Overview

overview

10

Static

static

3

0db543eb63...cs.exe

windows7-x64

10

0db543eb63...cs.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    17-06-2024 23:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0db543eb6303a474b1011164df96a480_NeikiAnalytics.exe

  • Size

    44KB

  • MD5

    0db543eb6303a474b1011164df96a480

  • SHA1

    40eec54c64cf443e00c4b93ce20516f62e94faf1

  • SHA256

    9ecd6945095a31341e55bf45ebbec061714a9cdbdb4dac3478b1d673458a67df

  • SHA512

    1f2fc42ec2723836f1d21e8b8f0b3437889b3194ee4c9f26cd9f373fd7a520f2164b6dfcb5601f003ca48f0421c2ca1e98c18debb7edbaf4b4bfe14227b59ff8

  • SSDEEP

    768:F3u9+vWm9aIbisNVEK2c28bpM2dBOsRxIVSJRwBlc:Fe9matCeUHUVSJRG

Score
10/10
tinbabankerpersistencetrojan

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

    trojanbankertinba
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1096
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1160
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1204
          • C:\Users\Admin\AppData\Local\Temp\0db543eb6303a474b1011164df96a480_NeikiAnalytics.exe
            "C:\Users\Admin\AppData\Local\Temp\0db543eb6303a474b1011164df96a480_NeikiAnalytics.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2132
            • C:\Windows\SysWOW64\winver.exe
              winver
              3⤵
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:3020

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1096-27-0x0000000000260000-0x0000000000266000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1160-20-0x0000000000140000-0x0000000000146000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1160-25-0x00000000772B1000-0x00000000772B2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1160-24-0x0000000000140000-0x0000000000146000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1204-6-0x00000000020B0000-0x00000000020B6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1204-22-0x00000000020C0000-0x00000000020C6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1204-13-0x00000000772B1000-0x00000000772B2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1204-28-0x00000000020C0000-0x00000000020C6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1204-3-0x00000000020B0000-0x00000000020B6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1204-2-0x00000000020B0000-0x00000000020B6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/2132-7-0x0000000002290000-0x0000000002C90000-memory.dmp
          Filesize

          10.0MB

          Download
        • memory/2132-1-0x0000000000260000-0x0000000000261000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2132-0-0x0000000000400000-0x000000000040B000-memory.dmp
          Filesize

          44KB

          Download
        • memory/2132-26-0x0000000002290000-0x0000000002C90000-memory.dmp
          Filesize

          10.0MB

          Download
        • memory/3020-12-0x00000000004F0000-0x00000000004F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3020-8-0x0000000000130000-0x0000000000136000-memory.dmp
          Filesize

          24KB

          Download
        • memory/3020-9-0x0000000077460000-0x0000000077461000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3020-10-0x000000007745F000-0x0000000077460000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3020-4-0x0000000000130000-0x0000000000136000-memory.dmp
          Filesize

          24KB

          Download
        • memory/3020-11-0x000000007745F000-0x0000000077461000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3020-14-0x0000000077260000-0x0000000077409000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/3020-33-0x0000000000130000-0x0000000000136000-memory.dmp
          Filesize

          24KB

          Download