Overview

overview

10

Static

static

990c8f86de...4f.exe

windows7_x64

10

990c8f86de...4f.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    11-05-2021 17:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    990c8f86de2171c0296ee222d7bf1a43efaec8a0653a6c042579b1317b55564f.exe

  • Size

    98KB

  • MD5

    ee51ef645f1a1b2915d486577670912a

  • SHA1

    52f35e0ce3c11a0cae937cf24b58f42b5bd819b0

  • SHA256

    990c8f86de2171c0296ee222d7bf1a43efaec8a0653a6c042579b1317b55564f

  • SHA512

    6f84dad1d70750d380221d9630d8f72756ee2f4cbb31838a9c726c3f89036e7f314572f2ada660fe7313e785991cf5ae19f41c83f7b3e58df157b28959b1b4f0

Score
10/10
tinbabankerpersistencetrojan

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

    trojanbankertinba
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • c:\windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2432
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
      1⤵
        PID:2480
      • c:\windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
          PID:2744
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          PID:388
          • C:\Users\Admin\AppData\Local\Temp\990c8f86de2171c0296ee222d7bf1a43efaec8a0653a6c042579b1317b55564f.exe
            "C:\Users\Admin\AppData\Local\Temp\990c8f86de2171c0296ee222d7bf1a43efaec8a0653a6c042579b1317b55564f.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:512
            • C:\Users\Admin\AppData\Local\Temp\990c8f86de2171c0296ee222d7bf1a43efaec8a0653a6c042579b1317b55564f.exe
              C:\Users\Admin\AppData\Local\Temp\990c8f86de2171c0296ee222d7bf1a43efaec8a0653a6c042579b1317b55564f.exe
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1584
              • C:\Windows\SysWOW64\winver.exe
                winver
                4⤵
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of WriteProcessMemory
                PID:2076
        • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
          "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
          1⤵
            PID:3264
          • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
            1⤵
              PID:3276
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
                PID:3476
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                1⤵
                  PID:3844
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 3844 -s 848
                    2⤵
                    • Program crash
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3508
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                  1⤵
                    PID:1464
                  • C:\Windows\System32\slui.exe
                    C:\Windows\System32\slui.exe -Embedding
                    1⤵
                      PID:2140

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/388-120-0x00007FF989CF0000-0x00007FF989CF1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/388-152-0x00007FF989D00000-0x00007FF989D01000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/388-123-0x0000000000190000-0x0000000000196000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/388-122-0x0000000000670000-0x0000000000676000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/512-117-0x0000000000A00000-0x0000000000A04000-memory.dmp
                      Filesize

                      16KB

                      Download
                    • memory/1464-135-0x0000021919D30000-0x0000021919D40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-146-0x00000219185B0000-0x00000219185C0000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-131-0x00007FF989CF0000-0x00007FF989CF1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1464-133-0x0000021919D30000-0x0000021919D40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-132-0x0000021919D30000-0x0000021919D40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-136-0x0000021919D30000-0x0000021919D40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-137-0x0000021919D30000-0x0000021919D40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-150-0x0000021919D30000-0x0000021919D40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-149-0x0000021919D30000-0x0000021919D40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-128-0x0000000000130000-0x0000000000136000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/1464-129-0x0000021918220000-0x0000021918230000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-148-0x0000021919D30000-0x0000021919D40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-134-0x0000021919D30000-0x0000021919D40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-147-0x0000021919D30000-0x0000021919D40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-144-0x0000021919D30000-0x0000021919D40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-143-0x0000021919D30000-0x0000021919D40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-145-0x0000021919D30000-0x0000021919D40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-138-0x00000219185B0000-0x00000219185C0000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-142-0x0000021919D30000-0x0000021919D40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-141-0x0000021919D30000-0x0000021919D40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-140-0x00000219185B0000-0x00000219185C0000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1464-139-0x0000021919D30000-0x0000021919D40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1584-119-0x0000000001790000-0x0000000002190000-memory.dmp
                      Filesize

                      10.0MB

                      Download
                    • memory/1584-115-0x0000000000401000-mapping.dmp
                      Download
                    • memory/1584-118-0x0000000000400000-0x0000000000404400-memory.dmp
                      Filesize

                      17KB

                      Download
                    • memory/1584-114-0x0000000000400000-0x000000000149A000-memory.dmp
                      Filesize

                      16.6MB

                      Download
                    • memory/2076-130-0x0000000004A80000-0x0000000004A86000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/2076-116-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2076-121-0x0000000000E40000-0x0000000000EEE000-memory.dmp
                      Filesize

                      696KB

                      Download
                    • memory/2140-153-0x0000000000370000-0x0000000000376000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/2432-124-0x0000000000810000-0x0000000000816000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/2480-125-0x0000000000700000-0x0000000000706000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/2744-126-0x0000000000800000-0x0000000000806000-memory.dmp
                      Filesize

                      24KB

                      Download
                    • memory/3476-127-0x0000000000EB0000-0x0000000000EB6000-memory.dmp
                      Filesize

                      24KB

                      Download