Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    13-05-2021 02:35

General

  • Target

    f0651ddfc0e0f71cd0c77e82bc63f86a5253385c06ecd390c400bd1770e21787.exe

  • Size

    204KB

  • MD5

    b8eb55d872e3a6dd64af68af074a0bad

  • SHA1

    92fb042b52a0781110cd32eb959e2f5da1e36102

  • SHA256

    f0651ddfc0e0f71cd0c77e82bc63f86a5253385c06ecd390c400bd1770e21787

  • SHA512

    057b7a4f3bec6d33530004c78d7e26fc79ee6cc7e7cfb08a15ee7b2f903d87f82d19f8638850932c1b09e7045b60495cc63b69a1c8a2f7139f93bbae4c7d28b7

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • c:\windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2344
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
    1⤵
    PID:2376
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    1⤵
    PID:3248
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3720
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3720 -s 848
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:204
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3456
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    PID:3256
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    PID:8
    • C:\Users\Admin\AppData\Local\Temp\f0651ddfc0e0f71cd0c77e82bc63f86a5253385c06ecd390c400bd1770e21787.exe
      "C:\Users\Admin\AppData\Local\Temp\f0651ddfc0e0f71cd0c77e82bc63f86a5253385c06ecd390c400bd1770e21787.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:896
      • C:\Windows\SysWOW64\winver.exe
        winver
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:60
  • c:\windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:2716
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    PID:2588
  • C:\Windows\System32\slui.exe
    C:\Windows\System32\slui.exe -Embedding
    1⤵
    PID:1500

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/8-118-0x00000000006E0000-0x00000000006E6000-memory.dmp
    Filesize 24KB
  • memory/8-127-0x00007FFD6AF40000-0x00007FFD6AF41000-memory.dmp
    Filesize 4KB
  • memory/8-120-0x0000000000500000-0x0000000000506000-memory.dmp
    Filesize 24KB
  • memory/8-119-0x00007FFD6AF30000-0x00007FFD6AF31000-memory.dmp
    Filesize 4KB
  • memory/60-117-0x0000000002500000-0x000000000264A000-memory.dmp
    Filesize 1.3MB
  • memory/60-116-0x0000000000000000-mapping.dmp
  • memory/60-126-0x0000000004010000-0x0000000004016000-memory.dmp
    Filesize 24KB
  • memory/896-114-0x0000000002560000-0x0000000002562000-memory.dmp
    Filesize 8KB
  • memory/896-115-0x0000000002570000-0x0000000002F70000-memory.dmp
    Filesize 10.0MB
  • memory/2344-122-0x0000000000120000-0x0000000000126000-memory.dmp
    Filesize 24KB
  • memory/2376-121-0x0000000000950000-0x0000000000956000-memory.dmp
    Filesize 24KB
  • memory/2588-125-0x0000000000770000-0x0000000000776000-memory.dmp
    Filesize 24KB
  • memory/2716-123-0x0000000000A10000-0x0000000000A16000-memory.dmp
    Filesize 24KB
  • memory/3456-124-0x0000000000E50000-0x0000000000E56000-memory.dmp
    Filesize 24KB