tinba | ee08501afc61510a6d102611ae2516987b2b4ce4bf18ae4a8e3aee1bbc5d5647

General

Target

9b46256f28d4672b60b68cf5284ec690_NeikiAnalytics.exe
Size

225KB
MD5

9b46256f28d4672b60b68cf5284ec690
SHA1

da4654ed7f7d7e6ce3a91b7a73e20ac879c70d34
SHA256

ee08501afc61510a6d102611ae2516987b2b4ce4bf18ae4a8e3aee1bbc5d5647
SHA512

1158f0d16ead8fb831819006f3bf70a9ed82453c4f9383199f6d21238ec2336b3d7f74a3257ac13bb559c84619bf0ded31503925bcac623c65d9c5aaeb75b7e0
SSDEEP

6144:5A2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:5ATuTAnKGwUAW3ycQqgf

Score

10^/10

tinba banker persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\9ED35FF8 = "C:\\Users\\Admin\\AppData\\Roaming\\9ED35FF8\\bin.exe"	winver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 61 IoCs

Processes:

winver.exe

pid	process
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe
2636	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winver.exe

pid process

2636 winver.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9b46256f28d4672b60b68cf5284ec690_NeikiAnalytics.exewinver.exe

description	pid	process	target process
PID 956 wrote to memory of 2636	956	9b46256f28d4672b60b68cf5284ec690_NeikiAnalytics.exe	winver.exe
PID 956 wrote to memory of 2636	956	9b46256f28d4672b60b68cf5284ec690_NeikiAnalytics.exe	winver.exe
PID 956 wrote to memory of 2636	956	9b46256f28d4672b60b68cf5284ec690_NeikiAnalytics.exe	winver.exe
PID 956 wrote to memory of 2636	956	9b46256f28d4672b60b68cf5284ec690_NeikiAnalytics.exe	winver.exe
PID 956 wrote to memory of 2636	956	9b46256f28d4672b60b68cf5284ec690_NeikiAnalytics.exe	winver.exe
PID 2636 wrote to memory of 1188	2636	winver.exe	Explorer.EXE
PID 2636 wrote to memory of 1112	2636	winver.exe	taskhost.exe
PID 2636 wrote to memory of 1164	2636	winver.exe	Dwm.exe
PID 2636 wrote to memory of 1188	2636	winver.exe	Explorer.EXE

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\9b46256f28d4672b60b68cf5284ec690_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9b46256f28d4672b60b68cf5284ec690_NeikiAnalytics.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\winver.exe
winver
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1112-21-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/1112-11-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/1164-23-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1164-14-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1188-1-0x0000000002D20000-0x0000000002D26000-memory.dmp

Filesize
24KB

Download
memory/1188-17-0x0000000002D70000-0x0000000002D76000-memory.dmp

Filesize
24KB

Download
memory/1188-3-0x0000000002D20000-0x0000000002D26000-memory.dmp

Filesize
24KB

Download
memory/1188-6-0x0000000002D20000-0x0000000002D26000-memory.dmp

Filesize
24KB

Download
memory/1188-22-0x0000000002D70000-0x0000000002D76000-memory.dmp

Filesize
24KB

Download
memory/2636-20-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/2636-4-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/2636-25-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads