tinba | af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe
Size

62KB
MD5

7bc905e9818fdc4db4aaf1f672d4ac6c
SHA1

efa7e31c68031bb6d9f7b67107567ef022f154ee
SHA256

af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0
SHA512

f3be7a2dd70a881e5c845e34221ecde8d130460a6634e776cd27e512ea3fb5604ebd3b5aa65a698fd07f07e89c2a894b84f656e0b304fe883ddb13b69cfafabe
SSDEEP

768:7BpZR8fRR1EOrsKrbcYXn9UdDp7Esezzvmw1dJxWxU5:7BPSJRBrsKrbc4WdDp76zLB0u

Score

10^/10

tinba banker discovery persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba
Tinba family
tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\6813A4BF = "C:\\Users\\Admin\\AppData\\Roaming\\6813A4BF\\bin.exe"	winver.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1344 set thread context of 2148	1344	af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe	28

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe
3064	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3064	winver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1344	af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 2148	1344	af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe	28
PID 1344 wrote to memory of 2148	1344	af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe	28
PID 1344 wrote to memory of 2148	1344	af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe	28
PID 1344 wrote to memory of 2148	1344	af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe	28
PID 1344 wrote to memory of 2148	1344	af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe	28
PID 1344 wrote to memory of 2148	1344	af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe	28
PID 1344 wrote to memory of 2148	1344	af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe	28
PID 2148 wrote to memory of 3064	2148	af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe	29
PID 2148 wrote to memory of 3064	2148	af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe	29
PID 2148 wrote to memory of 3064	2148	af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe	29
PID 2148 wrote to memory of 3064	2148	af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe	29
PID 2148 wrote to memory of 3064	2148	af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe	29
PID 3064 wrote to memory of 1080	3064	winver.exe	18
PID 3064 wrote to memory of 1044	3064	winver.exe	17
PID 3064 wrote to memory of 1080	3064	winver.exe	18
PID 3064 wrote to memory of 1088	3064	winver.exe	19
PID 3064 wrote to memory of 1176	3064	winver.exe	23

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1044

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1080
- C:\Users\Admin\AppData\Local\Temp\af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe
  "C:\Users\Admin\AppData\Local\Temp\af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe
    "C:\Users\Admin\AppData\Local\Temp\af94321f5c88e3b76a7f2daaa55c268a5262130542efcb540f1bc24e0c31f5f0.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\SysWOW64\winver.exe
      winver
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3064

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1088

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1044-23-0x0000000077CE1000-0x0000000077CE2000-memory.dmp

Filesize
4KB

Download
memory/1044-15-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1044-22-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1080-4-0x0000000002560000-0x0000000002566000-memory.dmp

Filesize
24KB

Download
memory/1080-32-0x0000000002570000-0x0000000002576000-memory.dmp

Filesize
24KB

Download
memory/1080-10-0x0000000077CE1000-0x0000000077CE2000-memory.dmp

Filesize
4KB

Download
memory/1080-8-0x0000000002560000-0x0000000002566000-memory.dmp

Filesize
24KB

Download
memory/1080-5-0x0000000002560000-0x0000000002566000-memory.dmp

Filesize
24KB

Download
memory/1080-18-0x0000000002570000-0x0000000002576000-memory.dmp

Filesize
24KB

Download
memory/1088-30-0x00000000020F0000-0x00000000020F6000-memory.dmp

Filesize
24KB

Download
memory/1088-21-0x00000000020F0000-0x00000000020F6000-memory.dmp

Filesize
24KB

Download
memory/1176-26-0x0000000001FD0000-0x0000000001FD6000-memory.dmp

Filesize
24KB

Download
memory/1176-33-0x0000000001FD0000-0x0000000001FD6000-memory.dmp

Filesize
24KB

Download
memory/1176-31-0x0000000077CE1000-0x0000000077CE2000-memory.dmp

Filesize
4KB

Download
memory/2148-2-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3064-29-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/3064-11-0x0000000077C90000-0x0000000077E39000-memory.dmp

Filesize
1.7MB

Download
memory/3064-9-0x0000000000B00000-0x0000000000B16000-memory.dmp

Filesize
88KB

Download
memory/3064-6-0x0000000000160000-0x0000000000166000-memory.dmp

Filesize
24KB

Download
memory/3064-3-0x0000000000B01000-0x0000000000B02000-memory.dmp

Filesize
4KB

Download
memory/3064-34-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3064-40-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download