Analysis Overview
SHA256
e47ee59274ce5a54707089607ce972c889eb4940f953773d5792a299e476fe00
Threat Level: Known bad
The file dd71e38eb900f620adcdfee98633bb1a was found to be: Known bad.
Malicious Activity Summary
Tinba / TinyBanker
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-20 15:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-20 15:48
Reported
2023-12-20 23:59
Platform
win10v2004-20231215-en
Max time kernel
5s
Max time network
57s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\dd71e38eb900f620adcdfee98633bb1a.exe
"C:\Users\Admin\AppData\Local\Temp\dd71e38eb900f620adcdfee98633bb1a.exe"
C:\Windows\SysWOW64\winver.exe
winver
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | cbunahtesting.com | udp |
| US | 216.218.185.162:80 | cbunahtesting.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/4136-0-0x0000000000400000-0x000000000045D000-memory.dmp
memory/4136-1-0x00000000006E0000-0x00000000006E2000-memory.dmp
memory/4136-2-0x0000000000400000-0x0000000000405000-memory.dmp
memory/3468-3-0x00000000008A0000-0x00000000008A7000-memory.dmp
memory/4136-6-0x0000000002730000-0x0000000003130000-memory.dmp
memory/3100-7-0x0000000000C50000-0x0000000000C57000-memory.dmp
memory/3468-5-0x00000000008A0000-0x00000000008A7000-memory.dmp
memory/3100-4-0x0000000000C50000-0x0000000000C57000-memory.dmp
memory/3468-9-0x00007FFBC65CD000-0x00007FFBC65CE000-memory.dmp
memory/3100-8-0x0000000076F62000-0x0000000076F63000-memory.dmp
memory/3100-10-0x0000000000460000-0x0000000000472000-memory.dmp
memory/4136-12-0x0000000000400000-0x0000000000404A00-memory.dmp
memory/4136-13-0x0000000002730000-0x0000000003130000-memory.dmp
memory/2816-16-0x0000000000640000-0x0000000000647000-memory.dmp
memory/3468-17-0x0000000000940000-0x0000000000947000-memory.dmp
memory/2564-20-0x0000000000A40000-0x0000000000A47000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-20 15:48
Reported
2023-12-20 23:58
Platform
win7-20231215-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Tinba / TinyBanker
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\6997D774 = "C:\\Users\\Admin\\AppData\\Roaming\\6997D774\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
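Added example, not part of the sandbox report: a Python triage helper that parses the Run-key indicator exactly as the report prints it (doubled backslashes inside the quoted data included) and scores it with the checks an analyst would apply before calling it persistence. The four heuristics, the benign counter-example and the "OS binary as writer" rule are assumptions of this example, not signatures from the report.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Indicator and writing process copied from the "Adds Run key" signature above. The
# report doubles the backslashes inside the quoted data; the parser undoes that.
RUN_INDICATOR = (
    r"\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\6997D774 = "
    r'"C:\\Users\\Admin\\AppData\\Roaming\\6997D774\\bin.exe"'
)
RUN_WRITER = r"C:\Windows\SysWOW64\winver.exe"

# Constructed benign counter-example (a stock Windows autorun written by an
# installer); not taken from the report.
BENIGN_INDICATOR = (
    r"\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "
    r'"C:\\Windows\\system32\\SecurityHealthSystray.exe"'
)
BENIGN_WRITER = r"C:\Windows\system32\msiexec.exe"

HEX_TOKEN = re.compile(r"[0-9A-F]{8}", re.IGNORECASE)


@dataclass(frozen=True)
class RunValue:
    hive: str            # USER or MACHINE
    sid: Optional[str]   # user SID for HKU values, None for HKLM
    key: str             # key path without the value name
    name: str            # value name
    target: str          # decoded path of the registered binary


def parse_run_indicator(indicator: str) -> RunValue:
    """Split '<key> = "<data>"' as printed in the report into its parts."""
    key, sep, data = indicator.partition(" = ")
    if not sep:
        raise ValueError('expected \'<key> = "<data>"\'')
    target = data.strip().strip('"').replace("\\\\", "\\")
    parts = key.split("\\")           # ['', 'REGISTRY', 'USER', 'S-1-5-...', ...]
    if len(parts) < 5 or parts[1] != "REGISTRY" or parts[-2].lower() not in ("run", "runonce"):
        raise ValueError("not a Run/RunOnce value")
    sid = parts[3] if parts[2] == "USER" and parts[3].startswith("S-") else None
    return RunValue(parts[2], sid, "\\".join(parts[:-1]), parts[-1], target)


def assess(value: RunValue, writer: str) -> list[str]:
    """Heuristics (assumptions of this example, not report signatures) that make an
    autorun look like malware persistence; each one that matches is returned."""
    reasons = []
    target = PureWindowsPath(value.target)
    if HEX_TOKEN.fullmatch(value.name):
        reasons.append(f"value name {value.name!r} is an 8-hex-digit token, not a product name")
    if "\\appdata\\roaming\\" in value.target.lower():
        reasons.append("target lives under the roaming profile (%APPDATA%), a user-writable path")
    if target.parent.name.lower() == value.name.lower() and HEX_TOKEN.fullmatch(target.parent.name):
        reasons.append(f"the same token {target.parent.name!r} names both the folder and the value")
    writer_p = PureWindowsPath(writer)
    if str(writer_p).lower().startswith("c:\\windows\\") and not value.target.lower().startswith("c:\\windows\\"):
        reasons.append(f"written by {writer_p.name}, an OS binary that does not register third-party autoruns")
    return reasons


if __name__ == "__main__":
    for indicator, writer in ((RUN_INDICATOR, RUN_WRITER), (BENIGN_INDICATOR, BENIGN_WRITER)):
        v = parse_run_indicator(indicator)
        print(f"{v.hive}: {v.name} -> {v.target}")
        for reason in assess(v, writer) or ["no findings"]:
            print("  -", reason)
```

For the report's indicator all four checks fire: an 8-hex-digit name reused as a folder under %APPDATA%, written by winver.exe, which is the process the sample hollowed rather than anything that installs software. The constructed benign value returns no reasons, which is the point of keeping the checks specific instead of flagging every Run value.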
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd71e38eb900f620adcdfee98633bb1a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\dd71e38eb900f620adcdfee98633bb1a.exe
"C:\Users\Admin\AppData\Local\Temp\dd71e38eb900f620adcdfee98633bb1a.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\SysWOW64\winver.exe
winver
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | cbunahtesting.com | udp |
| US | 216.218.185.162:80 | cbunahtesting.com | tcp |
| US | 8.8.8.8:53 | rstmnryjbwhh.com | udp |
| US | 8.8.8.8:53 | rstmnryjbwhh.net | udp |
| US | 216.218.185.162:80 | rstmnryjbwhh.net | tcp |
| US | 8.8.8.8:53 | xgfvwviqgplg.com | udp |
| US | 162.249.66.128:80 | xgfvwviqgplg.com | tcp |
| US | 8.8.8.8:53 | lhponcvvrckl.com | udp |
| US | 216.218.185.162:80 | lhponcvvrckl.com | tcp |
| US | 8.8.8.8:53 | mmqyunmssbgl.com | udp |
| US | 216.218.185.162:80 | mmqyunmssbgl.com | tcp |
| US | 8.8.8.8:53 | bunipxttfccq.com | udp |
| US | 8.8.8.8:53 | bunipxttfccq.net | udp |
| US | 8.8.8.8:53 | bunipxttfccq.info | udp |
| US | 216.218.185.162:80 | bunipxttfccq.info | tcp |
| US | 8.8.8.8:53 | pvrjjbumhwji.com | udp |
| US | 8.8.8.8:53 | pvrjjbumhwji.net | udp |
| US | 8.8.8.8:53 | pvrjjbumhwji.info | udp |
| US | 216.218.185.162:80 | pvrjjbumhwji.info | tcp |
| US | 8.8.8.8:53 | dxdkeferjcfk.com | udp |
| US | 8.8.8.8:53 | dxdkeferjcfk.net | udp |
| US | 8.8.8.8:53 | dxdkeferjcfk.info | udp |
| US | 216.218.185.162:80 | dxdkeferjcfk.info | tcp |
| US | 8.8.8.8:53 | pillyeunkcol.com | udp |
| US | 216.218.185.162:80 | pillyeunkcol.com | tcp |
| US | 8.8.8.8:53 | vpblhsrxfneu.com | udp |
| US | 8.8.8.8:53 | vpblhsrxfneu.net | udp |
| US | 8.8.8.8:53 | vpblhsrxfneu.info | udp |
| US | 216.218.185.162:80 | vpblhsrxfneu.info | tcp |
| US | 8.8.8.8:53 | xcwvsjooinil.com | udp |
| US | 8.8.8.8:53 | xcwvsjooinil.net | udp |
| US | 8.8.8.8:53 | xcwvsjooinil.info | udp |
| US | 216.218.185.162:80 | xcwvsjooinil.info | tcp |
| US | 8.8.8.8:53 | hcupmpmnmrjx.com | udp |
| US | 8.8.8.8:53 | hcupmpmnmrjx.net | udp |
| US | 8.8.8.8:53 | hcupmpmnmrjx.info | udp |
| US | 216.218.185.162:80 | hcupmpmnmrjx.info | tcp |
| US | 8.8.8.8:53 | evlxxhojibgd.com | udp |
| US | 8.8.8.8:53 | evlxxhojibgd.net | udp |
| US | 8.8.8.8:53 | evlxxhojibgd.info | udp |
| US | 216.218.185.162:80 | evlxxhojibgd.info | tcp |
| US | 8.8.8.8:53 | nueyydsowckx.com | udp |
| US | 8.8.8.8:53 | nueyydsowckx.net | udp |
| US | 8.8.8.8:53 | nueyydsowckx.info | udp |
| US | 216.218.185.162:80 | nueyydsowckx.info | tcp |
| US | 8.8.8.8:53 | pmlmfbehhunq.com | udp |
| US | 8.8.8.8:53 | pmlmfbehhunq.net | udp |
| US | 8.8.8.8:53 | pmlmfbehhunq.info | udp |
| US | 216.218.185.162:80 | pmlmfbehhunq.info | tcp |
| US | 8.8.8.8:53 | txvtsntdbjjx.com | udp |
| US | 8.8.8.8:53 | txvtsntdbjjx.net | udp |
| US | 8.8.8.8:53 | txvtsntdbjjx.info | udp |
| US | 216.218.185.162:80 | txvtsntdbjjx.info | tcp |
| US | 8.8.8.8:53 | byckuugigtut.com | udp |
| US | 8.8.8.8:53 | byckuugigtut.net | udp |
| US | 8.8.8.8:53 | byckuugigtut.info | udp |
| US | 216.218.185.162:80 | byckuugigtut.info | tcp |
| US | 8.8.8.8:53 | pgqdgjidhtlt.com | udp |
| US | 8.8.8.8:53 | pgqdgjidhtlt.net | udp |
| US | 8.8.8.8:53 | pgqdgjidhtlt.info | udp |
| US | 216.218.185.162:80 | pgqdgjidhtlt.info | tcp |
| US | 8.8.8.8:53 | tynxckfcgfej.com | udp |
| US | 8.8.8.8:53 | tynxckfcgfej.net | udp |
| US | 8.8.8.8:53 | tynxckfcgfej.info | udp |
| US | 216.218.185.162:80 | tynxckfcgfej.info | tcp |
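Added example, not part of the sandbox report: a Python pass over the Network table (this one or the shorter behavioral2 table above, both share the same column layout) that separates the 12-letter labels the sample cycles through .com, .net and .info from the ordinary lookups such as www.google.com and cbunahtesting.com, and records which label ended up with a TCP connection to which host. Only a subset of the rows is embedded, copied from the table above; the 12-letter/low-vowel rule is a heuristic of this example, not a classifier from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Subset of rows copied from the behavioral1 Network table above; the parser takes
# the full table (header line included) unchanged.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | cbunahtesting.com | udp |
| US | 216.218.185.162:80 | cbunahtesting.com | tcp |
| US | 8.8.8.8:53 | rstmnryjbwhh.com | udp |
| US | 8.8.8.8:53 | rstmnryjbwhh.net | udp |
| US | 216.218.185.162:80 | rstmnryjbwhh.net | tcp |
| US | 8.8.8.8:53 | xgfvwviqgplg.com | udp |
| US | 162.249.66.128:80 | xgfvwviqgplg.com | tcp |
| US | 8.8.8.8:53 | bunipxttfccq.com | udp |
| US | 8.8.8.8:53 | bunipxttfccq.net | udp |
| US | 8.8.8.8:53 | bunipxttfccq.info | udp |
| US | 216.218.185.162:80 | bunipxttfccq.info | tcp |
"""

VOWELS = frozenset("aeiou")


@dataclass(frozen=True)
class Row:
    country: str
    dest: str
    domain: str
    proto: str


def parse_rows(table: str) -> list[Row]:
    """Parse the report's pipe-delimited Network table, skipping the header."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Country":
            rows.append(Row(*cells))
    return rows


def sld(domain: str) -> str:
    """Second-level label: 'rstmnryjbwhh' for 'rstmnryjbwhh.net' (public-suffix rules ignored)."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label: str) -> bool:
    """Heuristic (an assumption of this example) fitted to the labels in the table:
    exactly 12 lowercase letters with at most about a third of them vowels."""
    if not re.fullmatch(r"[a-z]{12}", label):
        return False
    return sum(ch in VOWELS for ch in label) / len(label) <= 0.35


def summarize(rows: list[Row]) -> dict:
    """Group DNS queries by label and pair them with the TCP connects that followed."""
    queried = defaultdict(set)   # label -> TLDs looked up over DNS
    reached = defaultdict(set)   # label -> (TLD, IP) that received a TCP connection
    for r in rows:
        ip, _, port = r.dest.rpartition(":")
        label, tld = sld(r.domain), r.domain.rsplit(".", 1)[-1].lower()
        if r.proto == "udp" and port == "53":
            queried[label].add(tld)
        elif r.proto == "tcp":
            reached[label].add((tld, ip))
    generated = {lab: sorted(tlds) for lab, tlds in queried.items() if looks_generated(lab)}
    by_ip = defaultdict(set)
    for lab in generated:
        for _tld, ip in reached.get(lab, ()):
            by_ip[ip].add(lab)
    return {
        "generated": generated,
        "other": sorted(lab for lab in queried if lab not in generated),
        "by_ip": {ip: sorted(labs) for ip, labs in by_ip.items()},
    }


if __name__ == "__main__":
    summary = summarize(parse_rows(NETWORK_TABLE))
    for label, tlds in summary["generated"].items():
        print(f"{label}: tried {', '.join(tlds)}")
    for ip, labels in summary["by_ip"].items():
        print(f"{ip} <- {len(labels)} generated labels")
    print("non-generated lookups:", ", ".join(summary["other"]))
```

The grouping makes the order in the table explicit: each label is queried on .com, then .net, then .info, and the first TLD that resolves is followed by a TCP/80 connection, after which the sample moves to the next label. In the full table every such connection except xgfvwviqgplg.com (162.249.66.128) lands on 216.218.185.162, so that address and the label pattern are the indicators worth carrying into DNS and proxy logs, while the two non-generated names are the ones to treat with more care (www.google.com is a connectivity check; cbunahtesting.com is a fixed domain the sample contacts first).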
Files
memory/2144-0-0x0000000000400000-0x000000000045D000-memory.dmp
memory/2144-2-0x0000000000400000-0x000000000045D000-memory.dmp
memory/2144-1-0x0000000000400000-0x0000000000405000-memory.dmp
memory/2144-4-0x0000000002100000-0x0000000002B00000-memory.dmp
memory/2532-6-0x0000000000120000-0x0000000000127000-memory.dmp
memory/2532-8-0x000000007737F000-0x0000000077380000-memory.dmp
memory/2532-14-0x0000000000A40000-0x0000000000A56000-memory.dmp
memory/2532-15-0x0000000000160000-0x0000000000161000-memory.dmp
memory/1232-13-0x00000000771D1000-0x00000000771D2000-memory.dmp
memory/2532-12-0x0000000077380000-0x0000000077381000-memory.dmp
memory/2532-11-0x000000007737F000-0x0000000077381000-memory.dmp
memory/1232-10-0x0000000002D10000-0x0000000002D17000-memory.dmp
memory/2532-7-0x0000000000120000-0x0000000000127000-memory.dmp
memory/1232-5-0x0000000002D10000-0x0000000002D17000-memory.dmp
memory/1232-3-0x0000000002D10000-0x0000000002D17000-memory.dmp
memory/2532-16-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2144-17-0x0000000000400000-0x0000000000404A00-memory.dmp
memory/2144-18-0x0000000002100000-0x0000000002B00000-memory.dmp
memory/804-29-0x0000000000150000-0x0000000000157000-memory.dmp
memory/1232-26-0x0000000002D50000-0x0000000002D57000-memory.dmp
memory/1164-23-0x00000000002C0000-0x00000000002C7000-memory.dmp
memory/804-35-0x00000000771D1000-0x00000000771D2000-memory.dmp
memory/804-34-0x0000000000150000-0x0000000000157000-memory.dmp
memory/1232-33-0x0000000002D50000-0x0000000002D57000-memory.dmp
memory/1164-32-0x00000000002C0000-0x00000000002C7000-memory.dmp
memory/1108-31-0x00000000771D1000-0x00000000771D2000-memory.dmp
memory/1108-30-0x00000000020F0000-0x00000000020F7000-memory.dmp
memory/1108-21-0x00000000020F0000-0x00000000020F7000-memory.dmp
memory/2532-41-0x0000000000120000-0x0000000000127000-memory.dmp
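Added example, not part of the sandbox report: a Python helper that parses the dump file names as listed above (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, the same layout in the behavioral2 Files list), groups them per PID, and picks out region sizes that recur across several unrelated PIDs. That recurrence is the quickest way to find the candidate injected regions when the report also flags WriteProcessMemory, before opening any dump. Only a subset of the behavioral1 names is embedded; the name layout is inferred from the list, and the report does not map PIDs to process images, so the helper does not either.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Subset of dump names copied from the behavioral1 Files list above (PIDs 2144, 2532,
# 1232, 804, 1164, 1108); the parser accepts the full list unchanged.
DUMPS = """\
memory/2144-0-0x0000000000400000-0x000000000045D000-memory.dmp
memory/2144-1-0x0000000000400000-0x0000000000405000-memory.dmp
memory/2144-4-0x0000000002100000-0x0000000002B00000-memory.dmp
memory/2532-6-0x0000000000120000-0x0000000000127000-memory.dmp
memory/2532-14-0x0000000000A40000-0x0000000000A56000-memory.dmp
memory/1232-3-0x0000000002D10000-0x0000000002D17000-memory.dmp
memory/1232-26-0x0000000002D50000-0x0000000002D57000-memory.dmp
memory/804-29-0x0000000000150000-0x0000000000157000-memory.dmp
memory/1164-23-0x00000000002C0000-0x00000000002C7000-memory.dmp
memory/1108-21-0x00000000020F0000-0x00000000020F7000-memory.dmp
memory/2144-17-0x0000000000400000-0x0000000000404A00-memory.dmp
""".split()

# Name layout as it appears above: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int      # dump order within the run
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump(name: str) -> Region:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    return Region(int(pid), int(seq), int(start, 16), int(end, 16))


def regions_by_pid(names: list[str]) -> dict[int, list[Region]]:
    """Dumps grouped per PID, in the order the sandbox took them."""
    out = defaultdict(list)
    for r in sorted(map(parse_dump, names), key=lambda r: (r.pid, r.seq)):
        out[r.pid].append(r)
    return dict(out)


def shared_sizes(names: list[str], min_pids: int = 3) -> dict[int, set[int]]:
    """Region sizes dumped from at least `min_pids` different PIDs. A same-size
    block at different addresses in unrelated processes is the first thing to open
    when the report flags WriteProcessMemory."""
    per_size = defaultdict(set)
    for r in map(parse_dump, names):
        per_size[r.size].add(r.pid)
    return {size: pids for size, pids in per_size.items() if len(pids) >= min_pids}


def image_base_dumps(names: list[str], base: int = 0x400000) -> list[Region]:
    """Snapshots taken at the default PE image base; with UnmapMainImage flagged on
    the sample, successive snapshots of this base are the ones to diff."""
    return [r for r in map(parse_dump, names) if r.start == base]


if __name__ == "__main__":
    for pid, regions in regions_by_pid(DUMPS).items():
        print(pid, [f"{r.start:#x}+{r.size:#x}" for r in regions])
    for size, pids in shared_sizes(DUMPS).items():
        print(f"size {size:#x} dumped from PIDs {sorted(pids)}")
    print("image-base snapshots:", [(r.seq, f"{r.size:#x}") for r in image_base_dumps(DUMPS)])
```

On the embedded subset the only shared size is 0x7000, present in five PIDs other than the sample's own (2144); in the full list the same 0x7000 regions recur with the same PIDs, and in behavioral2 the equivalent set is PIDs 3468, 3100, 2816 and 2564. PID 2144 holds the three snapshots at 0x400000 (sizes shrinking from 0x5D000 to 0x4A00) plus a 10 MiB allocation at 0x2100000, so the sample's own process and the 0x7000 blocks in the others are the dumps to compare first; which images those PIDs belong to has to come from the process tree, which this report does not print.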