tinba | 9a66b08b371ec0741b6fcd8ee1a582fd748d7953bfff5c7da55b5e5bae9d92cf

General

Target

9a66b08b371ec0741b6fcd8ee1a582fd748d7953bfff5c7da55b5e5bae9d92cf.exe
Size

225KB
MD5

47f54d06e5c57d16c86d4288e762d75c
SHA1

dd8c8d497dcc76371c72edea24345472719cfccd
SHA256

9a66b08b371ec0741b6fcd8ee1a582fd748d7953bfff5c7da55b5e5bae9d92cf
SHA512

a786732ca3affd4b1dd7d6796693bbc0bd95616515a7284ba127895b9a51ce2805f162fc25cc9ec25eb43615149b74863e789204c6b249a5f5dc0691c1a515a3
SSDEEP

6144:FA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:FATuTAnKGwUAW3ycQqgf

Score

10^/10

tinba banker persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32DDD102 = "C:\\Users\\Admin\\AppData\\Roaming\\32DDD102\\bin.exe"	winver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

winver.exe

pid	process
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe
4332	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winver.exe

pid process

4332 winver.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

9a66b08b371ec0741b6fcd8ee1a582fd748d7953bfff5c7da55b5e5bae9d92cf.exewinver.exe

description	pid	process	target process
PID 3184 wrote to memory of 4332	3184	9a66b08b371ec0741b6fcd8ee1a582fd748d7953bfff5c7da55b5e5bae9d92cf.exe	winver.exe
PID 3184 wrote to memory of 4332	3184	9a66b08b371ec0741b6fcd8ee1a582fd748d7953bfff5c7da55b5e5bae9d92cf.exe	winver.exe
PID 3184 wrote to memory of 4332	3184	9a66b08b371ec0741b6fcd8ee1a582fd748d7953bfff5c7da55b5e5bae9d92cf.exe	winver.exe
PID 3184 wrote to memory of 4332	3184	9a66b08b371ec0741b6fcd8ee1a582fd748d7953bfff5c7da55b5e5bae9d92cf.exe	winver.exe
PID 4332 wrote to memory of 3356	4332	winver.exe	Explorer.EXE
PID 4332 wrote to memory of 2416	4332	winver.exe	sihost.exe
PID 4332 wrote to memory of 2444	4332	winver.exe	svchost.exe
PID 4332 wrote to memory of 2628	4332	winver.exe	taskhostw.exe
PID 4332 wrote to memory of 3356	4332	winver.exe	Explorer.EXE
PID 4332 wrote to memory of 3512	4332	winver.exe	svchost.exe
PID 4332 wrote to memory of 3724	4332	winver.exe	DllHost.exe
PID 4332 wrote to memory of 3832	4332	winver.exe	StartMenuExperienceHost.exe
PID 4332 wrote to memory of 3936	4332	winver.exe	RuntimeBroker.exe
PID 4332 wrote to memory of 4036	4332	winver.exe	SearchApp.exe
PID 4332 wrote to memory of 4104	4332	winver.exe	RuntimeBroker.exe
PID 4332 wrote to memory of 2364	4332	winver.exe	RuntimeBroker.exe
PID 4332 wrote to memory of 3156	4332	winver.exe	TextInputHost.exe
PID 4332 wrote to memory of 652	4332	winver.exe	RuntimeBroker.exe
PID 4332 wrote to memory of 3112	4332	winver.exe	msedge.exe
PID 4332 wrote to memory of 2576	4332	winver.exe	msedge.exe
PID 4332 wrote to memory of 2100	4332	winver.exe	msedge.exe
PID 4332 wrote to memory of 2624	4332	winver.exe	msedge.exe
PID 4332 wrote to memory of 4556	4332	winver.exe	msedge.exe
PID 4332 wrote to memory of 4832	4332	winver.exe	msedge.exe
PID 4332 wrote to memory of 3200	4332	winver.exe	msedge.exe
PID 4332 wrote to memory of 3184	4332	winver.exe	9a66b08b371ec0741b6fcd8ee1a582fd748d7953bfff5c7da55b5e5bae9d92cf.exe
PID 4332 wrote to memory of 4088	4332	winver.exe	msedge.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2444

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2628

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\9a66b08b371ec0741b6fcd8ee1a582fd748d7953bfff5c7da55b5e5bae9d92cf.exe
"C:\Users\Admin\AppData\Local\Temp\9a66b08b371ec0741b6fcd8ee1a582fd748d7953bfff5c7da55b5e5bae9d92cf.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\winver.exe
winver
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3512

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3724

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3936

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4036

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4104

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2364

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3156

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b4,0x7ff9732e2e98,0x7ff9732e2ea4,0x7ff9732e2eb0
2⤵
PID:2576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2244 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:2
2⤵
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3252 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:3
2⤵
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3364 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
2⤵
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5364 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:1
2⤵
PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5612 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:1
2⤵
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
2⤵
PID:4088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
85abb0f739500e83a8c2873388665f7c

SHA1
a7929d8e0d51302bb2f87fcf4192b5797e0b34ed

SHA256
1a76ff12e8d9a65557694eabf559a884861053990bb7e287ce34bd6be74733e0

SHA512
36dce48bc6afca6f3f0eb32e56b5822d1eec519a13b26f6a2c922fbc03ccc70d63a846c8a7b72a45c74570446a0b0371a88fc2b451ad512b53d668c127683d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
5dc2ecf45e0682299ca605fdbafa8d25

SHA1
366c598ede7da0ebb2cc49c3ae833728cec52931

SHA256
e8f4efa705df52ba48326a5090555ad8fa24991632778b1003a8ea0ff3b57bca

SHA512
d8c1ad990fcd808b21e8b56d5835f88ca2727e68c16dc9076be1de95654ee2a98f2d9e20942ff52edd66410a5c2ea195c3a2ff9f94c829ad9177b1431f2e923b

Download Submit
memory/652-34-0x0000000000EF0000-0x0000000000EF6000-memory.dmp

Filesize
24KB

Download
memory/652-20-0x0000000000EF0000-0x0000000000EF6000-memory.dmp

Filesize
24KB

Download
memory/2364-18-0x0000000000A30000-0x0000000000A36000-memory.dmp

Filesize
24KB

Download
memory/2364-36-0x0000000000A30000-0x0000000000A36000-memory.dmp

Filesize
24KB

Download
memory/2416-8-0x0000000000CC0000-0x0000000000CC6000-memory.dmp

Filesize
24KB

Download
memory/2416-26-0x0000000000CC0000-0x0000000000CC6000-memory.dmp

Filesize
24KB

Download
memory/2444-9-0x0000000000AC0000-0x0000000000AC6000-memory.dmp

Filesize
24KB

Download
memory/2444-33-0x0000000000AC0000-0x0000000000AC6000-memory.dmp

Filesize
24KB

Download
memory/2628-10-0x0000000000AC0000-0x0000000000AC6000-memory.dmp

Filesize
24KB

Download
memory/2628-32-0x0000000000AC0000-0x0000000000AC6000-memory.dmp

Filesize
24KB

Download
memory/3156-19-0x00000000000D0000-0x00000000000D6000-memory.dmp

Filesize
24KB

Download
memory/3156-35-0x00000000000D0000-0x00000000000D6000-memory.dmp

Filesize
24KB

Download
memory/3184-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3184-24-0x00000000046E0000-0x0000000004D38000-memory.dmp

Filesize
6.3MB

Download
memory/3184-2-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/3184-1-0x00000000046E0000-0x0000000004D38000-memory.dmp

Filesize
6.3MB

Download
memory/3356-11-0x0000000001070000-0x0000000001076000-memory.dmp

Filesize
24KB

Download
memory/3356-4-0x0000000001060000-0x0000000001066000-memory.dmp

Filesize
24KB

Download
memory/3356-7-0x0000000001060000-0x0000000001066000-memory.dmp

Filesize
24KB

Download
memory/3356-25-0x0000000001070000-0x0000000001076000-memory.dmp

Filesize
24KB

Download
memory/3512-12-0x00000000000F0000-0x00000000000F6000-memory.dmp

Filesize
24KB

Download
memory/3512-31-0x00000000000F0000-0x00000000000F6000-memory.dmp

Filesize
24KB

Download
memory/3724-29-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/3724-13-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/3832-30-0x0000000000C70000-0x0000000000C76000-memory.dmp

Filesize
24KB

Download
memory/3832-14-0x0000000000C70000-0x0000000000C76000-memory.dmp

Filesize
24KB

Download
memory/3936-15-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/3936-27-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/4036-16-0x00000000008D0000-0x00000000008D6000-memory.dmp

Filesize
24KB

Download
memory/4104-28-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/4104-17-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/4332-5-0x0000000002850000-0x0000000002856000-memory.dmp

Filesize
24KB

Download
memory/4332-38-0x00000000029D0000-0x00000000029D6000-memory.dmp

Filesize
24KB

Download
memory/4332-21-0x00000000029D0000-0x00000000029D6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads