Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
13-05-2021 02:06
General
-
Target
b70098f14c366d6088c8075f2967e682ad10ded177be38cc1f3ab91881886f1d.exe
-
Size
98KB
-
MD5
ba9a863ee56789ab796c5a83008596ee
-
SHA1
6e320537ec2dd84f763b76751c06f55ef5cd9233
-
SHA256
b70098f14c366d6088c8075f2967e682ad10ded177be38cc1f3ab91881886f1d
-
SHA512
f1e4ccef60b4b8bfbb62814dd28eadc1684444ebf6c1ac6482ff0cad9431333b182994e344af4f5c2a7c4b1b845ed6fa73c4ec2806ffbf8f8bc287c122c6a528
Score
10/10
Malware Config
Signatures
-
Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\b70098f14c366d6088c8075f2967e682ad10ded177be38cc1f3ab91881886f1d.exe"C:\Users\Admin\AppData\Local\Temp\b70098f14c366d6088c8075f2967e682ad10ded177be38cc1f3ab91881886f1d.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b70098f14c366d6088c8075f2967e682ad10ded177be38cc1f3ab91881886f1d.exeC:\Users\Admin\AppData\Local\Temp\b70098f14c366d6088c8075f2967e682ad10ded177be38cc1f3ab91881886f1d.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winver.exewinver4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3856 -s 8482⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\System32\slui.exeC:\Windows\System32\slui.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/64-116-0x0000000000000000-mapping.dmp
-
memory/64-121-0x0000000000D60000-0x0000000000D66000-memory.dmpFilesize
24KB
-
memory/636-140-0x0000011154420000-0x0000011154430000-memory.dmpFilesize
64KB
-
memory/636-133-0x0000011154420000-0x0000011154430000-memory.dmpFilesize
64KB
-
memory/636-142-0x0000011154420000-0x0000011154430000-memory.dmpFilesize
64KB
-
memory/636-134-0x0000011154420000-0x0000011154430000-memory.dmpFilesize
64KB
-
memory/636-132-0x0000011154420000-0x0000011154430000-memory.dmpFilesize
64KB
-
memory/636-135-0x0000011154430000-0x0000011154440000-memory.dmpFilesize
64KB
-
memory/636-143-0x0000011154450000-0x0000011154460000-memory.dmpFilesize
64KB
-
memory/636-144-0x0000011154420000-0x0000011154430000-memory.dmpFilesize
64KB
-
memory/636-124-0x0000011154420000-0x0000011154430000-memory.dmpFilesize
64KB
-
memory/636-141-0x0000011154420000-0x0000011154430000-memory.dmpFilesize
64KB
-
memory/636-139-0x00007FF96D110000-0x00007FF96D111000-memory.dmpFilesize
4KB
-
memory/636-138-0x0000011154420000-0x0000011154430000-memory.dmpFilesize
64KB
-
memory/636-137-0x0000011154420000-0x0000011154430000-memory.dmpFilesize
64KB
-
memory/636-130-0x0000011154420000-0x0000011154430000-memory.dmpFilesize
64KB
-
memory/636-148-0x0000011154420000-0x0000011154430000-memory.dmpFilesize
64KB
-
memory/636-131-0x0000011154420000-0x0000011154430000-memory.dmpFilesize
64KB
-
memory/636-136-0x00000000008D0000-0x00000000008D6000-memory.dmpFilesize
24KB
-
memory/636-147-0x0000011154420000-0x0000011154430000-memory.dmpFilesize
64KB
-
memory/636-146-0x0000011154420000-0x0000011154430000-memory.dmpFilesize
64KB
-
memory/636-145-0x0000011154420000-0x0000011154430000-memory.dmpFilesize
64KB
-
memory/2164-149-0x0000000000500000-0x0000000000506000-memory.dmpFilesize
24KB
-
memory/2856-126-0x0000000000870000-0x0000000000876000-memory.dmpFilesize
24KB
-
memory/2872-127-0x00000000001D0000-0x00000000001D6000-memory.dmpFilesize
24KB
-
memory/2976-128-0x0000000000410000-0x0000000000416000-memory.dmpFilesize
24KB
-
memory/3120-125-0x0000000001090000-0x0000000001096000-memory.dmpFilesize
24KB
-
memory/3120-123-0x00007FF96D120000-0x00007FF96D121000-memory.dmpFilesize
4KB
-
memory/3120-122-0x0000000001080000-0x0000000001086000-memory.dmpFilesize
24KB
-
memory/3120-118-0x00007FF96D110000-0x00007FF96D111000-memory.dmpFilesize
4KB
-
memory/3244-119-0x0000000000400000-0x0000000000404400-memory.dmpFilesize
17KB
-
memory/3244-114-0x0000000000400000-0x000000000149A000-memory.dmpFilesize
16.6MB
-
memory/3244-115-0x0000000000401000-mapping.dmp
-
memory/3244-120-0x0000000001620000-0x000000000176A000-memory.dmpFilesize
1.3MB
-
memory/3272-150-0x0000000000010000-0x0000000000016000-memory.dmpFilesize
24KB
-
memory/3588-129-0x0000000000E00000-0x0000000000E06000-memory.dmpFilesize
24KB
-
memory/4036-117-0x0000000000410000-0x00000000004BE000-memory.dmpFilesize
696KB