Analysis

  • max time kernel
    8s
  • max time network
    13s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-10-2023 20:38

General

  • Target

    NEAS.58b676aff7e20b6ac7be762ade641020_JC.exe

  • Size

    49KB

  • MD5

    58b676aff7e20b6ac7be762ade641020

  • SHA1

    7b6862b3cd4a3837e97bbef4d81a367363ae190e

  • SHA256

    77f97efe1a861cd368ad54d18a79a6d5cb0298496b9c777eef538367c414d390

  • SHA512

    e6a0f8a1b8213e22c370d7bccef0bf4fd5c2245eb374e8422ef84fbcb9736ddf3af5138007713effaae5313a91f7b92af82ebe68f933bf6e4cc1a75d2af182ef

  • SSDEEP

    1536:uOBLXNqgzf2v6b6NkXklZlogHGe9eBXW:uYLduv6OqXIlogmjW

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3144
      • C:\Users\Admin\AppData\Local\Temp\NEAS.58b676aff7e20b6ac7be762ade641020_JC.exe
        "C:\Users\Admin\AppData\Local\Temp\NEAS.58b676aff7e20b6ac7be762ade641020_JC.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4164
        • C:\Windows\SysWOW64\winver.exe
          winver
          3⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2820
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
      PID:2332
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2312

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2332-13-0x0000000000270000-0x0000000000276000-memory.dmp (Filesize: 24KB)
  • memory/2820-6-0x00000000777E2000-0x00000000777E3000-memory.dmp (Filesize: 4KB)
  • memory/2820-11-0x0000000001EF0000-0x0000000001EF6000-memory.dmp (Filesize: 24KB)
  • memory/2820-4-0x0000000001EF0000-0x0000000001EF6000-memory.dmp (Filesize: 24KB)
  • memory/3144-5-0x0000000002370000-0x0000000002376000-memory.dmp (Filesize: 24KB)
  • memory/3144-7-0x00007FFF84AED000-0x00007FFF84AEE000-memory.dmp (Filesize: 4KB)
  • memory/3144-3-0x0000000002370000-0x0000000002376000-memory.dmp (Filesize: 24KB)
  • memory/3144-16-0x00000000023B0000-0x00000000023B6000-memory.dmp (Filesize: 24KB)
  • memory/3444-19-0x00000000002F0000-0x00000000002F6000-memory.dmp (Filesize: 24KB)
  • memory/4164-0-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
  • memory/4164-8-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
  • memory/4164-9-0x0000000002330000-0x0000000002D30000-memory.dmp (Filesize: 10.0MB)
  • memory/4164-2-0x0000000002330000-0x0000000002D30000-memory.dmp (Filesize: 10.0MB)
  • memory/4164-1-0x00000000005C0000-0x00000000005C1000-memory.dmp (Filesize: 4KB)