Analysis Overview
SHA256
ecd3cef94588edc92a329889d6486d8834d113dd9e8c354da8a808ed7abc8e7d
Threat Level: Known bad
The file ecd3cef94588edc92a329889d6486d8834d113dd9e8c354da8a808ed7abc8e7d was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Tinba / TinyBanker
UPX packed file
Adds Run key to start application
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 05:05
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 05:05
Reported
2024-06-20 05:07
Platform
win7-20240611-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Tinba / TinyBanker
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDD4AFD7 = "C:\\Users\\Admin\\AppData\\Roaming\\CDD4AFD7\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\ecd3cef94588edc92a329889d6486d8834d113dd9e8c354da8a808ed7abc8e7d.exe
"C:\Users\Admin\AppData\Local\Temp\ecd3cef94588edc92a329889d6486d8834d113dd9e8c354da8a808ed7abc8e7d.exe"
C:\Windows\SysWOW64\winver.exe
winver
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | spaines.pw | udp |
| US | 216.218.185.162:80 | spaines.pw | tcp |
Files
memory/2248-0-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2248-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1308-3-0x0000000002790000-0x0000000002796000-memory.dmp
memory/1308-2-0x0000000002790000-0x0000000002796000-memory.dmp
memory/1308-4-0x0000000002790000-0x0000000002796000-memory.dmp
memory/2248-5-0x0000000001C10000-0x0000000002610000-memory.dmp
memory/1420-11-0x00000000779E0000-0x0000000077B89000-memory.dmp
memory/1308-10-0x0000000077A31000-0x0000000077A32000-memory.dmp
memory/1420-9-0x0000000077BDF000-0x0000000077BE1000-memory.dmp
memory/1420-8-0x0000000077BDF000-0x0000000077BE0000-memory.dmp
memory/1420-7-0x0000000077BE0000-0x0000000077BE1000-memory.dmp
memory/1420-6-0x0000000000100000-0x0000000000106000-memory.dmp
memory/2248-12-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2248-13-0x0000000001C10000-0x0000000002610000-memory.dmp
memory/1272-20-0x0000000000120000-0x0000000000126000-memory.dmp
memory/1308-22-0x0000000002740000-0x0000000002746000-memory.dmp
memory/1308-26-0x0000000002740000-0x0000000002746000-memory.dmp
memory/1272-25-0x0000000000120000-0x0000000000126000-memory.dmp
memory/1208-24-0x0000000077A31000-0x0000000077A32000-memory.dmp
memory/1208-23-0x0000000001CC0000-0x0000000001CC6000-memory.dmp
memory/1420-30-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/1420-31-0x0000000000100000-0x0000000000106000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 05:05
Reported
2024-06-20 05:07
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
133s
Command Line
Signatures
Tinba / TinyBanker
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EC424DDB = "C:\\Users\\Admin\\AppData\\Roaming\\EC424DDB\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
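Both behavioral runs record the same persistence shape: a value under HKCU\...\CurrentVersion\Run whose name is eight hex characters and whose data points at AppData\Roaming\<same eight characters>\bin.exe, written by the hollowed winver.exe. The following is an added example (not part of the sandbox report) that parses "Set value (str)" indicators in the format shown in the behavioral1 and behavioral2 tables and separates that specific shape from the much weaker "autorun under AppData" signal. The sample event list is constructed here; the first two entries are the values shown on this page, the third is an invented benign entry for contrast.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events in the report's "Set value (str)" indicator format.
# Entries 1 and 2 are the Run values recorded in behavioral1 and behavioral2 above;
# entry 3 is an invented, benign-looking autorun used to show the rule does not fire on it.
SAMPLE_EVENTS = [
    r'\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDD4AFD7 = "C:\\Users\\Admin\\AppData\\Roaming\\CDD4AFD7\\bin.exe"',
    r'\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EC424DDB = "C:\\Users\\Admin\\AppData\\Roaming\\EC424DDB\\bin.exe"',
    r'\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
]

# <key path>\<value name> = "<data>"  (value names cannot contain a backslash)
EVENT_RE = re.compile(r'^(?P<key>.+?)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
# Only HKCU/HKLM ...\CurrentVersion\Run and RunOnce keys are of interest here.
RUN_KEY_RE = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)
# Shape observed on this page: Roaming\<8 hex chars>\bin.exe, optionally followed by arguments.
RANDOM_DIR_BIN_RE = re.compile(r'\\AppData\\Roaming\\(?P<dir>[0-9A-F]{8})\\bin\.exe(\s|$)', re.IGNORECASE)


@dataclass
class RunKeyFinding:
    value_name: str
    image_path: str
    reasons: list = field(default_factory=list)


def analyze_run_key_event(line):
    """Parse one indicator line; return a RunKeyFinding for Run/RunOnce writes, else None."""
    m = EVENT_RE.match(line)
    if not m or not RUN_KEY_RE.search(m.group('key')):
        return None
    name = m.group('name')
    # The report prints backslashes in the data doubled; collapse them to a real path.
    data = m.group('data').replace('\\\\', '\\')
    finding = RunKeyFinding(name, data)
    if re.search(r'\\AppData\\', data, re.IGNORECASE):
        finding.reasons.append('autorun image under user-writable AppData')
    shape = RANDOM_DIR_BIN_RE.search(data)
    if shape:
        finding.reasons.append('image is Roaming\\<8 hex>\\bin.exe')
        if shape.group('dir').upper() == name.upper():
            finding.reasons.append('value name equals the random directory name')
    return finding


def score_events(lines):
    """Return {value_name: reasons} for every Run-key write that tripped at least one rule."""
    findings = {}
    for line in lines:
        f = analyze_run_key_event(line)
        if f and f.reasons:
            findings[f.value_name] = f.reasons
    return findings


def family_style_run_values(lines):
    """Value names whose data matches the full shape seen on this page (all three reasons).
    AppData alone is weak evidence; many legitimate per-user installers do the same."""
    return [name for name, reasons in score_events(lines).items() if len(reasons) == 3]


if __name__ == '__main__':
    for name, reasons in score_events(SAMPLE_EVENTS).items():
        print(name, '->', '; '.join(reasons))
    print('family-style:', family_style_run_values(SAMPLE_EVENTS))
```

The three-reason verdict is deliberately strict: an autorun under AppData on its own should be triaged, not alerted on, while the eight-hex directory whose name is reused as the Run value name is specific enough to page on.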
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\winver.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1720 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\ecd3cef94588edc92a329889d6486d8834d113dd9e8c354da8a808ed7abc8e7d.exe | C:\Windows\SysWOW64\winver.exe |
| PID 1720 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\ecd3cef94588edc92a329889d6486d8834d113dd9e8c354da8a808ed7abc8e7d.exe | C:\Windows\SysWOW64\winver.exe |
| PID 1720 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\ecd3cef94588edc92a329889d6486d8834d113dd9e8c354da8a808ed7abc8e7d.exe | C:\Windows\SysWOW64\winver.exe |
| PID 1720 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\ecd3cef94588edc92a329889d6486d8834d113dd9e8c354da8a808ed7abc8e7d.exe | C:\Windows\SysWOW64\winver.exe |
| PID 2716 wrote to memory of 3544 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\Explorer.EXE |
| PID 2716 wrote to memory of 2464 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\sihost.exe |
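The WriteProcessMemory rows above describe a two-hop chain: the dropper writes into a freshly started copy of the Windows-bundled winver.exe (four writes, consistent with a hollowed host), and that winver.exe then writes into Explorer.EXE and sihost.exe. The following is an added example (not part of the sandbox report) that parses rows in this table's format, de-duplicates the repeated writes, and reconstructs such chains by requiring the middle hop to be a Windows image that was itself written to by a non-Windows image. The row list is constructed here from the six rows shown above.

```python
import re
from collections import defaultdict

# Image paths as they appear in the behavioral2 process list above.
SAMPLE_EXE = r'C:\Users\Admin\AppData\Local\Temp\ecd3cef94588edc92a329889d6486d8834d113dd9e8c354da8a808ed7abc8e7d.exe'
WINVER = r'C:\Windows\SysWOW64\winver.exe'
EXPLORER = r'C:\Windows\Explorer.EXE'
SIHOST = r'C:\Windows\system32\sihost.exe'


def row(src_pid, dst_pid, src, dst):
    """Build one table row in the report's '| Description | Indicator | Process | Target |' layout."""
    return f'| PID {src_pid} wrote to memory of {dst_pid} | N/A | {src} | {dst} |'


# Constructed copy of the behavioral2 WriteProcessMemory table, repeated rows included.
WPM_ROWS = [row(1720, 2716, SAMPLE_EXE, WINVER)] * 4 + [
    row(2716, 3544, WINVER, EXPLORER),
    row(2716, 2464, WINVER, SIHOST),
]

ROW_RE = re.compile(r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)')


def parse_writes(rows):
    """Return de-duplicated (src_pid, dst_pid, src_image, dst_image) edges, in first-seen order."""
    edges = []
    for line in rows:
        cells = [c.strip() for c in line.strip().strip('|').split('|')]
        if len(cells) < 4:
            continue
        m = ROW_RE.match(cells[0])
        if not m:
            continue
        edge = (int(m['src']), int(m['dst']), cells[2], cells[3])
        if edge not in edges:
            edges.append(edge)
    return edges


def is_windows_image(path):
    return path.lower().startswith('c:\\windows\\')


def injection_chains(rows):
    """Find (origin, host, victim) chains: a non-Windows image writes into a Windows binary,
    and that binary's PID then writes into further processes. The middle hop is the likely
    hollowed host; on this page that role is played by winver.exe."""
    edges = parse_writes(rows)
    writes_from = defaultdict(list)
    for src_pid, dst_pid, src_img, dst_img in edges:
        writes_from[src_pid].append((dst_pid, dst_img))
    chains = []
    for src_pid, dst_pid, src_img, dst_img in edges:
        if is_windows_image(src_img) or not is_windows_image(dst_img):
            continue  # only non-Windows -> Windows writes can start a chain
        for _, victim_img in writes_from[dst_pid]:
            chains.append((src_img, dst_img, victim_img))
    return chains


if __name__ == '__main__':
    for origin, host, victim in injection_chains(WPM_ROWS):
        print(f'{origin} -> {host} -> {victim}')
```

Keying the second hop on the host's PID rather than on its image name matters: a write from a legitimately running winver.exe would not be chained, only the specific instance that a non-Windows process had already written into.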
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\ecd3cef94588edc92a329889d6486d8834d113dd9e8c354da8a808ed7abc8e7d.exe
"C:\Users\Admin\AppData\Local\Temp\ecd3cef94588edc92a329889d6486d8834d113dd9e8c354da8a808ed7abc8e7d.exe"
C:\Windows\SysWOW64\winver.exe
winver
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2716 -ip 2716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 352
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4372,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/1720-0-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1720-1-0x0000000000680000-0x0000000000681000-memory.dmp
memory/3544-3-0x0000000000A80000-0x0000000000A86000-memory.dmp
memory/3544-2-0x0000000000A80000-0x0000000000A86000-memory.dmp
memory/1720-4-0x0000000002180000-0x0000000002B80000-memory.dmp
memory/3544-6-0x00007FFEBB34D000-0x00007FFEBB34E000-memory.dmp
memory/2716-5-0x00000000775E2000-0x00000000775E3000-memory.dmp
memory/2716-7-0x00007FFEBB2B0000-0x00007FFEBB4A5000-memory.dmp
memory/3544-8-0x00007FFEBB4E0000-0x00007FFEBB4E1000-memory.dmp
memory/1720-10-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1720-11-0x0000000002180000-0x0000000002B80000-memory.dmp
memory/3544-12-0x00007FFEBB4C0000-0x00007FFEBB4C1000-memory.dmp
memory/2716-14-0x0000000001330000-0x0000000001336000-memory.dmp
memory/2464-16-0x0000000000710000-0x0000000000716000-memory.dmp
memory/2716-17-0x0000000001330000-0x0000000001336000-memory.dmp