Analysis Overview
SHA256
a9ff6094d450c265a3d3cc5e31f03209650a57edd809636300ea482a31652987
Threat Level: Known bad
The file NEAS.accc17f3d435ca7f42ef85350778ef10.exe was found to be: Known bad.
Malicious Activity Summary
Tinba / TinyBanker
UPX packed file
Adds Run key to start application
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-31 08:57
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-31 08:57
Reported
2023-10-31 11:25
Platform
win10v2004-20231023-en
Max time kernel
168s
Max time network
188s
Command Line
Signatures
Tinba / TinyBanker
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D669E8BA = "C:\\Users\\Admin\\AppData\\Roaming\\D669E8BA\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\backgroundTaskHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\DllHost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\DllHost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\DllHost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\DllHost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\DllHost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\DllHost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.accc17f3d435ca7f42ef85350778ef10.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.accc17f3d435ca7f42ef85350778ef10.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SysWOW64\winver.exe
winver
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3652 -s 976
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3684 -s 748
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4936 -s 680
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3504 -s 964
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1432 -s 840
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1768 -s 784
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2908 -s 680
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 408 -s 476
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | spaines.pw | udp |
| US | 216.218.185.162:80 | spaines.pw | tcp |
| US | 8.8.8.8:53 | 162.185.218.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
memory/3916-0-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3916-1-0x0000000002160000-0x0000000002161000-memory.dmp
memory/3916-2-0x0000000002250000-0x0000000002C50000-memory.dmp
memory/3232-3-0x0000000000B00000-0x0000000000B06000-memory.dmp
memory/3232-5-0x0000000000B00000-0x0000000000B06000-memory.dmp
memory/3764-4-0x00000000013A0000-0x00000000013A6000-memory.dmp
memory/3232-6-0x00007FF81F38D000-0x00007FF81F38E000-memory.dmp
memory/3764-7-0x0000000077172000-0x0000000077173000-memory.dmp
memory/3916-8-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3916-10-0x0000000002250000-0x0000000002C50000-memory.dmp
memory/3764-12-0x00000000013A0000-0x00000000013A6000-memory.dmp
memory/2352-14-0x0000000000BA0000-0x0000000000BA6000-memory.dmp
memory/2336-15-0x0000000000EA0000-0x0000000000EA6000-memory.dmp
memory/2352-19-0x0000000000BA0000-0x0000000000BA6000-memory.dmp
memory/3232-18-0x0000000002A90000-0x0000000002A96000-memory.dmp
memory/2352-17-0x00007FF81F38D000-0x00007FF81F38E000-memory.dmp
memory/2484-16-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2484-21-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3436-20-0x0000000000110000-0x0000000000116000-memory.dmp
memory/3436-25-0x0000000000110000-0x0000000000116000-memory.dmp
memory/3928-26-0x00000000008E0000-0x00000000008E6000-memory.dmp
memory/3868-24-0x0000000000350000-0x0000000000356000-memory.dmp
memory/3652-23-0x0000000000390000-0x0000000000396000-memory.dmp
memory/3232-22-0x0000000002A90000-0x0000000002A96000-memory.dmp
memory/3868-27-0x0000000000350000-0x0000000000356000-memory.dmp
memory/3928-28-0x00000000008E0000-0x00000000008E6000-memory.dmp
memory/4020-29-0x0000000000810000-0x0000000000816000-memory.dmp
memory/2116-30-0x0000000000CA0000-0x0000000000CA6000-memory.dmp
memory/5048-31-0x0000000000520000-0x0000000000526000-memory.dmp
memory/5048-34-0x0000000000520000-0x0000000000526000-memory.dmp
memory/4184-33-0x0000000000E70000-0x0000000000E76000-memory.dmp
memory/2116-32-0x0000000000CA0000-0x0000000000CA6000-memory.dmp
memory/4184-35-0x0000000000E70000-0x0000000000E76000-memory.dmp
memory/1300-36-0x0000000000810000-0x0000000000816000-memory.dmp
memory/3772-37-0x0000000000580000-0x0000000000586000-memory.dmp
memory/4960-38-0x0000000000A80000-0x0000000000A86000-memory.dmp
memory/1528-39-0x0000000000F20000-0x0000000000F26000-memory.dmp
memory/4960-40-0x0000000000A80000-0x0000000000A86000-memory.dmp
memory/1528-41-0x0000000000F20000-0x0000000000F26000-memory.dmp
memory/4384-42-0x0000000000830000-0x0000000000836000-memory.dmp
memory/4384-43-0x0000000000830000-0x0000000000836000-memory.dmp
memory/3232-56-0x00007FF81F510000-0x00007FF81F511000-memory.dmp
memory/4384-58-0x00007FF81F500000-0x00007FF81F501000-memory.dmp
memory/4384-63-0x00007FF81F510000-0x00007FF81F511000-memory.dmp
memory/1528-70-0x00007FF81F500000-0x00007FF81F501000-memory.dmp
memory/1528-71-0x00007FF81F520000-0x00007FF81F521000-memory.dmp
memory/4976-72-0x0000000000930000-0x0000000000936000-memory.dmp
memory/4976-73-0x00007FF81F38D000-0x00007FF81F38E000-memory.dmp
memory/4976-74-0x00007FF81F520000-0x00007FF81F521000-memory.dmp
memory/1528-75-0x00007FF81F510000-0x00007FF81F511000-memory.dmp
memory/3704-77-0x0000000000540000-0x0000000000546000-memory.dmp
memory/3684-78-0x0000000000B00000-0x0000000000B06000-memory.dmp
memory/3684-79-0x000001F6C8DA0000-0x000001F6C8DA8000-memory.dmp
memory/3684-81-0x000001F6C8F70000-0x000001F6C8F78000-memory.dmp
memory/3684-82-0x000001F6C8F60000-0x000001F6C8F61000-memory.dmp
memory/3684-84-0x000001F6C8DB0000-0x000001F6C8DB8000-memory.dmp
memory/3684-87-0x000001F6C8D70000-0x000001F6C8D78000-memory.dmp
memory/3684-90-0x000001F6C8B20000-0x000001F6C8B21000-memory.dmp
memory/3868-91-0x00007FF81F500000-0x00007FF81F501000-memory.dmp
memory/5032-93-0x0000000000990000-0x0000000000996000-memory.dmp
memory/5032-94-0x0000000000990000-0x0000000000996000-memory.dmp
memory/4976-97-0x0000000000930000-0x0000000000936000-memory.dmp
memory/4936-98-0x00000000004D0000-0x00000000004D6000-memory.dmp
memory/3232-107-0x00007FF81F520000-0x00007FF81F521000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338389\35f06457b69946929ae5a8548ab9fbcd_1
| MD5 | 33125389b5dcfcf858c72e6eb444503d |
| SHA1 | f85b6d3132f635106f423d7b5fd9981a836447fc |
| SHA256 | dbaef75680d3a139331328c2ae3ba78ba4ec441488ae30009786bd23b05fa3db |
| SHA512 | c858ea4d5ce33230d16568f2b2e2d07b037b76d5e636841c8c781976024527064e83721b66492126bea81189b60bb4927728d035a23c133821aaad719b8446dd |
memory/1712-109-0x0000000000D70000-0x0000000000D76000-memory.dmp
memory/692-110-0x00000000008D0000-0x00000000008D6000-memory.dmp
memory/692-111-0x00000000008D0000-0x00000000008D6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
| MD5 | c20599abab693db3162893bd1561c4df |
| SHA1 | 8f4e1d9786391f7bf4fd586184a37be1ff6b28a7 |
| SHA256 | 594f740205677469fedbaae4f8e0d87641cdf1da4c98c2ff346ccc378fe9e938 |
| SHA512 | 16b33f32bff97cbe427d643d9e2c5c78b48c8044b42d48a47c85fcacda305f4e2311b6c258978326888f8ad3159ca679bd02d7203799b983a61a4105c4b3b491 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\c6e99513f531488bbe34ed5b6b16e932_1
| MD5 | 7d0fb75f151fa106c77afd2768e16742 |
| SHA1 | 483b915ad567d4257ee9aa58ace1214135f94fd1 |
| SHA256 | 0422600ff8448242e01ba8b992f30174024acce5770ad72d4e3d102a90a47523 |
| SHA512 | 2a5ed0e951a9b21ca8a5a7609b732b183f08b9464ba2fe619aec15a3d69f1327c90c16133930b477f928a7def9675d2abfb11e2eb1108af96ca9e4fd4353dee1 |
memory/692-115-0x00007FF81F500000-0x00007FF81F501000-memory.dmp
memory/4976-116-0x00007FF81F510000-0x00007FF81F511000-memory.dmp
memory/692-119-0x00007FF81F510000-0x00007FF81F511000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
| MD5 | bdfb901af5dfecf734dd1d744225c647 |
| SHA1 | 90e0b83d02dbbc8d26102a3fb54989874b213af1 |
| SHA256 | b5eb2936f9d384868b0526baf079f12167d1d86e66b945c97f6d34921e0be8da |
| SHA512 | f2dd1dfdf9284c7ec57d06b26ddbde471d4c5d344ab3e71f1377fb387a40b73e648e78103805e71924b0aa6758ebdac31fe664f532f52b71f1184be038544f4f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk
| MD5 | ff594c2da440bf503c44e7e65be176b0 |
| SHA1 | 36ba4207aec5e8cee88bc1487c1e32ed09577d47 |
| SHA256 | 14d0490e23ea3413f9449426e3939fe35e9fb85b2a05ba72b67268b2eaa60fe8 |
| SHA512 | 48528d71c1981a452146c6f1aa971335df917a86cdcc6dfceee7913d0244cd7c1fce695dff5044cfb93deb87de5d0441a2ec17476217fef2951ac9a63bcdd91f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
| MD5 | aedb955135ac38369961ccd268d6bdc0 |
| SHA1 | 8d7e1f57a8b5a7293ac4b30ca7fdad041228cd64 |
| SHA256 | 8412b8a5ec46c3e12885cdde34affd2803aa59564e9a276335f46fd6690882a8 |
| SHA512 | 47d1efa6d3b1228255a22b29402e00396518f71e78b7d6225f9ad13eddcd52b6cdb249626994b94e1046f8b876acbe4661984c140d8edd680cab70dd1f746ca3 |
memory/1712-133-0x00000268EAEE0000-0x00000268EAEE8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
| MD5 | fa14f5919d13b6f76c0424e8fa2a7ac0 |
| SHA1 | 7caf8bc3e02284196666b2223023d52e1464cd97 |
| SHA256 | 844c93007a2e5f8251b3a2faab46614c9c17b801fa6416d014f141e50be3a11f |
| SHA512 | a977fc83acc674ef8dccd10b29c3245ed165d04f37e21266b7f2f90f2fa1557e2c2fd71dd44e728260c871f877b2f90760fe25abf843f72d6fd7e260addfc949 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
| MD5 | 567115061138eaa628c6920003f2f4c2 |
| SHA1 | e283fa5ec5ccbb36f6ad62edd66ba04fcbf883ba |
| SHA256 | 23b73a5501052dde5fef333011b42c474268094ced38c3265b3efb47fd195c1d |
| SHA512 | 84e54ec7f2c1cdf6de0ae96c61a6d37c4b25fccb80649e928f6dd317d8099d4e8ee388bbf1d36048dbeb907eb49345614435b5df49a6e5c7e7e3929bfe5326c2 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\310091\d58b8929a7e94b2690769bcd4003b61d_1
| MD5 | 2b3c1f3e767f5f6a9537a90bc2b94469 |
| SHA1 | f81811cf6fa1721ac93103b311c80f970502e0dd |
| SHA256 | 604b514c20cab087e0f13bba78412434cdd99dd81654dc7ccd338f7b67360086 |
| SHA512 | e6c62a67187444ca2b89f4d9896b829f85b1929f2e5ba212ae4abfd4e7432094771e489e8667fde403a7f5c333ce0b9be15c542a5324a8192472b72c1ccb3a12 |
memory/4444-152-0x0000000000930000-0x0000000000936000-memory.dmp
memory/1944-153-0x0000000000F00000-0x0000000000F06000-memory.dmp
memory/1944-156-0x0000018508190000-0x0000018508198000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
| MD5 | 1bac617d3a778de867dd2a4009dcdeff |
| SHA1 | 3a4abb1192f42eeab1508522809a0283a72fe262 |
| SHA256 | be1030604f5e462bca2b58ae591fd682c4df0ba176189308fa09435a1b04d150 |
| SHA512 | 60538d286b140f17c53281640e069a534c8803e747b203beb2cc4e93f62d920937f7b9ad6bc1078c5d65ef8d92bba06a3eba45528d549b010db82bba405647e8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
| MD5 | 26615be593f31b0cdf62227e7a82f42c |
| SHA1 | 6a7b15c301d6cb9bdae3f684111c6124badbcb02 |
| SHA256 | 41a2023ddba6d1fb1ee6cd163f4f0c1cfbe7c12c880c09452b6fb49577f2d974 |
| SHA512 | b9078fd12bcaf920a25df75f1d3505c358fc9092e11b91c0089866c438dc45009640a4493971ac4a5933e00303eef1a5b277528649ce77d2c99f6a1bf0a6761d |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
| MD5 | a00786b2f6a13d9a4259127d477b3394 |
| SHA1 | 953012f1201952b54d0cc08f2b7217d1f4c99cb8 |
| SHA256 | e5e8d8782a338cfa802305616f3eb98577540d9ab55349fe763ff4b172bae9eb |
| SHA512 | 855b7f857a06d6f0b407cd2e91f3d8815f2bc59be8d1db89c6c2bcd019dbfe5fa8c50fa7984e25c383479fdce90e4aea9154abe923dde91515c3195c79a72d3d |
memory/3928-170-0x00007FF81F500000-0x00007FF81F501000-memory.dmp
memory/3928-171-0x00007FF81F520000-0x00007FF81F521000-memory.dmp
memory/3928-172-0x00007FF81F510000-0x00007FF81F511000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\c6e99513f531488bbe34ed5b6b16e932_1
| MD5 | 7d0fb75f151fa106c77afd2768e16742 |
| SHA1 | 483b915ad567d4257ee9aa58ace1214135f94fd1 |
| SHA256 | 0422600ff8448242e01ba8b992f30174024acce5770ad72d4e3d102a90a47523 |
| SHA512 | 2a5ed0e951a9b21ca8a5a7609b732b183f08b9464ba2fe619aec15a3d69f1327c90c16133930b477f928a7def9675d2abfb11e2eb1108af96ca9e4fd4353dee1 |
memory/3868-174-0x00007FF81F510000-0x00007FF81F511000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1698751441
| MD5 | d92d6f6e558feeba04ae607f32188797 |
| SHA1 | 4614886948c786fb11624565d286a0e335341258 |
| SHA256 | 92a7a42c67ab43f34d394b64ddbb701e5d618ccea260a09beb99ec393a0775e1 |
| SHA512 | eaefe61a85a5fcce8753ddffed60746d81ed29e9969b769d83960ad9be81ecdf75536fd0b8b5d835efcb892c9ca5a96e2e7f6be89b7003188479d5213641d228 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1698751441
| MD5 | e182d1ceeee02759bf30d0ab0471e5c5 |
| SHA1 | 5b85aff1f2da0bf1eb42ee442da570eb4ebdaed0 |
| SHA256 | d80804e13522c8140203f27439a369b1e36ee72c2f31996c3d0123a7e67ab508 |
| SHA512 | ef5ac398f405ca622126e2c641dc91cd7967636e3de44b4f7b691c902543b6c2559d422f355cce17d16e4da797c5fe19268e34be370f8750fe2aba0ed09703d9 |
memory/2428-213-0x00000000007C0000-0x00000000007C6000-memory.dmp
memory/592-214-0x0000000000F90000-0x0000000000F96000-memory.dmp
memory/2428-217-0x00007FF81F500000-0x00007FF81F501000-memory.dmp
memory/2428-220-0x00007FF81F510000-0x00007FF81F511000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1698751441
| MD5 | 777209cdaa197c93b9e70f0e135ad685 |
| SHA1 | 9c86b9a6d558b0525f2225b500a445a85d28855f |
| SHA256 | 2f69e9030e463f6597a9132d409791991923be4417d03a38431f5664bc5fddb2 |
| SHA512 | afe14117aebc963339acf7c28b899d7cf6eaf481fe1c78bbe6e2890e7cfeba7bb754a93df2c597e578ea043bbf3685eb40d231446be32ab915ea95df2848b511 |
memory/2372-237-0x00000000007A0000-0x00000000007A6000-memory.dmp
memory/1996-238-0x0000000000BA0000-0x0000000000BA6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
| MD5 | db6420205e67a7e4cd909a3437f19fd5 |
| SHA1 | 4731b8e45630d4bd8695583b009b0244df605212 |
| SHA256 | a909e1e60243ef87832aa34086ff9d5d0ecc5092f3d6336127c1c5bea5ff302b |
| SHA512 | 91a01781c42d6468fd419659e69e3368ae67ff7be5c7df4fe48eaeb13431d4e2746c0010ce1a00130363c25bb68433f65797ccdfc353db73d7e7b9e9be65ddd8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
| MD5 | 7f58b298af3db6f5aea3e30aa8173c70 |
| SHA1 | 9beb02a67b6a482bbc24499852106c0744e39c39 |
| SHA256 | 5022e027871d4732f128ccd7955c7bb302a5d63562bcdbe61136ace5902f90d9 |
| SHA512 | a9bb56533f508637cd6ab9b424a3da6303d8a942e3f65e5c8dead053f936d43d0c030b629d69dd765e814414f77819264159befca3153a73dbbc56e6ef7b8a22 |
memory/4152-249-0x00000000002A0000-0x00000000002A6000-memory.dmp
memory/4152-251-0x00000000002A0000-0x00000000002A6000-memory.dmp
memory/1104-259-0x00000000008F0000-0x00000000008F6000-memory.dmp
memory/1104-260-0x00007FF81F510000-0x00007FF81F511000-memory.dmp
memory/1104-261-0x00007FF81F500000-0x00007FF81F501000-memory.dmp
memory/1104-262-0x00007FF81F520000-0x00007FF81F521000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1698751441
| MD5 | e182d1ceeee02759bf30d0ab0471e5c5 |
| SHA1 | 5b85aff1f2da0bf1eb42ee442da570eb4ebdaed0 |
| SHA256 | d80804e13522c8140203f27439a369b1e36ee72c2f31996c3d0123a7e67ab508 |
| SHA512 | ef5ac398f405ca622126e2c641dc91cd7967636e3de44b4f7b691c902543b6c2559d422f355cce17d16e4da797c5fe19268e34be370f8750fe2aba0ed09703d9 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1698751441
| MD5 | d92d6f6e558feeba04ae607f32188797 |
| SHA1 | 4614886948c786fb11624565d286a0e335341258 |
| SHA256 | 92a7a42c67ab43f34d394b64ddbb701e5d618ccea260a09beb99ec393a0775e1 |
| SHA512 | eaefe61a85a5fcce8753ddffed60746d81ed29e9969b769d83960ad9be81ecdf75536fd0b8b5d835efcb892c9ca5a96e2e7f6be89b7003188479d5213641d228 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\88000045\e0bee7a87144477691d16ad010aabda5_1
| MD5 | 3976ce2fbf0e4176ae1b98488e64379f |
| SHA1 | 96f428eb2142b24380377962f810f6c197954740 |
| SHA256 | 2862d16805330483a404ad4d992c25dbdd056419dfbf5ff65806accf545f2647 |
| SHA512 | 76ec1e05eb6d3a496f67c7d23db884d5a9969f439e6ce8cec943363af83a7bdb6f02ac017ab82e3b03d370cef4e94611a4d184ae59c0ac5017b7ac346e1bea38 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815\c9a0a1cfbbb84ed0b32d4769a7d5327a_1
| MD5 | 68362d456116db4b16691c82cfa1b600 |
| SHA1 | 38763f9d1c9ebab786e47041cccd6de5f6de9e7a |
| SHA256 | 1ffba4c61713ddb0196e85320aacacccd04b6f9109a6a4f6b83b20f2baad61bc |
| SHA512 | b9d5f17e855e652f24e17022a835057bc5fabe8039b0b16963836e586558ac2dfa38edd101b9496f237e2aa34dc051a360cc5b02b4974d9679658feb58fa26da |
memory/1104-276-0x00000000008F0000-0x00000000008F6000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-31 08:57
Reported
2023-10-31 11:24
Platform
win7-20231020-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Tinba / TinyBanker
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\81307C31 = "C:\\Users\\Admin\\AppData\\Roaming\\81307C31\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
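Both detonations record the same persistence shape (behavioral2 above with value D669E8BA, behavioral1 here with 81307C31): the Run value is written by C:\Windows\SysWOW64\winver.exe rather than by the sample itself, its name is eight hex characters, and its data points at %APPDATA%\<same eight characters>\bin.exe. The Python below is an added example, not part of the report and not Tinba tooling: it parses registry rows in this report's own column layout (description | indicator | process), flags that shape, and treats any Run value written by a System32/SysWOW64 binary as suspicious on its own, since installers do not live there. The third input row (a OneDrive autostart written by OneDriveSetup.exe) is constructed as a benign control; the eight-hex-character rule and the folder/value-name match are heuristics taken from the two rows on this page.

```python
import re

# Registry "Set value" rows in this report's column order (description | indicator | process).
# The first two are copied from the two detonations on this page; the third is a
# constructed benign control (a OneDrive autostart written by its own installer).
SET_VALUE_ROWS = [
    r'Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D669E8BA = "C:\\Users\\Admin\\AppData\\Roaming\\D669E8BA\\bin.exe" | C:\Windows\SysWOW64\winver.exe',
    r'Set value (str) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\81307C31 = "C:\\Users\\Admin\\AppData\\Roaming\\81307C31\\bin.exe" | C:\Windows\SysWOW64\winver.exe',
    r'Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe',
]

# <key>\Run\<name> = "<data>" as the report prints it; hive/case differ between runs.
RUN_VALUE_RE = re.compile(r'^(?P<key>.+\\CurrentVersion\\Run)\\(?P<name>[^\\ ]+) = "(?P<data>.*)"$', re.IGNORECASE)
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)', re.IGNORECASE)          # image path, arguments dropped
HEX8_RE = re.compile(r'^[0-9A-F]{8}$', re.IGNORECASE)                 # value-name shape seen on this page
OS_BINARY_RE = re.compile(r'^C:\\Windows\\(System32|SysWOW64)\\[^\\]+$', re.IGNORECASE)


def parse_row(row):
    """Split one report row; the report escapes backslashes in value data, so unescape them."""
    parts = [c.strip() for c in row.split(' | ')]
    if len(parts) != 3:
        return None
    _desc, indicator, process = parts
    m = RUN_VALUE_RE.match(indicator)
    if not m:
        return None
    data = m['data'].replace('\\\\', '\\')
    e = EXE_RE.match(data)
    return {'name': m['name'], 'data': data, 'exe': e['exe'] if e else data, 'process': process}


def assess(entry):
    name, exe, proc = entry['name'], entry['exe'].lower(), entry['process']
    parts = exe.split('\\')
    reasons = []
    # Shape seen in both detonations: value name == %APPDATA%\Roaming drop folder, payload bin.exe.
    tinba_shape = (HEX8_RE.match(name) is not None and len(parts) >= 2
                   and parts[-1] == 'bin.exe' and parts[-2] == name.lower()
                   and '\\appdata\\roaming\\' in exe)
    if tinba_shape:
        reasons.append('Run value named after its %APPDATA% drop folder, payload bin.exe')
    # A Windows OS binary writing an autostart value is an injection tell, not installer behaviour.
    if OS_BINARY_RE.match(proc):
        image = proc.rsplit('\\', 1)[-1]
        reasons.append(f'Run key written by OS binary {image}')
    verdict = 'malicious' if tinba_shape else 'suspicious' if reasons else 'benign'
    return dict(entry, verdict=verdict, reasons=reasons)


def triage_run_keys(rows):
    """Verdict per Run-key write: 'malicious', 'suspicious' or 'benign', with reasons."""
    return [assess(e) for e in map(parse_row, rows) if e]
```

To run this against live telemetry, reshape Sysmon Event ID 13 (RegistryEvent SetValue) records into the same three columns; the verdict only needs the value path, the value data and the writing image, and the folder/value-name match is what separates this family's drop from an ordinary per-user autostart.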
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\NEAS.accc17f3d435ca7f42ef85350778ef10.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.accc17f3d435ca7f42ef85350778ef10.exe"
C:\Windows\SysWOW64\winver.exe
winver
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | spaines.pw | udp |
| US | 216.218.185.162:80 | spaines.pw | tcp |
| US | 8.8.8.8:53 | uyhgqunqkxnx.pw | udp |
| NL | 192.42.116.41:80 | uyhgqunqkxnx.pw | tcp |
| US | 8.8.8.8:53 | vcklmnnejwxx.pw | udp |
| US | 216.218.185.162:80 | vcklmnnejwxx.pw | tcp |
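The Network tables of both detonations (behavioral2 above, behavioral1 here) mix two kinds of rows: PTR lookups of addresses the guest has contacted (the in-addr.arpa names, one of which, 162.185.218.216.in-addr.arpa, is the reverse of the spaines.pw address) and the sample's own resolution of and TCP port 80 connections to spaines.pw, uyhgqunqkxnx.pw and vcklmnnejwxx.pw. The Python below is an added example, not part of the report: it separates the PTR rows out (and turns them back into the IPs they name), groups the remaining rows per hostname with the endpoints each resolved to, scores each leftmost label by length and vowel ratio, and reports endpoints shared by more than one hostname. The twelve-character, nearly vowel-free labels are what make two of the names look machine-generated; the report says nothing about how the names are produced, so that flag is a triage hint and not a family attribution. The input rows are copied from this page, including reverse-lookup rows so the filter has something to remove.

```python
import math
from collections import defaultdict

# Network rows copied from the two detonations on this page
# (report column order: country | destination | domain | proto).
NETWORK_ROWS = [
    "| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | spaines.pw | udp |",
    "| US | 216.218.185.162:80 | spaines.pw | tcp |",
    "| US | 8.8.8.8:53 | 162.185.218.216.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | uyhgqunqkxnx.pw | udp |",
    "| NL | 192.42.116.41:80 | uyhgqunqkxnx.pw | tcp |",
    "| US | 8.8.8.8:53 | vcklmnnejwxx.pw | udp |",
    "| US | 216.218.185.162:80 | vcklmnnejwxx.pw | tcp |",
]


def parse_rows(rows):
    for row in rows:
        cells = [c.strip() for c in row.strip().strip('|').split('|')]
        if len(cells) == 4:
            country, dest, domain, proto = cells
            yield {'country': country, 'dest': dest, 'domain': domain.lower(), 'proto': proto.lower()}


def is_reverse_lookup(domain):
    return domain.endswith('.in-addr.arpa') or domain.endswith('.ip6.arpa')


def ptr_targets(rows):
    """IPv4 addresses whose PTR record was queried: a.b.c.d.in-addr.arpa names d.c.b.a."""
    ips = set()
    for r in parse_rows(rows):
        if r['domain'].endswith('.in-addr.arpa'):
            octets = r['domain'][:-len('.in-addr.arpa')].split('.')
            if len(octets) == 4:
                ips.add('.'.join(reversed(octets)))
    return ips


def shannon_entropy(s):
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0


def label_features(domain):
    label = domain.split('.')[0]
    vowels = sum(label.count(v) for v in 'aeiou')
    return {'label': label, 'length': len(label),
            'vowel_ratio': round(vowels / len(label), 2) if label else 0.0,
            'entropy': round(shannon_entropy(label), 2)}


def looks_generated(features):
    # Heuristic only: long leftmost label with very few vowels.
    return features['length'] >= 10 and features['vowel_ratio'] < 0.25


def triage_network(rows):
    """Per hostname (PTR noise removed): label features, lookup count, contacted endpoints."""
    domains = defaultdict(lambda: {'lookups': 0, 'endpoints': set()})
    for r in parse_rows(rows):
        if is_reverse_lookup(r['domain']):
            continue
        d = domains[r['domain']]
        if r['proto'] == 'udp' and r['dest'].endswith(':53'):
            d['lookups'] += 1          # the resolution itself
        else:
            d['endpoints'].add(r['dest'])   # the connection that followed it
    report = {}
    for domain, d in domains.items():
        f = label_features(domain)
        report[domain] = {**f, 'generated_like': looks_generated(f),
                          'lookups': d['lookups'], 'endpoints': sorted(d['endpoints'])}
    return report


def shared_endpoints(report):
    """Endpoints reached under more than one hostname: one host serving several names."""
    by_ep = defaultdict(set)
    for domain, info in report.items():
        for ep in info['endpoints']:
            by_ep[ep].add(domain)
    return {ep: sorted(ds) for ep, ds in by_ep.items() if len(ds) > 1}
```

Entropy is computed because it is the usual first reflex, but at seven to twelve characters it barely separates a pronounceable label from the two random-looking ones, which is why the flag uses length and vowel ratio instead. The shared-endpoint check is the more durable finding: spaines.pw and vcklmnnejwxx.pw both resolved to 216.218.185.162:80, so blocking on the IP covers both names while blocking on either name alone does not.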
Files
memory/1732-0-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1732-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1732-3-0x0000000001D60000-0x0000000002760000-memory.dmp
memory/1216-2-0x0000000002B20000-0x0000000002B26000-memory.dmp
memory/2900-4-0x0000000000140000-0x0000000000146000-memory.dmp
memory/1216-6-0x0000000002B20000-0x0000000002B26000-memory.dmp
memory/2900-10-0x0000000077010000-0x0000000077011000-memory.dmp
memory/1216-11-0x0000000076E61000-0x0000000076E62000-memory.dmp
memory/2900-9-0x000000007700F000-0x0000000077011000-memory.dmp
memory/2900-8-0x000000007700F000-0x0000000077010000-memory.dmp
memory/2900-7-0x0000000000430000-0x0000000000446000-memory.dmp
memory/1732-12-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1732-13-0x0000000001D60000-0x0000000002760000-memory.dmp
memory/2900-15-0x0000000000140000-0x0000000000146000-memory.dmp
memory/2900-16-0x0000000000190000-0x0000000000191000-memory.dmp
memory/1216-17-0x0000000076FF0000-0x0000000076FF1000-memory.dmp
memory/1104-21-0x0000000001BC0000-0x0000000001BC6000-memory.dmp
memory/1104-22-0x0000000076E61000-0x0000000076E62000-memory.dmp
memory/2900-24-0x0000000000140000-0x0000000000146000-memory.dmp
memory/1152-26-0x0000000001AC0000-0x0000000001AC6000-memory.dmp
memory/1216-27-0x0000000002B70000-0x0000000002B76000-memory.dmp
memory/1216-28-0x0000000002B70000-0x0000000002B76000-memory.dmp
memory/2900-32-0x00000000001A0000-0x00000000001A1000-memory.dmp
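Every memory/… entry in the Files sections (behavioral2 above, behavioral1 here) encodes pid-sequence-start-end, and each WerFault.exe line in the behavioral2 Processes list names the crashing process in -p. Parsing the two together shows which PID owns a region at 0x400000, the default image base of a 32-bit PE (pid 3916 in behavioral2 and pid 1732 in behavioral1, each with a 0x1D000-byte region and a 10 MiB private region dumped alongside it), which regions were dumped more than once, which PIDs crashed, and which crashed PIDs left no dump at all. One caveat the report does not spell out: the CentralProcessor and BIOS registry reads attributed to C:\Windows\system32\WerFault.exe under "Checks processor information in registry" and "Enumerates system info in registry" are the crash reporter collecting machine details for its own report, a side effect of the crashes rather than behaviour of the sample. The Python below is an added example, not part of the report; its input lines are a subset copied from this page's Files and Processes lists, kept separate per detonation because PIDs only mean something within one run, and the tags it attaches to regions are heuristics.

```python
import re
from collections import defaultdict

# Files-section names encode pid-sequence-start-end.
DUMP_RE = re.compile(
    r'^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$')
# WerFault command lines in the Processes list: -p carries the PID of the crashing process.
WERFAULT_RE = re.compile(r'WerFault\.exe\s+-u\s+-p\s+(?P<pid>\d+)', re.IGNORECASE)

# Input copied from this page (a subset of each detonation's Files and Processes lists).
FILE_LINES = {
    'behavioral2': [
        "memory/3916-0-0x0000000000400000-0x000000000041D000-memory.dmp",
        "memory/3916-1-0x0000000002160000-0x0000000002161000-memory.dmp",
        "memory/3916-2-0x0000000002250000-0x0000000002C50000-memory.dmp",
        "memory/3916-8-0x0000000000400000-0x000000000041D000-memory.dmp",
        "memory/3916-10-0x0000000002250000-0x0000000002C50000-memory.dmp",
        "memory/3652-23-0x0000000000390000-0x0000000000396000-memory.dmp",
        "memory/3684-78-0x0000000000B00000-0x0000000000B06000-memory.dmp",
        "memory/3684-79-0x000001F6C8DA0000-0x000001F6C8DA8000-memory.dmp",
        "memory/4936-98-0x00000000004D0000-0x00000000004D6000-memory.dmp",
    ],
    'behavioral1': [
        "memory/1732-0-0x0000000000400000-0x000000000041D000-memory.dmp",
        "memory/1732-1-0x0000000000020000-0x0000000000021000-memory.dmp",
        "memory/1732-3-0x0000000001D60000-0x0000000002760000-memory.dmp",
        "memory/1216-2-0x0000000002B20000-0x0000000002B26000-memory.dmp",
    ],
}
PROCESS_LINES = {
    'behavioral2': [
        r"C:\Windows\system32\WerFault.exe -u -p 3652 -s 976",
        r"C:\Windows\system32\WerFault.exe -u -p 3684 -s 748",
        r"C:\Windows\system32\WerFault.exe -u -p 4936 -s 680",
        r"C:\Windows\system32\WerFault.exe -u -p 3504 -s 964",
    ],
    'behavioral1': [],   # the Windows 7 run lists no WerFault instances
}


def parse_dumps(lines):
    """pid -> {(start, end): number of times that region was dumped}."""
    regions = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = DUMP_RE.match(line.strip())
        if m:
            regions[int(m['pid'])][(int(m['start'], 16), int(m['end'], 16))] += 1
    return regions


def describe_region(start, end):
    size = end - start
    tags = []
    if start == 0x400000:
        tags.append('default 32-bit PE image base')
    if size >= 0x100000:
        tags.append('large private region (%.1f MiB)' % (size / 2 ** 20))
    if start >= 2 ** 32:
        tags.append('64-bit address space')
    return {'start': start, 'end': end, 'size': size, 'tags': tags}


def crashed_pids(process_lines):
    return {int(m['pid']) for m in map(WERFAULT_RE.search, process_lines) if m}


def summarize_run(file_lines, process_lines):
    regions = parse_dumps(file_lines)
    crashed = crashed_pids(process_lines)
    processes = {
        pid: {
            'regions': [dict(describe_region(s, e), captures=n) for (s, e), n in sorted(regs.items())],
            'werfault_reported': pid in crashed,
        }
        for pid, regs in regions.items()
    }
    return {'processes': processes, 'crashed_without_dump': sorted(crashed - set(regions))}


def summarize(files_by_run, procs_by_run):
    return {run: summarize_run(files, procs_by_run.get(run, [])) for run, files in files_by_run.items()}


def image_base_owners(summary):
    """Per run: PIDs owning a region at 0x400000, with that region's size."""
    return {run: {pid: r['size'] for pid, p in s['processes'].items()
                  for r in p['regions'] if r['start'] == 0x400000}
            for run, s in summary.items()}
```

The region sizes are the useful cross-run signal: a 0x1D000-byte image at 0x400000 and a 0xA00000-byte region appear in both detonations under different PIDs, which is the kind of repeatable shape a memory-based rule can key on. The many 0x6000-byte regions dumped from unrelated system PIDs in the full Files list are worth cross-checking against the WriteProcessMemory and UnmapMainImage signatures, but the report itself does not say what they contain.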