Analysis Overview
SHA256
9adb63a85b887a2746fc8675947800cc4ee11ea220284d659e700bb2625d6c58
Threat Level: Known bad
The file NEAS.fa5cb8a2c507cc0f4141beceeb3d49d0.exe was found to be: Known bad.
Malicious Activity Summary
Tinba / TinyBanker
UPX packed file
Adds Run key to start application
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-28 20:19
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-28 20:19
Reported
2023-10-29 01:48
Platform
win7-20231020-en
Max time kernel
163s
Max time network
202s
Command Line
Signatures
Tinba / TinyBanker
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\49D525F6 = "C:\\Users\\Admin\\AppData\\Roaming\\49D525F6\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\NEAS.fa5cb8a2c507cc0f4141beceeb3d49d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fa5cb8a2c507cc0f4141beceeb3d49d0.exe"
C:\Windows\SysWOW64\winver.exe
winver
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | spaines.pw | udp |
| US | 216.218.185.162:80 | spaines.pw | tcp |
Files
memory/2780-0-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2780-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2780-3-0x0000000001BB0000-0x00000000025B0000-memory.dmp
memory/2688-5-0x0000000000180000-0x0000000000186000-memory.dmp
memory/1304-4-0x0000000002A90000-0x0000000002A96000-memory.dmp
memory/1304-2-0x0000000002A90000-0x0000000002A96000-memory.dmp
memory/1304-7-0x0000000002A90000-0x0000000002A96000-memory.dmp
memory/2688-9-0x0000000077700000-0x0000000077701000-memory.dmp
memory/1304-10-0x0000000077551000-0x0000000077552000-memory.dmp
memory/2688-8-0x00000000776FF000-0x0000000077701000-memory.dmp
memory/2688-6-0x00000000776FF000-0x0000000077700000-memory.dmp
memory/2688-11-0x0000000000BA0000-0x0000000000BB6000-memory.dmp
memory/2780-12-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2780-13-0x0000000001BB0000-0x00000000025B0000-memory.dmp
memory/2688-15-0x0000000000180000-0x0000000000186000-memory.dmp
memory/2688-16-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1156-21-0x0000000001CA0000-0x0000000001CA6000-memory.dmp
memory/1156-23-0x0000000077551000-0x0000000077552000-memory.dmp
memory/1240-20-0x0000000001BB0000-0x0000000001BB6000-memory.dmp
memory/1304-24-0x0000000002AA0000-0x0000000002AA6000-memory.dmp
memory/1240-25-0x0000000001BB0000-0x0000000001BB6000-memory.dmp
memory/1304-26-0x0000000002AA0000-0x0000000002AA6000-memory.dmp
memory/1304-27-0x00000000776E0000-0x00000000776E1000-memory.dmp
memory/2688-31-0x00000000001D0000-0x00000000001D1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-28 20:19
Reported
2023-10-29 01:45
Platform
win10v2004-20231023-en
Max time kernel
163s
Max time network
183s
Command Line
Signatures
Tinba / TinyBanker
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\73A599E0 = "C:\\Users\\Admin\\AppData\\Roaming\\73A599E0\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.fa5cb8a2c507cc0f4141beceeb3d49d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fa5cb8a2c507cc0f4141beceeb3d49d0.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SysWOW64\winver.exe
winver
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3752 -s 940
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | spaines.pw | udp |
