Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
11-05-2021 13:29
General
-
Target
e6a7c4c68f583b72e1ca2bbf763202a91f2f27ac94824ee12725c913a9bc290a.exe
-
Size
98KB
-
MD5
b051edf677d794088e2ebcea7ac8584b
-
SHA1
87a5b5aa6b06450ed2577a954c16cbc4841e4e03
-
SHA256
e6a7c4c68f583b72e1ca2bbf763202a91f2f27ac94824ee12725c913a9bc290a
-
SHA512
2bf5af01c3a1afa5eca839bdad0fa9ac0cd87466ce29cde52469843d262fcee4b9712d4478bfd9bec855d8f5b968720f6b3d4891683b5093a46560098d2f9771
Score
10/10
Malware Config
Signatures
-
Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3704 -s 8402⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\e6a7c4c68f583b72e1ca2bbf763202a91f2f27ac94824ee12725c913a9bc290a.exe"C:\Users\Admin\AppData\Local\Temp\e6a7c4c68f583b72e1ca2bbf763202a91f2f27ac94824ee12725c913a9bc290a.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e6a7c4c68f583b72e1ca2bbf763202a91f2f27ac94824ee12725c913a9bc290a.exeC:\Users\Admin\AppData\Local\Temp\e6a7c4c68f583b72e1ca2bbf763202a91f2f27ac94824ee12725c913a9bc290a.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winver.exewinver4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1580-119-0x0000000001710000-0x0000000002110000-memory.dmpFilesize
10.0MB
-
memory/1580-115-0x0000000000401000-mapping.dmp
-
memory/1580-114-0x0000000000400000-0x000000000149A000-memory.dmpFilesize
16.6MB
-
memory/1580-118-0x0000000000400000-0x0000000000404400-memory.dmpFilesize
17KB
-
memory/1656-152-0x0000020E7EE00000-0x0000020E7EE10000-memory.dmpFilesize
64KB
-
memory/1656-147-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-143-0x0000020E7ED30000-0x0000020E7ED40000-memory.dmpFilesize
64KB
-
memory/1656-164-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-163-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-123-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-124-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-142-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-162-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-155-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-154-0x0000020E7EE00000-0x0000020E7EE10000-memory.dmpFilesize
64KB
-
memory/1656-160-0x0000020E7EE00000-0x0000020E7EE10000-memory.dmpFilesize
64KB
-
memory/1656-141-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-159-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-132-0x0000000000A70000-0x0000000000A76000-memory.dmpFilesize
24KB
-
memory/1656-133-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-135-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-134-0x0000020E7F330000-0x0000020E7F340000-memory.dmpFilesize
64KB
-
memory/1656-139-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-140-0x0000020E7F330000-0x0000020E7F340000-memory.dmpFilesize
64KB
-
memory/1656-158-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-157-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-153-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-144-0x00007FFA483C0000-0x00007FFA483C1000-memory.dmpFilesize
4KB
-
memory/1656-145-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-156-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-146-0x0000020E7EE00000-0x0000020E7EE10000-memory.dmpFilesize
64KB
-
memory/1656-150-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1656-151-0x0000020E7F2E0000-0x0000020E7F30B000-memory.dmpFilesize
172KB
-
memory/1820-117-0x0000000000000000-mapping.dmp
-
memory/1820-120-0x00000000006D0000-0x00000000006D6000-memory.dmpFilesize
24KB
-
memory/2300-127-0x0000000000500000-0x0000000000506000-memory.dmpFilesize
24KB
-
memory/2308-128-0x0000000000430000-0x0000000000436000-memory.dmpFilesize
24KB
-
memory/2412-130-0x0000000000580000-0x0000000000586000-memory.dmpFilesize
24KB
-
memory/2756-125-0x00007FFA483D0000-0x00007FFA483D1000-memory.dmpFilesize
4KB
-
memory/2756-129-0x00007FFA483C0000-0x00007FFA483C1000-memory.dmpFilesize
4KB
-
memory/2756-126-0x0000000000770000-0x0000000000776000-memory.dmpFilesize
24KB
-
memory/2756-122-0x00007FFA483B0000-0x00007FFA483B1000-memory.dmpFilesize
4KB
-
memory/2756-121-0x00000000009C0000-0x00000000009C6000-memory.dmpFilesize
24KB
-
memory/3436-165-0x0000000000F10000-0x0000000000F16000-memory.dmpFilesize
24KB
-
memory/3480-131-0x0000000000DC0000-0x0000000000DC6000-memory.dmpFilesize
24KB
-
memory/3540-116-0x0000000000510000-0x000000000065A000-memory.dmpFilesize
1.3MB