Analysis

  • max time kernel
    12s
  • max time network
    18s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-10-2023 10:44

General

  • Target

    NEAS.b629945c89457faa408981dcdd008f40.exe

  • Size

    113KB

  • MD5

    b629945c89457faa408981dcdd008f40

  • SHA1

    665111f8903c947ecc23f96af998473ff17ddcfc

  • SHA256

    05a8f963d6f5d95515eebc21af34608ccc5ae92528b9bcb3ee5e25a0497a4d40

  • SHA512

    b92cba64c6392bf47ec3a19415f5f4ef1ce2ae1cc2b38d1650bfd8d58affe6005e13cb457814aa6998d93f9f54c15d46c68b2a1beadf1934eb6cdf6649175ecc

  • SSDEEP

    1536:QiLOvRmmQegJfBbmAQ256/ZrwWhwqjhurmKFcbL86WV0E:QiyvRmDLs/ZrwWjjAqGcfzWH

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3324
      • C:\Users\Admin\AppData\Local\Temp\NEAS.b629945c89457faa408981dcdd008f40.exe
        "C:\Users\Admin\AppData\Local\Temp\NEAS.b629945c89457faa408981dcdd008f40.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2280
        • C:\Windows\SysWOW64\winver.exe
          winver
          3⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:5064
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
      1⤵
        PID:2564
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
          PID:2504

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2280-8-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2280-1-0x00000000005A0000-0x00000000005A1000-memory.dmp

          Filesize

          4KB

        • memory/2280-9-0x0000000002320000-0x0000000002D20000-memory.dmp

          Filesize

          10.0MB

        • memory/2280-0-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2280-4-0x0000000002320000-0x0000000002D20000-memory.dmp

          Filesize

          10.0MB

        • memory/2504-15-0x0000000000770000-0x0000000000776000-memory.dmp

          Filesize

          24KB

        • memory/2564-13-0x0000000000C50000-0x0000000000C56000-memory.dmp

          Filesize

          24KB

        • memory/2832-14-0x0000000000940000-0x0000000000946000-memory.dmp

          Filesize

          24KB

        • memory/3324-6-0x00007FFA5E72D000-0x00007FFA5E72E000-memory.dmp

          Filesize

          4KB

        • memory/3324-3-0x0000000000A70000-0x0000000000A76000-memory.dmp

          Filesize

          24KB

        • memory/3324-2-0x0000000000A70000-0x0000000000A76000-memory.dmp

          Filesize

          24KB

        • memory/3324-16-0x0000000000A40000-0x0000000000A46000-memory.dmp

          Filesize

          24KB

        • memory/3496-19-0x0000000000630000-0x0000000000636000-memory.dmp

          Filesize

          24KB

        • memory/3688-21-0x0000000000A40000-0x0000000000A46000-memory.dmp

          Filesize

          24KB

        • memory/5064-5-0x0000000077A92000-0x0000000077A93000-memory.dmp

          Filesize

          4KB

        • memory/5064-7-0x0000000002D40000-0x0000000002D46000-memory.dmp

          Filesize

          24KB