| US | 216.218.185.162:80 | spaines.pw | tcp |
| US | 8.8.8.8:53 | uyhgqunqkxnx.pw | udp |
| US | 8.8.8.8:53 | 162.185.218.216.in-addr.arpa | udp |
| NL | 192.42.116.41:80 | uyhgqunqkxnx.pw | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vcklmnnejwxx.pw | udp |
| US | 216.218.185.162:80 | vcklmnnejwxx.pw | tcp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
memory/4236-0-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4236-1-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4236-2-0x0000000002160000-0x0000000002161000-memory.dmp
memory/4236-3-0x0000000002340000-0x0000000002D40000-memory.dmp
memory/2788-4-0x0000000002A90000-0x0000000002A96000-memory.dmp
memory/2788-7-0x0000000077032000-0x0000000077033000-memory.dmp
memory/3380-6-0x0000000001550000-0x0000000001556000-memory.dmp
memory/3380-8-0x00007FF8B8D4D000-0x00007FF8B8D4E000-memory.dmp
memory/4236-9-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4236-11-0x0000000002340000-0x0000000002D40000-memory.dmp
memory/2788-13-0x0000000002A90000-0x0000000002A96000-memory.dmp
memory/2360-15-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2360-19-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3380-21-0x00000000033F0000-0x00000000033F6000-memory.dmp
memory/2468-23-0x00000000002D0000-0x00000000002D6000-memory.dmp
memory/3752-22-0x0000000000E70000-0x0000000000E76000-memory.dmp
memory/3876-24-0x0000000000CF0000-0x0000000000CF6000-memory.dmp
memory/3544-20-0x0000000000F80000-0x0000000000F86000-memory.dmp
memory/3380-18-0x00000000033F0000-0x00000000033F6000-memory.dmp
memory/2336-17-0x0000000000AF0000-0x0000000000AF6000-memory.dmp
memory/2468-16-0x00000000002D0000-0x00000000002D6000-memory.dmp
memory/3544-25-0x0000000000F80000-0x0000000000F86000-memory.dmp
memory/3940-26-0x0000000000BF0000-0x0000000000BF6000-memory.dmp
memory/3876-27-0x0000000000CF0000-0x0000000000CF6000-memory.dmp
memory/3940-28-0x0000000000BF0000-0x0000000000BF6000-memory.dmp
memory/3860-30-0x0000000000860000-0x0000000000866000-memory.dmp
memory/4036-29-0x00000000001A0000-0x00000000001A6000-memory.dmp
memory/3608-33-0x0000000000120000-0x0000000000126000-memory.dmp
memory/3860-32-0x0000000000860000-0x0000000000866000-memory.dmp
memory/3168-31-0x0000000000FD0000-0x0000000000FD6000-memory.dmp
memory/3168-34-0x0000000000FD0000-0x0000000000FD6000-memory.dmp
memory/3608-35-0x0000000000120000-0x0000000000126000-memory.dmp
memory/3672-36-0x00000000009A0000-0x00000000009A6000-memory.dmp
memory/2136-37-0x0000000000960000-0x0000000000966000-memory.dmp
memory/1276-38-0x00000000000D0000-0x00000000000D6000-memory.dmp
memory/3540-39-0x0000000000DF0000-0x0000000000DF6000-memory.dmp
memory/1276-40-0x00000000000D0000-0x00000000000D6000-memory.dmp
memory/3540-41-0x0000000000DF0000-0x0000000000DF6000-memory.dmp
memory/3380-42-0x00007FF8B8ED0000-0x00007FF8B8ED1000-memory.dmp
memory/3828-43-0x0000000000740000-0x0000000000746000-memory.dmp
memory/3828-44-0x0000000000740000-0x0000000000746000-memory.dmp
memory/3828-57-0x00007FF8B8EC0000-0x00007FF8B8EC1000-memory.dmp
memory/3828-60-0x00007FF8B8ED0000-0x00007FF8B8ED1000-memory.dmp
memory/3540-67-0x00007FF8B8EC0000-0x00007FF8B8EC1000-memory.dmp
memory/3540-68-0x00007FF8B8EE0000-0x00007FF8B8EE1000-memory.dmp
memory/3540-69-0x00007FF8B8ED0000-0x00007FF8B8ED1000-memory.dmp
memory/884-70-0x00000000003B0000-0x00000000003B6000-memory.dmp
memory/884-71-0x00007FF8B8D4D000-0x00007FF8B8D4E000-memory.dmp
memory/884-72-0x00007FF8B8D4D000-0x00007FF8B8D4E000-memory.dmp
memory/3876-73-0x00007FF8B8EC0000-0x00007FF8B8EC1000-memory.dmp
memory/884-74-0x00007FF8B8EE0000-0x00007FF8B8EE1000-memory.dmp
memory/3380-80-0x00007FF8B8EE0000-0x00007FF8B8EE1000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\a863bd3d5bc94564b860a08831d54e5d_1
| MD5 | 59dbfe73a4611f9ba0cfa63af6fcc171 |
| SHA1 | a95543b78e584e4dc8d34411181b03bc6d628a37 |
| SHA256 | e1291ee6b1583642a344a4a880377b68140443b3fced2f0112c15d907883b009 |
| SHA512 | 76c97e646826e438e6b723d86ca2f56056163dfd90e64081a37ef499e330ec76d3f2e7ceb2c6912f9d5020d25d37e6cc08d96fb72e38af9a421694d1025d4868 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
| MD5 | 3c7507d881368edc49e71f7edc63a5ca |
| SHA1 | 107c244541ced2c5fae7d29cf84111f20315af04 |
| SHA256 | e91a55567e7ad58aa5b26c16a3bfa82b549a36d68cb73e68367abdcdd8fd6bb7 |
| SHA512 | 60544bae25278c34681c90cdbae4aafa2f695fb57697e84134e98e0106287eea804d012cf7eb829e3658c28094eaa3a892375cc3d88bcda3c0c174ef5313d10e |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
| MD5 | e8890f846abcb5ee3c4da468e90416ec |
| SHA1 | 58e2b833908914366eea5f15fb5abd5c5b3d506b |
| SHA256 | e5c075bfbc2af2010ca87fa3ccfdc82ae4bf1e50339ce9d5abd188413972d5e1 |
| SHA512 | 81dbe6fe58097c7abb43c6d8f9050314d3ec6a77b0c3c507acb8cf1a5a170a762a05014222032af45c8dc3fae7ab509abe6a75dd6f1f075ed91a3e42409f0819 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\310091\7df7dcf9ef7646769b4e060ca2bf74c5_1
| MD5 | 88adfbee8d4da2ae1e76aa45b317c6f5 |
| SHA1 | 64aff6b4f2ed8d64ae91d49952164f7673510c27 |
| SHA256 | 0a4971d42e6a2e167c07c76ea983df10189bd6de47b0fb24530d47974de5e569 |
| SHA512 | d1cd76ca8f4b154b432aee497e971e9b2be83e0ec9974f5e215ed0c68be6273ec3768ded6cc09bc33559cfbf3a91f533af9cb41231a6ef105c3d4d073e41ae9e |
memory/884-102-0x00007FF8B8ED0000-0x00007FF8B8ED1000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
| MD5 | d144c76aea7a274f0b4385afb258b02a |
| SHA1 | 7caca7bac05664446c2e772ec7005f48696353d1 |
| SHA256 | 903bb06dfcf737901fb639f2a8db789ac5db1a8e5491ee3b44fd425d47b0b4ae |
| SHA512 | 9fc62ee7162ca95092effb4df31b13735af56911415caff87b08916a2dffd9ddb6f08d3c35dae9a9de0416c69d1471774a057fcc519f9db52d229e418dd35098 |
memory/884-113-0x00000000003B0000-0x00000000003B6000-memory.dmp
memory/3940-114-0x00007FF8B8EC0000-0x00007FF8B8EC1000-memory.dmp
memory/3940-115-0x00007FF8B8EE0000-0x00007FF8B8EE1000-memory.dmp
memory/3940-116-0x00007FF8B8ED0000-0x00007FF8B8ED1000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\a863bd3d5bc94564b860a08831d54e5d_1
| MD5 | 59dbfe73a4611f9ba0cfa63af6fcc171 |
| SHA1 | a95543b78e584e4dc8d34411181b03bc6d628a37 |
| SHA256 | e1291ee6b1583642a344a4a880377b68140443b3fced2f0112c15d907883b009 |
| SHA512 | 76c97e646826e438e6b723d86ca2f56056163dfd90e64081a37ef499e330ec76d3f2e7ceb2c6912f9d5020d25d37e6cc08d96fb72e38af9a421694d1025d4868 |
memory/3876-119-0x00007FF8B8ED0000-0x00007FF8B8ED1000-memory.dmp