Analysis

  • max time kernel
    7s
  • max time network
    10s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-10-2023 21:55

General

  • Target

    NEAS.74f0bdb3e02972bc39ef7b2899c19550_JC.exe

  • Size

    45KB

  • MD5

    74f0bdb3e02972bc39ef7b2899c19550

  • SHA1

    68e2652d9e3deb0a649879172abd4b9a65e61fae

  • SHA256

    da8ad29f0274e7a7e3c3369d5be1e05b784d8e755b47bd542f1e3a3952d91a73

  • SHA512

    08b6ae343f248240f87a41e44702e39096478d587a1db0b4e8f66ffc84427b724728f3e23b5e29518092895e46a27a3304ca30a1082a66f9ddc0b25ea4d2f0ac

  • SSDEEP

    768:chP0kDE9N5dCA8J7VHXdrIniQaBTT+QQ+r1n4K8+C9TtIuCjaqUODvJVQ2f:QsWE9N5dFu53dsniQaB/xZ14n7zIF+qr

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3228
    • C:\Users\Admin\AppData\Local\Temp\NEAS.74f0bdb3e02972bc39ef7b2899c19550_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.74f0bdb3e02972bc39ef7b2899c19550_JC.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4452
      • C:\Windows\SysWOW64\winver.exe
        winver
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4796
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:2440
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2404

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2404-15-0x00000000005F0000-0x00000000005F6000-memory.dmp (Filesize 24KB)
  • memory/2440-13-0x0000000000560000-0x0000000000566000-memory.dmp (Filesize 24KB)
  • memory/2440-19-0x0000000000560000-0x0000000000566000-memory.dmp (Filesize 24KB)
  • memory/2740-17-0x0000000000B80000-0x0000000000B86000-memory.dmp (Filesize 24KB)
  • memory/3228-2-0x0000000001480000-0x0000000001486000-memory.dmp (Filesize 24KB)
  • memory/3228-3-0x0000000001480000-0x0000000001486000-memory.dmp (Filesize 24KB)
  • memory/3228-16-0x0000000003380000-0x0000000003386000-memory.dmp (Filesize 24KB)
  • memory/3228-6-0x00007FFE514CD000-0x00007FFE514CE000-memory.dmp (Filesize 4KB)
  • memory/3404-18-0x00000000006F0000-0x00000000006F6000-memory.dmp (Filesize 24KB)
  • memory/4452-4-0x0000000002250000-0x0000000002C50000-memory.dmp (Filesize 10.0MB)
  • memory/4452-9-0x0000000002250000-0x0000000002C50000-memory.dmp (Filesize 10.0MB)
  • memory/4452-8-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize 116KB)
  • memory/4452-0-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize 116KB)
  • memory/4452-1-0x00000000005C0000-0x00000000005C1000-memory.dmp (Filesize 4KB)
  • memory/4796-7-0x0000000000930000-0x0000000000936000-memory.dmp (Filesize 24KB)
  • memory/4796-5-0x0000000077772000-0x0000000077773000-memory.dmp (Filesize 4KB)