Analysis Overview
SHA256
ce89251c64e775fc7c2a61e6a601e832244e3f1f0668d19eac421dff8d1956d5
Threat Level: Known bad
The file ce89251c64e775fc7c2a61e6a601e832244e3f1f0668d19eac421dff8d1956d5 was found to be: Known bad.
Malicious Activity Summary
Tinba / TinyBanker
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-29 00:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-29 00:05
Reported
2022-10-29 03:15
Platform
win7-20220901-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Tinba / TinyBanker
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\EXPLORER.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\DE1E8787 = "C:\\Users\\Admin\\AppData\\Roaming\\DE1E8787\\bin.exe" | C:\Windows\SysWOW64\EXPLORER.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1720 set thread context of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\ce89251c64e775fc7c2a61e6a601e832244e3f1f0668d19eac421dff8d1956d5.exe | C:\Users\Admin\AppData\Local\Temp\ce89251c64e775fc7c2a61e6a601e832244e3f1f0668d19eac421dff8d1956d5.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce89251c64e775fc7c2a61e6a601e832244e3f1f0668d19eac421dff8d1956d5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce89251c64e775fc7c2a61e6a601e832244e3f1f0668d19eac421dff8d1956d5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command Line |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Users\Admin\AppData\Local\Temp\ce89251c64e775fc7c2a61e6a601e832244e3f1f0668d19eac421dff8d1956d5.exe | "C:\Users\Admin\AppData\Local\Temp\ce89251c64e775fc7c2a61e6a601e832244e3f1f0668d19eac421dff8d1956d5.exe" |
| C:\Users\Admin\AppData\Local\Temp\ce89251c64e775fc7c2a61e6a601e832244e3f1f0668d19eac421dff8d1956d5.exe | "C:\Users\Admin\AppData\Local\Temp\ce89251c64e775fc7c2a61e6a601e832244e3f1f0668d19eac421dff8d1956d5.exe" |
| C:\Windows\SysWOW64\EXPLORER.exe | EXPLORER |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | newfandultimati.cc | udp |
| US | 216.218.185.162:80 | newfandultimati.cc | tcp |
Files
memory/1720-54-0x00000000765B1000-0x00000000765B3000-memory.dmp
memory/1160-55-0x00000000001B0000-0x00000000002AA000-memory.dmp
memory/1160-57-0x0000000000400000-0x0000000001517000-memory.dmp
memory/1160-58-0x0000000000400000-0x0000000001517000-memory.dmp
memory/1160-60-0x0000000000400000-0x0000000001517000-memory.dmp
memory/1160-62-0x0000000000401000-mapping.dmp
memory/1720-61-0x00000000003A0000-0x00000000003A4000-memory.dmp
memory/1764-63-0x0000000000000000-mapping.dmp
memory/1160-64-0x0000000000400000-0x0000000000404600-memory.dmp
memory/1160-66-0x0000000001520000-0x0000000001F20000-memory.dmp
memory/1764-67-0x0000000074E61000-0x0000000074E63000-memory.dmp
memory/1764-68-0x0000000000150000-0x0000000000157000-memory.dmp
memory/1764-69-0x00000000777C0000-0x0000000077940000-memory.dmp
memory/1128-70-0x0000000000250000-0x0000000000257000-memory.dmp
memory/1128-76-0x0000000000250000-0x0000000000257000-memory.dmp
memory/1188-77-0x0000000000120000-0x0000000000127000-memory.dmp
memory/1224-78-0x0000000002A50000-0x0000000002A57000-memory.dmp
memory/1764-79-0x0000000000150000-0x0000000000157000-memory.dmp
memory/1764-80-0x00000000777C0000-0x0000000077940000-memory.dmp
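The behavioral1 signatures above carry the three facts an analyst wants out of this run: the Run-key value that points at a dropped copy under %APPDATA%, the SetThreadContext call from one copy of the sample into a second copy of itself (the process-hollowing shape, corroborated by the memory dumps of PID 1160 at the 0x400000 image base), and the non-DNS network contact. The script below pulls all three out of the report's pipe tables. It is an added example, not part of the original report and not any sandbox vendor's code; REPORT is a copy of the behavioral1 rows from this page, and the `<8 hex digits>\bin.exe` drop-path pattern and the 0x400000 image-base check are assumptions generalised from those rows rather than sandbox signatures.

```python
"""Triage helper for the sandbox report above.  Added example, not part of the
original report or of any sandbox vendor's tooling.  REPORT is the behavioral1
rows copied from this page; the drop-path regex and the 0x400000 image-base
check are assumptions generalised from those rows, not sandbox signatures."""
import json
import re
from collections import defaultdict

SAMPLE = "ce89251c64e775fc7c2a61e6a601e832244e3f1f0668d19eac421dff8d1956d5"
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE + ".exe"
REPORT = rf"""
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\EXPLORER.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\DE1E8787 = "C:\\Users\\Admin\\AppData\\Roaming\\DE1E8787\\bin.exe" | C:\Windows\SysWOW64\EXPLORER.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1720 set thread context of 1160 | N/A | {SAMPLE_EXE} | {SAMPLE_EXE} |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | newfandultimati.cc | udp |
| US | 216.218.185.162:80 | newfandultimati.cc | tcp |
Files
memory/1720-54-0x00000000765B1000-0x00000000765B3000-memory.dmp
memory/1160-57-0x0000000000400000-0x0000000001517000-memory.dmp
memory/1160-66-0x0000000001520000-0x0000000001F20000-memory.dmp
"""

def parse_report(text):
    """Group each pipe-table row (or memory dump name) under the heading above it."""
    sections, heading = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if cells[0] not in ("Description", "Country"):   # skip header rows
                sections[heading].append(cells)
        elif line.startswith("memory/"):
            sections[heading].append([line])
        else:
            heading = line
    return sections

RUN_VALUE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^\\ ]+) = "(?P<path>[^"]+)"')
# Drop-path shape in the row above: %APPDATA%\<8 hex digits>\bin.exe (assumed pattern)
TINBA_DROP = re.compile(r"\\AppData\\Roaming\\[0-9A-F]{8}\\bin\.exe$", re.I)
def run_key_entries(sections):
    """Run-key values written during the run, with the report's escaped path unescaped."""
    entries = []
    for cells in sections.get("Adds Run key to start application", []):
        m = RUN_VALUE.search(cells[1]) if cells[0].startswith("Set value") else None
        if m:
            path = m["path"].replace("\\\\", "\\")   # report doubles the backslashes
            entries.append({"value": m["name"], "path": path, "writer": cells[2],
                            "drop_pattern": bool(TINBA_DROP.search(path))})
    return entries

SET_CTX = re.compile(r"PID (?P<src>\d+) set thread context of (?P<dst>\d+)")
def self_injection_pairs(sections):
    """SetThreadContext where caller and target run the same image: the hollowing
    shape (spawn a copy of yourself suspended, overwrite it, set context, resume)."""
    pairs = []
    for cells in sections.get("Suspicious use of SetThreadContext", []):
        m = SET_CTX.search(cells[0])
        if m and len(cells) >= 4 and cells[2].lower() == cells[3].lower():
            pairs.append((int(m["src"]), int(m["dst"]), cells[2]))
    return pairs

DUMP = re.compile(r"memory/(?P<pid>\d+)-\d+-0x(?P<lo>[0-9A-Fa-f]+)-0x(?P<hi>[0-9A-Fa-f]+)-")
def image_regions_dumped(sections, pid):
    """Dumps of `pid` based at 0x400000, the usual 32-bit image base and the
    region a hollowed process's replacement image is normally written to."""
    regions = []
    for (name,) in sections.get("Files", []):
        m = DUMP.search(name)
        if m and int(m["pid"]) == pid and int(m["lo"], 16) == 0x400000:
            regions.append((int(m["lo"], 16), int(m["hi"], 16)))
    return regions

def network_contacts(sections):
    """(domain, ip, port, proto) for every contact except resolver lookups on :53."""
    contacts = []
    for _country, dest, domain, proto in sections.get("Network", []):
        ip, _, port = dest.rpartition(":")
        if port != "53":
            contacts.append((domain, ip, int(port), proto))
    return contacts

def triage(text=REPORT):
    s = parse_report(text)
    pairs = self_injection_pairs(s)
    return {"persistence": run_key_entries(s), "self_injection": pairs,
            "image_dumps": {dst: image_regions_dumped(s, dst) for _, dst, _ in pairs},
            "network": network_contacts(s)}

if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

The self-injection check is deliberately narrow: it only fires when the process that calls SetThreadContext and the process whose thread it rewrites are the same image, which is what PID 1720 and PID 1160 show here. The region it then selects from the memory dumps (PID 1160, 0x400000 to 0x1517000) is the one to carve for the unpacked payload; the `image_dumps` entry is keyed by the target PID so a report with several injections stays readable.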
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-29 00:05
Reported
2022-10-29 03:15
Platform
win10v2004-20220901-en
Max time kernel
70s
Max time network
132s
Command Line
Signatures
Program crash
Only the crash and the WerFault reporting chain were observed on this platform; none of the behavioral1 signatures (Run key, SetThreadContext, WriteProcessMemory, C2 contact) fired, and the contacts under Network below carry no resolved domain and are not attributed to the sample by any signature. The win7 run is the one that characterises the sample.
Processes
| Path | Command Line |
| C:\Users\Admin\AppData\Local\Temp\ce89251c64e775fc7c2a61e6a601e832244e3f1f0668d19eac421dff8d1956d5.exe | "C:\Users\Admin\AppData\Local\Temp\ce89251c64e775fc7c2a61e6a601e832244e3f1f0668d19eac421dff8d1956d5.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4280 -ip 4280 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 452 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4280 -ip 4280 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 460 |
Network
| Country | Destination | Domain | Proto |
| US | 20.42.73.24:443 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| NL | 88.221.25.155:80 | | tcp |