Analysis

  • max time kernel
    111s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2024 01:34

General

  • Target

    1a9e0b3100d2edb25eb35a62a152991cf4aa51a2ae757a80dbbffb40d959017fN.exe

  • Size

    52KB

  • MD5

    bce2068f5ce67d10a6f6404597437500

  • SHA1

    78de9a6ec8b5750a082e7e81d268712f3ea0c3ab

  • SHA256

    1a9e0b3100d2edb25eb35a62a152991cf4aa51a2ae757a80dbbffb40d959017f

  • SHA512

    10f6c355d27d42eba72eca3da23f6dccfa4b7cd5af6edce79a091176a2c0dbd76b1662463fc9aab3343c77cd05e51786387c976449abafc66c93ff7b4a1946ef

  • SSDEEP

    768:PvC6RMtZNZUXeb4fXDR2JVDDISp8m7DM3pIg4LqTTUUnGg7O1/l9Jq/:TmZNZUXeQXFhS6sM3prUSGg7O1d9Ja

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

  • Tinba family
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2396
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3516
      • C:\Users\Admin\AppData\Local\Temp\1a9e0b3100d2edb25eb35a62a152991cf4aa51a2ae757a80dbbffb40d959017fN.exe
        "C:\Users\Admin\AppData\Local\Temp\1a9e0b3100d2edb25eb35a62a152991cf4aa51a2ae757a80dbbffb40d959017fN.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\SysWOW64\winver.exe
          winver
          3⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4276
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 352
            4⤵
            • Program crash
            PID:2924
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4276 -ip 4276
      1⤵
        PID:4664

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1628-0-0x00000000005C0000-0x00000000005C1000-memory.dmp

        Filesize

        4KB

      • memory/1628-1-0x00000000021F0000-0x0000000002BF0000-memory.dmp

        Filesize

        10.0MB

      • memory/1628-7-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

      • memory/1628-8-0x00000000021F0000-0x0000000002BF0000-memory.dmp

        Filesize

        10.0MB

      • memory/2396-12-0x0000000000B80000-0x0000000000B86000-memory.dmp

        Filesize

        24KB

      • memory/2396-15-0x0000000000B80000-0x0000000000B86000-memory.dmp

        Filesize

        24KB

      • memory/3516-6-0x00007FFB8630D000-0x00007FFB8630E000-memory.dmp

        Filesize

        4KB

      • memory/3516-4-0x00000000007A0000-0x00000000007A6000-memory.dmp

        Filesize

        24KB

      • memory/4276-2-0x0000000002730000-0x0000000002736000-memory.dmp

        Filesize

        24KB

      • memory/4276-5-0x0000000077282000-0x0000000077283000-memory.dmp

        Filesize

        4KB

      • memory/4276-10-0x0000000002730000-0x0000000002736000-memory.dmp

        Filesize

        24KB

      • memory/4276-13-0x0000000002730000-0x0000000002736000-memory.dmp

        Filesize

        24KB