Overview

overview

10

Static

static

de81c2c568...c8.exe

windows7_x64

10

de81c2c568...c8.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    13-05-2021 02:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de81c2c568fd7912bcf194be4958fa0b2960a9f09f4efac247a5bacc0c5468c8.exe

  • Size

    152KB

  • MD5

    bdf959504b5f4c4200e834929244b77b

  • SHA1

    5e802ffa9f31ed6eb20d0ead8795394b3003ff8c

  • SHA256

    de81c2c568fd7912bcf194be4958fa0b2960a9f09f4efac247a5bacc0c5468c8

  • SHA512

    028ea7463870901f73cb012dfc8210e567395dc3845f1952dbe41fc975157e3d24e8cbbc621b04c00361245181f10fe409a12b8c9979808b34a3026cbccff552

Score
10/10
tinbabankerpersistencetrojan

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

    trojanbankertinba
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:1700
    • C:\Users\Admin\AppData\Local\Temp\de81c2c568fd7912bcf194be4958fa0b2960a9f09f4efac247a5bacc0c5468c8.exe
      "C:\Users\Admin\AppData\Local\Temp\de81c2c568fd7912bcf194be4958fa0b2960a9f09f4efac247a5bacc0c5468c8.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Users\Admin\AppData\Local\Temp\de81c2c568fd7912bcf194be4958fa0b2960a9f09f4efac247a5bacc0c5468c8.exe
        "C:\Users\Admin\AppData\Local\Temp\de81c2c568fd7912bcf194be4958fa0b2960a9f09f4efac247a5bacc0c5468c8.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3700
        • C:\Windows\SysWOW64\winver.exe
          winver
          4⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1512
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    1⤵
      PID:3372
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      1⤵
        PID:3872
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 3872 -s 848
          2⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2144
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
          PID:3584
        • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
          1⤵
            PID:3384
          • c:\windows\system32\taskhostw.exe
            taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
            1⤵
              PID:2756
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
              1⤵
                PID:2484
              • c:\windows\system32\sihost.exe
                sihost.exe
                1⤵
                  PID:2464
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                  1⤵
                    PID:2500
                  • C:\Windows\System32\slui.exe
                    C:\Windows\System32\slui.exe -Embedding
                    1⤵
                      PID:3964

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/1512-118-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1512-121-0x0000000002DE0000-0x0000000002DE7000-memory.dmp
                      Filesize

                      28KB

                      Download
                    • memory/1700-129-0x00007FFFB71C0000-0x00007FFFB71C1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1700-122-0x0000000000F00000-0x0000000000F07000-memory.dmp
                      Filesize

                      28KB

                      Download
                    • memory/1700-123-0x0000000000F10000-0x0000000000F17000-memory.dmp
                      Filesize

                      28KB

                      Download
                    • memory/2144-130-0x0000000000CE0000-0x0000000000CE7000-memory.dmp
                      Filesize

                      28KB

                      Download
                    • memory/2464-124-0x0000000000550000-0x0000000000557000-memory.dmp
                      Filesize

                      28KB

                      Download
                    • memory/2484-125-0x00000000000E0000-0x00000000000E7000-memory.dmp
                      Filesize

                      28KB

                      Download
                    • memory/2500-128-0x0000000000BE0000-0x0000000000BE7000-memory.dmp
                      Filesize

                      28KB

                      Download
                    • memory/2756-126-0x00000000002F0000-0x00000000002F7000-memory.dmp
                      Filesize

                      28KB

                      Download
                    • memory/3584-127-0x00000000009C0000-0x00000000009C7000-memory.dmp
                      Filesize

                      28KB

                      Download
                    • memory/3700-116-0x0000000000400000-0x0000000000405000-memory.dmp
                      Filesize

                      20KB

                      Download
                    • memory/3700-120-0x0000000000650000-0x000000000079A000-memory.dmp
                      Filesize

                      1.3MB

                      Download
                    • memory/3700-117-0x0000000000401000-mapping.dmp
                      Download
                    • memory/3964-131-0x0000000000790000-0x0000000000797000-memory.dmp
                      Filesize

                      28KB

                      Download