tinba | 2d25e91e18897c9d8f146aa6036228a4e4b25f02fdc89017bed5d8d9852693f6

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-02-2025 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d25e91e18897c9d8f146aa6036228a4e4b25f02fdc89017bed5d8d9852693f6.exe
Size

225KB
MD5

cb4ff02eabebb0efb72861f2f6054e17
SHA1

efbe406f961e2af6bff04d43b4229fd12a55076a
SHA256

2d25e91e18897c9d8f146aa6036228a4e4b25f02fdc89017bed5d8d9852693f6
SHA512

6472b9059f7a2217f48a7e01e635ec5a7bca6f124b9371cc92f2b83aecfa93d14a67ba74742100af357fd9649b1e83a72b369afd36dbdd48e7f7e832920082fd
SSDEEP

6144:nA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:nATuTAnKGwUAW3ycQqgf

Score

10^/10

tinba banker discovery persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba
Tinba family
tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\99393128 = "C:\\Users\\Admin\\AppData\\Roaming\\99393128\\bin.exe"	winver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d25e91e18897c9d8f146aa6036228a4e4b25f02fdc89017bed5d8d9852693f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe
2880	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2880	winver.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2880	2380	2d25e91e18897c9d8f146aa6036228a4e4b25f02fdc89017bed5d8d9852693f6.exe	29
PID 2380 wrote to memory of 2880	2380	2d25e91e18897c9d8f146aa6036228a4e4b25f02fdc89017bed5d8d9852693f6.exe	29
PID 2380 wrote to memory of 2880	2380	2d25e91e18897c9d8f146aa6036228a4e4b25f02fdc89017bed5d8d9852693f6.exe	29
PID 2380 wrote to memory of 2880	2380	2d25e91e18897c9d8f146aa6036228a4e4b25f02fdc89017bed5d8d9852693f6.exe	29
PID 2380 wrote to memory of 2880	2380	2d25e91e18897c9d8f146aa6036228a4e4b25f02fdc89017bed5d8d9852693f6.exe	29
PID 2880 wrote to memory of 1360	2880	winver.exe	20
PID 2880 wrote to memory of 1232	2880	winver.exe	18
PID 2880 wrote to memory of 1320	2880	winver.exe	19
PID 2880 wrote to memory of 1360	2880	winver.exe	20
PID 2880 wrote to memory of 928	2880	winver.exe	22
PID 2880 wrote to memory of 2380	2880	winver.exe	28

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1232

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\2d25e91e18897c9d8f146aa6036228a4e4b25f02fdc89017bed5d8d9852693f6.exe
  "C:\Users\Admin\AppData\Local\Temp\2d25e91e18897c9d8f146aa6036228a4e4b25f02fdc89017bed5d8d9852693f6.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\winver.exe
    winver
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2880

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/928-19-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download
memory/928-28-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download
memory/1232-10-0x0000000001B40000-0x0000000001B46000-memory.dmp

Filesize
24KB

Download
memory/1232-26-0x0000000001B40000-0x0000000001B46000-memory.dmp

Filesize
24KB

Download
memory/1320-13-0x00000000001A0000-0x00000000001A6000-memory.dmp

Filesize
24KB

Download
memory/1320-27-0x00000000001A0000-0x00000000001A6000-memory.dmp

Filesize
24KB

Download
memory/1360-6-0x0000000001DB0000-0x0000000001DB6000-memory.dmp

Filesize
24KB

Download
memory/1360-3-0x0000000001DB0000-0x0000000001DB6000-memory.dmp

Filesize
24KB

Download
memory/1360-16-0x00000000026D0000-0x00000000026D6000-memory.dmp

Filesize
24KB

Download
memory/1360-1-0x0000000001DB0000-0x0000000001DB6000-memory.dmp

Filesize
24KB

Download
memory/1360-29-0x00000000026D0000-0x00000000026D6000-memory.dmp

Filesize
24KB

Download
memory/2380-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2880-24-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/2880-4-0x0000000000100000-0x0000000000106000-memory.dmp

Filesize
24KB

Download
memory/2880-31-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download