Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19-05-2024 23:34

General

  • Target

    7a2d5f53e59f04a34b317459201d55c853bc81884448da06f030a8bff0feb421.exe

  • Size

    225KB

  • MD5

    b1c3cf250437991bc52e7046251dc7bc

  • SHA1

    6321a7b20ab661ca6e2ad766d78db41919ea0fa7

  • SHA256

    7a2d5f53e59f04a34b317459201d55c853bc81884448da06f030a8bff0feb421

  • SHA512

    abac0e590ba1bac3ce9531c30aaf3a8552e33fffa462d05e754c01949d4290aa51be0248c3069b451f1e752e8486c7b3cfc37622da06271e0dd430dcb9a11ada

  • SSDEEP

    6144:BA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:BATuTAnKGwUAW3ycQqgf

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1112
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1176
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1204
          • C:\Users\Admin\AppData\Local\Temp\7a2d5f53e59f04a34b317459201d55c853bc81884448da06f030a8bff0feb421.exe
            "C:\Users\Admin\AppData\Local\Temp\7a2d5f53e59f04a34b317459201d55c853bc81884448da06f030a8bff0feb421.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2880
            • C:\Windows\SysWOW64\winver.exe
              winver
              3⤵
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:2536

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Discovery

        System Information Discovery

        1
        T1082

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1112-21-0x0000000001F50000-0x0000000001F56000-memory.dmp
          Filesize

          24KB

        • memory/1112-11-0x0000000001F50000-0x0000000001F56000-memory.dmp
          Filesize

          24KB

        • memory/1176-14-0x00000000001C0000-0x00000000001C6000-memory.dmp
          Filesize

          24KB

        • memory/1176-23-0x00000000001C0000-0x00000000001C6000-memory.dmp
          Filesize

          24KB

        • memory/1204-17-0x0000000003120000-0x0000000003126000-memory.dmp
          Filesize

          24KB

        • memory/1204-3-0x0000000002A80000-0x0000000002A86000-memory.dmp
          Filesize

          24KB

        • memory/1204-6-0x0000000002A80000-0x0000000002A86000-memory.dmp
          Filesize

          24KB

        • memory/1204-1-0x0000000002A80000-0x0000000002A86000-memory.dmp
          Filesize

          24KB

        • memory/1204-22-0x0000000003120000-0x0000000003126000-memory.dmp
          Filesize

          24KB

        • memory/2536-20-0x00000000003D0000-0x00000000003D6000-memory.dmp
          Filesize

          24KB

        • memory/2536-4-0x0000000000170000-0x0000000000176000-memory.dmp
          Filesize

          24KB

        • memory/2536-25-0x00000000003D0000-0x00000000003D6000-memory.dmp
          Filesize

          24KB

        • memory/2880-8-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB