Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    29-06-2024 02:00

General

  • Target

    b8abcf4ca1f0843a3eedefbde7a6d23ba97d6799ed41e65e51e9e07c38ee6a2b.exe

  • Size

    225KB

  • MD5

    3924b63a3fcc471a71870994c8384cb3

  • SHA1

    dddec0589cae6896e54434b01e16bc2f2c10f3ce

  • SHA256

    b8abcf4ca1f0843a3eedefbde7a6d23ba97d6799ed41e65e51e9e07c38ee6a2b

  • SHA512

    587502167457afc7fd986c3b5a5431b715c1aebb9632d6c4cbe924124ee87a6b6f591520473cbb4878d78526d31d3424988071db898fdc71f8ecdcf48d3bd3c7

  • SSDEEP

    6144:xA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:xATuTAnKGwUAW3ycQqgf

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1100
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1160
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1192
          • C:\Users\Admin\AppData\Local\Temp\b8abcf4ca1f0843a3eedefbde7a6d23ba97d6799ed41e65e51e9e07c38ee6a2b.exe
            "C:\Users\Admin\AppData\Local\Temp\b8abcf4ca1f0843a3eedefbde7a6d23ba97d6799ed41e65e51e9e07c38ee6a2b.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2188
            • C:\Windows\SysWOW64\winver.exe
              winver
              3⤵
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:2904

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Discovery

        System Information Discovery

        1
        T1082

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1100-9-0x0000000000250000-0x0000000000256000-memory.dmp
          Filesize

          24KB

        • memory/1100-23-0x0000000000250000-0x0000000000256000-memory.dmp
          Filesize

          24KB

        • memory/1160-25-0x0000000002010000-0x0000000002016000-memory.dmp
          Filesize

          24KB

        • memory/1160-12-0x0000000002010000-0x0000000002016000-memory.dmp
          Filesize

          24KB

        • memory/1192-24-0x0000000002DC0000-0x0000000002DC6000-memory.dmp
          Filesize

          24KB

        • memory/1192-15-0x0000000002DC0000-0x0000000002DC6000-memory.dmp
          Filesize

          24KB

        • memory/1192-3-0x0000000002DB0000-0x0000000002DB6000-memory.dmp
          Filesize

          24KB

        • memory/1192-6-0x0000000002DB0000-0x0000000002DB6000-memory.dmp
          Filesize

          24KB

        • memory/1192-1-0x0000000002DB0000-0x0000000002DB6000-memory.dmp
          Filesize

          24KB

        • memory/2188-22-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

        • memory/2904-20-0x0000000000210000-0x0000000000216000-memory.dmp
          Filesize

          24KB

        • memory/2904-4-0x0000000000120000-0x0000000000126000-memory.dmp
          Filesize

          24KB

        • memory/2904-27-0x0000000000210000-0x0000000000216000-memory.dmp
          Filesize

          24KB