Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    20-08-2024 20:49

General

  • Target

    1edfcd0d4fc5c270ea507d2d28913ad0N.exe

  • Size

    225KB

  • MD5

    1edfcd0d4fc5c270ea507d2d28913ad0

  • SHA1

    d42fb7913e8aa52488fa1887f6695fe09b7a97eb

  • SHA256

    0cbd571f2cbb15bcc922a2fef69b5de0fcce818df2835deeebffcd0481ce4832

  • SHA512

    ca04804f6b908507490dbfad137b10b406da6ebb72b8b9f2b1cb02fe7b1565056db6e937735962877a24e98b715d98a8f81095713e14e1bfbd4c7bed19a21145

  • SSDEEP

    6144:KA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:KATuTAnKGwUAW3ycQqgf

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1100
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1164
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1200
        • C:\Users\Admin\AppData\Local\Temp\1edfcd0d4fc5c270ea507d2d28913ad0N.exe
          "C:\Users\Admin\AppData\Local\Temp\1edfcd0d4fc5c270ea507d2d28913ad0N.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2260
          • C:\Windows\SysWOW64\winver.exe
            winver
            3⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:2716
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        1⤵
          PID:1316

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1100-28-0x0000000001F10000-0x0000000001F16000-memory.dmp

          Filesize

          24KB

        • memory/1100-9-0x0000000001F10000-0x0000000001F16000-memory.dmp

          Filesize

          24KB

        • memory/1164-12-0x00000000001B0000-0x00000000001B6000-memory.dmp

          Filesize

          24KB

        • memory/1164-29-0x00000000001B0000-0x00000000001B6000-memory.dmp

          Filesize

          24KB

        • memory/1200-6-0x0000000003190000-0x0000000003196000-memory.dmp

          Filesize

          24KB

        • memory/1200-3-0x0000000003190000-0x0000000003196000-memory.dmp

          Filesize

          24KB

        • memory/1200-27-0x00000000031B0000-0x00000000031B6000-memory.dmp

          Filesize

          24KB

        • memory/1200-15-0x00000000031B0000-0x00000000031B6000-memory.dmp

          Filesize

          24KB

        • memory/1200-1-0x0000000003190000-0x0000000003196000-memory.dmp

          Filesize

          24KB

        • memory/1316-26-0x0000000001F30000-0x0000000001F36000-memory.dmp

          Filesize

          24KB

        • memory/1316-18-0x0000000001F30000-0x0000000001F36000-memory.dmp

          Filesize

          24KB

        • memory/2260-25-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/2716-23-0x0000000000210000-0x0000000000216000-memory.dmp

          Filesize

          24KB

        • memory/2716-4-0x0000000000120000-0x0000000000126000-memory.dmp

          Filesize

          24KB

        • memory/2716-31-0x0000000000210000-0x0000000000216000-memory.dmp

          Filesize

          24KB