f52e03add64e0f035325604114864a9f33593ab9da47b5179b375b650.exe"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:808
                • C:\Windows\SysWOW64\winver.exe
                  winver
                  3⤵
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of WriteProcessMemory
                  PID:3172
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
              1⤵
                PID:2348
              • c:\windows\system32\sihost.exe
                sihost.exe
                1⤵
                  PID:2332
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                  1⤵
                    PID:3624
                  • C:\Windows\System32\slui.exe
                    C:\Windows\System32\slui.exe -Embedding
                    1⤵
                      PID:3864

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Persistence

                    Registry Run Keys / Startup Folder

                    1
                    T1060

                    Privilege Escalation

                    Defense Evasion

                    Modify Registry

                    1
                    T1112

                    Credential Access

                    Discovery

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/772-128-0x00007FFA99460000-0x00007FFA99461000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/772-129-0x00007FFA99480000-0x00007FFA99481000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/772-130-0x00007FFA99470000-0x00007FFA99471000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/772-127-0x00000000006A0000-0x00000000006A6000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/808-116-0x0000000000470000-0x00000000005BA000-memory.dmp
                      Filesize

                      1.3MB

                      Download
                    • memory/808-117-0x00000000022A0000-0x0000000002CA0000-memory.dmp
                      Filesize

                      10.0MB

                      Download
                    • memory/808-114-0x0000000000400000-0x0000000000412000-memory.dmp
                      Filesize

                      72KB

                      Download
                    • memory/2332-121-0x0000000000F50000-0x0000000000F56000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/2348-123-0x0000000000650000-0x0000000000656000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/2748-124-0x0000000000320000-0x0000000000326000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/3060-122-0x0000000001400000-0x0000000001406000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/3060-120-0x00007FFA99470000-0x00007FFA99471000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/3060-119-0x0000000001600000-0x0000000001606000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/3060-131-0x00007FFA99480000-0x00007FFA99481000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/3172-118-0x0000000002DE0000-0x0000000002F2A000-memory.dmp
                      Filesize

                      1.3MB

                      Download
                    • memory/3172-115-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3464-125-0x0000000000CE0000-0x0000000000CE6000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/3624-126-0x0000000000650000-0x0000000000656000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/3864-132-0x00000000008B0000-0x00000000008B6000-memory.dmp
                      Filesize

                      24KB

                      Download