tinba | a53ec090d41e2ce3181401cbf815302c07848f7cda7ed4a31eb64ce159137940

Analysis

max time kernel
108s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2024, 01:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a53ec090d41e2ce3181401cbf815302c07848f7cda7ed4a31eb64ce159137940.exe
Size

168KB
MD5

354b0acf19b469bf28fb6ed0d67943a4
SHA1

342c4c422fe7105b0881b56f98b3d5c11d716009
SHA256

a53ec090d41e2ce3181401cbf815302c07848f7cda7ed4a31eb64ce159137940
SHA512

a37747a97ac8b015452b7e0e328854b43e1767116b344848705f1f60a67c1d8ab92b887836b74f814e81eb50ddc91b5c4777ac4b871dda79eb7d1b4a1c184ed3
SSDEEP

3072:R+//K1KJAR6KtqDSB8NojBOryOIy4IwiyO+//K1KJR3lW:GKkmVtqWB8NojgrvIy4RiypKkflW

Score

10^/10

tinba banker discovery persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba
Tinba family
tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D2DEF122 = "C:\\Users\\Admin\\AppData\\Roaming\\D2DEF122\\bin.exe"	winver.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3460	3164	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a53ec090d41e2ce3181401cbf815302c07848f7cda7ed4a31eb64ce159137940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3164	winver.exe
3164	winver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3420	Explorer.EXE
Token: SeCreatePagefilePrivilege	3420	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3164	winver.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 3164	3080	a53ec090d41e2ce3181401cbf815302c07848f7cda7ed4a31eb64ce159137940.exe	82
PID 3080 wrote to memory of 3164	3080	a53ec090d41e2ce3181401cbf815302c07848f7cda7ed4a31eb64ce159137940.exe	82
PID 3080 wrote to memory of 3164	3080	a53ec090d41e2ce3181401cbf815302c07848f7cda7ed4a31eb64ce159137940.exe	82
PID 3080 wrote to memory of 3164	3080	a53ec090d41e2ce3181401cbf815302c07848f7cda7ed4a31eb64ce159137940.exe	82
PID 3164 wrote to memory of 3420	3164	winver.exe	56
PID 3164 wrote to memory of 2500	3164	winver.exe	42

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3420
- C:\Users\Admin\AppData\Local\Temp\a53ec090d41e2ce3181401cbf815302c07848f7cda7ed4a31eb64ce159137940.exe
  "C:\Users\Admin\AppData\Local\Temp\a53ec090d41e2ce3181401cbf815302c07848f7cda7ed4a31eb64ce159137940.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\SysWOW64\winver.exe
    winver
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 356
      4⤵
      Program crash
      PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3164 -ip 3164
1⤵
PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2500-12-0x0000000000880000-0x0000000000886000-memory.dmp

Filesize
24KB

Download
memory/3080-0-0x0000000000AB0000-0x0000000000AB2000-memory.dmp

Filesize
8KB

Download
memory/3080-3-0x0000000002480000-0x0000000002E80000-memory.dmp

Filesize
10.0MB

Download
memory/3080-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3080-8-0x0000000002480000-0x0000000002E80000-memory.dmp

Filesize
10.0MB

Download
memory/3164-4-0x00000000779A2000-0x00000000779A3000-memory.dmp

Filesize
4KB

Download
memory/3164-6-0x00007FF8382B0000-0x00007FF8384A5000-memory.dmp

Filesize
2.0MB

Download
memory/3164-10-0x0000000000990000-0x0000000000996000-memory.dmp

Filesize
24KB

Download
memory/3164-13-0x0000000000990000-0x0000000000996000-memory.dmp

Filesize
24KB

Download
memory/3420-2-0x0000000001F90000-0x0000000001F96000-memory.dmp

Filesize
24KB

Download
memory/3420-1-0x0000000001F90000-0x0000000001F96000-memory.dmp

Filesize
24KB

Download
memory/3420-5-0x00007FF83834D000-0x00007FF83834E000-memory.dmp

Filesize
4KB

Download