Analysis

  • max time kernel
    7s
  • max time network
    14s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-10-2023 19:52

General

  • Target

    NEAS.39320d58fc8d98a54fc6b5472a587440.exe

  • Size

    88KB

  • MD5

    39320d58fc8d98a54fc6b5472a587440

  • SHA1

    63353b4e546c1ab11358c8f136301cd63055d931

  • SHA256

    f80075d8bf83331c84a6a47c8ac9418f5d80d5e683ed704b0e9dc2f6c4325723

  • SHA512

    95645bbb3bd2c825cfe7d7544ad456911527bbe7b576ad3740bfa47317ac4ecddfdaa452bdb9d7c1e3ada60e542a9c3bd6a3bc56505c865408446b0ce081bd50

  • SSDEEP

    1536:85nfmIpxDWbUfd3aOPmxxEhvgCooXqRQqjh+rmKVsN:85fvp12UFKcD/6jwqWsN

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
      PID:2360
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
        PID:2344
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:3316
          • C:\Users\Admin\AppData\Local\Temp\NEAS.39320d58fc8d98a54fc6b5472a587440.exe
            "C:\Users\Admin\AppData\Local\Temp\NEAS.39320d58fc8d98a54fc6b5472a587440.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4700
            • C:\Windows\SysWOW64\winver.exe
              winver
              3⤵
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:3020

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2360-12-0x00000000000B0000-0x00000000000B6000-memory.dmp

          Filesize

          24KB

        • memory/2468-14-0x00000000007D0000-0x00000000007D6000-memory.dmp

          Filesize

          24KB

        • memory/3020-6-0x0000000001350000-0x0000000001356000-memory.dmp

          Filesize

          24KB

        • memory/3020-4-0x0000000077632000-0x0000000077633000-memory.dmp

          Filesize

          4KB

        • memory/3316-5-0x00007FF890FCD000-0x00007FF890FCE000-memory.dmp

          Filesize

          4KB

        • memory/3316-2-0x0000000000B00000-0x0000000000B06000-memory.dmp

          Filesize

          24KB

        • memory/3316-16-0x0000000000B40000-0x0000000000B46000-memory.dmp

          Filesize

          24KB

        • memory/3316-1-0x0000000000B00000-0x0000000000B06000-memory.dmp

          Filesize

          24KB

        • memory/3316-18-0x0000000000B40000-0x0000000000B46000-memory.dmp

          Filesize

          24KB

        • memory/3520-17-0x0000000000440000-0x0000000000446000-memory.dmp

          Filesize

          24KB

        • memory/4700-3-0x00000000021D0000-0x0000000002BD0000-memory.dmp

          Filesize

          10.0MB

        • memory/4700-0-0x00000000005C0000-0x00000000005C1000-memory.dmp

          Filesize

          4KB

        • memory/4700-7-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

        • memory/4700-8-0x00000000021D0000-0x0000000002BD0000-memory.dmp

          Filesize

          10.0MB