Analysis

  • max time kernel
    8s
  • max time network
    10s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20231020-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    22-10-2023 14:40

General

  • Target

    NEAS.9be510542391dfd892992c927d2a1120_JC.exe

  • Size

    88KB

  • MD5

    9be510542391dfd892992c927d2a1120

  • SHA1

    17d4ce157ab06b0aeec5590a23bf08f0b17ff064

  • SHA256

    581e2d741412469c87ebcfbfb60f65892fd824b95f976a9ee6a628d66e46ee59

  • SHA512

    8791dd9f38e1aa22b4c6677e319985b610a23e625137649092404b0742d76b949e7fe09950b2bf7f7cb7e71e2d2d5af9e3a27210496f68025448e0f02aa66d93

  • SSDEEP

    1536:S5nfmIpxDWbUfd3aOPmxxEhvgCooXqRQqjh+rmKVsN:S5fvp12UFKcD/6jwqWsN

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3356
    • C:\Users\Admin\AppData\Local\Temp\NEAS.9be510542391dfd892992c927d2a1120_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.9be510542391dfd892992c927d2a1120_JC.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Windows\SysWOW64\winver.exe
        winver
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:920
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:2660
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:2480
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/920-10-0x00000000012E0000-0x00000000012E6000-memory.dmp
    Filesize
    24KB
  • memory/920-3-0x00000000012E0000-0x00000000012E6000-memory.dmp
    Filesize
    24KB
  • memory/920-5-0x0000000077D32000-0x0000000077D33000-memory.dmp
    Filesize
    4KB
  • memory/2448-14-0x00000000006F0000-0x00000000006F6000-memory.dmp
    Filesize
    24KB
  • memory/2480-16-0x00000000004B0000-0x00000000004B6000-memory.dmp
    Filesize
    24KB
  • memory/2480-12-0x00000000004B0000-0x00000000004B6000-memory.dmp
    Filesize
    24KB
  • memory/2660-13-0x0000000000EF0000-0x0000000000EF6000-memory.dmp
    Filesize
    24KB
  • memory/3356-15-0x0000000001240000-0x0000000001246000-memory.dmp
    Filesize
    24KB
  • memory/3356-6-0x00007FF97430D000-0x00007FF97430E000-memory.dmp
    Filesize
    4KB
  • memory/3356-4-0x00000000012A0000-0x00000000012A6000-memory.dmp
    Filesize
    24KB
  • memory/3356-2-0x00000000012A0000-0x00000000012A6000-memory.dmp
    Filesize
    24KB
  • memory/3356-18-0x0000000001240000-0x0000000001246000-memory.dmp
    Filesize
    24KB
  • memory/3492-17-0x0000000000030000-0x0000000000036000-memory.dmp
    Filesize
    24KB
  • memory/3608-8-0x0000000002190000-0x0000000002B90000-memory.dmp
    Filesize
    10.0MB
  • memory/3608-7-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize
    92KB
  • memory/3608-0-0x0000000002170000-0x0000000002171000-memory.dmp
    Filesize
    4KB
  • memory/3608-1-0x0000000002190000-0x0000000002B90000-memory.dmp
    Filesize
    10.0MB