tinba | cff378b9e74d6be946cdbd7aeca4528bc8775521e3cad6575bd02f886d1beb89

General

Target

cff378b9e74d6be946cdbd7aeca4528bc8775521e3cad6575bd02f886d1beb89N.exe
Size

110KB
MD5

9553004dea6cc4ca6ec9dc94c85b6200
SHA1

62c631c4782863ed0746a72de08db890a9667696
SHA256

cff378b9e74d6be946cdbd7aeca4528bc8775521e3cad6575bd02f886d1beb89
SHA512

97b368296e4fbe6257e14566389f865938987ab0aa27db1eb1540808e21c5918e8c695acb72387bf8db60b08461bc34a0e2dff00df759521e942b30a72d3f717
SSDEEP

1536:ZiLOvRmmQegJfBbmAQ256/ZrwWnwqjhurmKFcxL8JQ2r0Eg:ZiyvRmDLs/ZrwWJjAqGcRJ2hg

Score

10^/10

tinba banker discovery persistence trojan upx

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba
Tinba family
tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\713894D0 = "C:\\Users\\Admin\\AppData\\Roaming\\713894D0\\bin.exe"	winver.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1968-0-0x0000000000400000-0x000000000041E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cff378b9e74d6be946cdbd7aeca4528bc8775521e3cad6575bd02f886d1beb89N.exewinver.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cff378b9e74d6be946cdbd7aeca4528bc8775521e3cad6575bd02f886d1beb89N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

winver.exe

pid	process
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe
2336	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winver.exe

pid process

2336 winver.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

cff378b9e74d6be946cdbd7aeca4528bc8775521e3cad6575bd02f886d1beb89N.exewinver.exe

description	pid	process	target process
PID 1968 wrote to memory of 2336	1968	cff378b9e74d6be946cdbd7aeca4528bc8775521e3cad6575bd02f886d1beb89N.exe	winver.exe
PID 1968 wrote to memory of 2336	1968	cff378b9e74d6be946cdbd7aeca4528bc8775521e3cad6575bd02f886d1beb89N.exe	winver.exe
PID 1968 wrote to memory of 2336	1968	cff378b9e74d6be946cdbd7aeca4528bc8775521e3cad6575bd02f886d1beb89N.exe	winver.exe
PID 1968 wrote to memory of 2336	1968	cff378b9e74d6be946cdbd7aeca4528bc8775521e3cad6575bd02f886d1beb89N.exe	winver.exe
PID 1968 wrote to memory of 2336	1968	cff378b9e74d6be946cdbd7aeca4528bc8775521e3cad6575bd02f886d1beb89N.exe	winver.exe
PID 2336 wrote to memory of 1140	2336	winver.exe	Explorer.EXE
PID 2336 wrote to memory of 1060	2336	winver.exe	taskhost.exe
PID 2336 wrote to memory of 1092	2336	winver.exe	Dwm.exe
PID 2336 wrote to memory of 1140	2336	winver.exe	Explorer.EXE
PID 2336 wrote to memory of 760	2336	winver.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1060

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1092

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1140
- C:\Users\Admin\AppData\Local\Temp\cff378b9e74d6be946cdbd7aeca4528bc8775521e3cad6575bd02f886d1beb89N.exe
  "C:\Users\Admin\AppData\Local\Temp\cff378b9e74d6be946cdbd7aeca4528bc8775521e3cad6575bd02f886d1beb89N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\winver.exe
    winver
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-34-0x0000000077A61000-0x0000000077A62000-memory.dmp

Filesize
4KB

Download
memory/760-25-0x0000000001F50000-0x0000000001F56000-memory.dmp

Filesize
24KB

Download
memory/760-33-0x0000000001F50000-0x0000000001F56000-memory.dmp

Filesize
24KB

Download
memory/1060-29-0x0000000001F10000-0x0000000001F16000-memory.dmp

Filesize
24KB

Download
memory/1060-28-0x0000000077A61000-0x0000000077A62000-memory.dmp

Filesize
4KB

Download
memory/1060-31-0x0000000077A61000-0x0000000077A62000-memory.dmp

Filesize
4KB

Download
memory/1060-38-0x0000000001F10000-0x0000000001F16000-memory.dmp

Filesize
24KB

Download
memory/1092-26-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1092-27-0x0000000077A61000-0x0000000077A62000-memory.dmp

Filesize
4KB

Download
memory/1092-20-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1140-2-0x00000000025D0000-0x00000000025D6000-memory.dmp

Filesize
24KB

Download
memory/1140-10-0x0000000077A61000-0x0000000077A62000-memory.dmp

Filesize
4KB

Download
memory/1140-32-0x00000000025B0000-0x00000000025B6000-memory.dmp

Filesize
24KB

Download
memory/1140-4-0x00000000025D0000-0x00000000025D6000-memory.dmp

Filesize
24KB

Download
memory/1140-3-0x00000000025D0000-0x00000000025D6000-memory.dmp

Filesize
24KB

Download
memory/1140-22-0x00000000025B0000-0x00000000025B6000-memory.dmp

Filesize
24KB

Download
memory/1968-12-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1968-13-0x0000000001D90000-0x0000000002790000-memory.dmp

Filesize
10.0MB

Download
memory/1968-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1968-5-0x0000000001D90000-0x0000000002790000-memory.dmp

Filesize
10.0MB

Download
memory/1968-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2336-11-0x0000000077A10000-0x0000000077BB9000-memory.dmp

Filesize
1.7MB

Download
memory/2336-8-0x0000000077C0F000-0x0000000077C10000-memory.dmp

Filesize
4KB

Download
memory/2336-30-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/2336-9-0x0000000077C0F000-0x0000000077C11000-memory.dmp

Filesize
8KB

Download
memory/2336-7-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/2336-6-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads