Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

NEAS.482c3...20.exe

windows7-x64

10

NEAS.482c3...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    02/11/2023, 16:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe

  • Size

    45KB

  • MD5

    482c3e2e3cc73e69e1536e0a85385d20

  • SHA1

    9a272ba2fc4ee358f3b01a4c8845cbf42e95c104

  • SHA256

    10b7fb1e6549953e9f90379ba2ec971514ea9047da7a1312c397d6238e28b01a

  • SHA512

    84c1e0d8f4dfae544d6c39d356a3f0e92e9d22dba6478dd583e4b513c47efadabf2823ae4c9af5a981a01da71d2992a3c4ae4684fd73abaf6fabaa2145b76330

  • SSDEEP

    768:bhP0kDE9N5dCA8J7VHXdrIniQaBTT+QQ+r1n4K8+C9TtIuCjaqUODvJVQ2f:dsWE9N5dFu53dsniQaB/xZ14n7zIF+qr

Score
10/10
tinbabankerpersistencetrojanupx

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

    trojanbankertinba
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of UnmapMainImage
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Windows\SysWOW64\winver.exe
        winver
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2176
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1180
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1120

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1120-26-0x00000000001A0000-0x00000000001A6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1180-24-0x0000000001AC0000-0x0000000001AC6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1180-21-0x0000000001AC0000-0x0000000001AC6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1180-25-0x0000000077351000-0x0000000077352000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1260-1-0x0000000000020000-0x0000000000021000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1260-3-0x0000000001BB0000-0x00000000025B0000-memory.dmp

        Filesize

        10.0MB

        Download

      • memory/1260-13-0x0000000001BB0000-0x00000000025B0000-memory.dmp

        Filesize

        10.0MB

        Download

      • memory/1260-12-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

        Download

      • memory/1260-0-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

        Download

      • memory/1268-2-0x0000000002A10000-0x0000000002A16000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1268-11-0x0000000077351000-0x0000000077352000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1268-6-0x0000000002A10000-0x0000000002A16000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1268-27-0x00000000029C0000-0x00000000029C6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1268-14-0x00000000774E0000-0x00000000774E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1268-23-0x00000000029C0000-0x00000000029C6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2176-7-0x0000000000600000-0x0000000000616000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2176-17-0x00000000000D0000-0x00000000000D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-16-0x0000000000090000-0x0000000000096000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2176-8-0x00000000774FF000-0x0000000077500000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-9-0x00000000774FF000-0x0000000077501000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2176-10-0x0000000077500000-0x0000000077501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-4-0x0000000000090000-0x0000000000096000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2176-31-0x0000000000190000-0x0000000000191000-memory.dmp

        Filesize

        4KB

        Download