Analysis Overview
SHA256: b637efe55a8e1fd3eb1ebfd8241701ecaf07d314d688cbe0b099cff47f5a4c64
Threat Level: Known bad
The file NEAS.aa982f552efc53ab125c5a8b1fbe3d70.exe was found to be: Known bad.
Malicious Activity Summary
Tinba / TinyBanker
UPX packed file
Adds Run key to start application
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2023-11-05 19:59
Signatures
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2023-11-05 19:59
Reported: 2023-11-05 20:03
Platform: win7-20231023-en
Max time kernel: 150s
Max time network: 154s
Command Line
Signatures
Tinba / TinyBanker
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\A56C222A = "C:\\Users\\Admin\\AppData\\Roaming\\A56C222A\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Users\Admin\AppData\Local\Temp\NEAS.aa982f552efc53ab125c5a8b1fbe3d70.exe | "C:\Users\Admin\AppData\Local\Temp\NEAS.aa982f552efc53ab125c5a8b1fbe3d70.exe" |
| C:\Windows\SysWOW64\winver.exe | winver |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | spaines.pw | udp |
| US | 216.218.185.162:80 | spaines.pw | tcp |
| US | 8.8.8.8:53 | uyhgqunqkxnx.pw | udp |
| NL | 192.42.116.41:80 | uyhgqunqkxnx.pw | tcp |
| US | 8.8.8.8:53 | vcklmnnejwxx.pw | udp |
| US | 216.218.185.162:80 | vcklmnnejwxx.pw | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2023-11-05 19:59
Reported: 2023-11-05 20:03
Platform: win10v2004-20231020-en
Max time kernel: 8s
Max time network: 12s
Command Line
Signatures
Tinba / TinyBanker
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\56357F40 = "C:\\Users\\Admin\\AppData\\Roaming\\56357F40\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\NEAS.aa982f552efc53ab125c5a8b1fbe3d70.exe | "C:\Users\Admin\AppData\Local\Temp\NEAS.aa982f552efc53ab125c5a8b1fbe3d70.exe" |
| C:\Windows\SysWOW64\winver.exe | winver |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.105.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files