Overview

overview

10

Static

static

7

c91cba1eef...cs.exe

windows7-x64

10

c91cba1eef...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 10:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c91cba1eef413febb2f0387c37c1f950_NeikiAnalytics.exe

  • Size

    45KB

  • MD5

    c91cba1eef413febb2f0387c37c1f950

  • SHA1

    b60091916937639d5d96fda8e3076da93ab21e59

  • SHA256

    69ae78f003483214915bfa9b8502affbf52d2f98195e74a73c7843d17f0e2479

  • SHA512

    a219c3c3ed321dc0f3d208f064b3311c78491fed145f46b61bc86dbaf75b8485b5871d790c7c7ce77c47a1fa5132111123ad3ab17b2455dbb6bcaf56c14a9f8d

  • SSDEEP

    768:yhP0kDE9N5dCA8J7VHXdrIniQaBTT+QQ+r1n4K8+C9TtIuCjaqUODvJVQ2f:+sWE9N5dFu53dsniQaB/xZ14n7zIF+qr

Score
10/10
tinbabankerpersistencetrojanupx

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

    trojanbankertinba
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1092
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1168
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1204
          • C:\Users\Admin\AppData\Local\Temp\c91cba1eef413febb2f0387c37c1f950_NeikiAnalytics.exe
            "C:\Users\Admin\AppData\Local\Temp\c91cba1eef413febb2f0387c37c1f950_NeikiAnalytics.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1792
            • C:\Windows\SysWOW64\winver.exe
              winver
              3⤵
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:2200

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1092-23-0x0000000077CD1000-0x0000000077CD2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1092-22-0x0000000000210000-0x0000000000216000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1168-19-0x0000000001DA0000-0x0000000001DA6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1168-25-0x0000000001DA0000-0x0000000001DA6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1204-4-0x0000000002530000-0x0000000002536000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1204-3-0x0000000002530000-0x0000000002536000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1204-2-0x0000000002530000-0x0000000002536000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1204-24-0x00000000024D0000-0x00000000024D6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1204-10-0x0000000077CD1000-0x0000000077CD2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1204-21-0x00000000024D0000-0x00000000024D6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1792-5-0x0000000001DB0000-0x00000000027B0000-memory.dmp
          Filesize

          10.0MB

          Download
        • memory/1792-12-0x0000000000400000-0x000000000041D000-memory.dmp
          Filesize

          116KB

          Download
        • memory/1792-13-0x0000000001DB0000-0x00000000027B0000-memory.dmp
          Filesize

          10.0MB

          Download
        • memory/1792-0-0x0000000000400000-0x000000000041D000-memory.dmp
          Filesize

          116KB

          Download
        • memory/1792-1-0x0000000000020000-0x0000000000021000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2200-6-0x0000000000220000-0x0000000000226000-memory.dmp
          Filesize

          24KB

          Download
        • memory/2200-7-0x0000000077E80000-0x0000000077E81000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2200-8-0x0000000077E7F000-0x0000000077E80000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2200-9-0x0000000077E7F000-0x0000000077E81000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2200-11-0x0000000077C80000-0x0000000077E29000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/2200-29-0x0000000000220000-0x0000000000226000-memory.dmp
          Filesize

          24KB

          Download