tinba | 7b0062a7a54ced9bf8f7998c36b97f1dce06b8b8e081c654cf12c508463ff9c3

General

Target

7b0062a7a54ced9bf8f7998c36b97f1dce06b8b8e081c654cf12c508463ff9c3_NeikiAnalytics.exe
Size

225KB
MD5

aa7cadcf1b6074aa56d2c27252f45310
SHA1

5330374c02fd085b5086d876a7b40b728ef73429
SHA256

7b0062a7a54ced9bf8f7998c36b97f1dce06b8b8e081c654cf12c508463ff9c3
SHA512

78cb79d2cc61d0d9709dbe0777385f1ea8bd6bf2c0568a2db1cc24ea7951982ba1f3bbd519ead5bfc674ad55ab424bfd03b7f58157490cd2fc93d42fc3740538
SSDEEP

6144:pA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:pATuTAnKGwUAW3ycQqgf

Score

10^/10

tinba banker persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\607BDD67 = "C:\\Users\\Admin\\AppData\\Roaming\\607BDD67\\bin.exe"	winver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 61 IoCs

Processes:

winver.exe

pid	process
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe
2996	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winver.exe

pid process

2996 winver.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

7b0062a7a54ced9bf8f7998c36b97f1dce06b8b8e081c654cf12c508463ff9c3_NeikiAnalytics.exewinver.exe

description	pid	process	target process
PID 2076 wrote to memory of 2996	2076	7b0062a7a54ced9bf8f7998c36b97f1dce06b8b8e081c654cf12c508463ff9c3_NeikiAnalytics.exe	winver.exe
PID 2076 wrote to memory of 2996	2076	7b0062a7a54ced9bf8f7998c36b97f1dce06b8b8e081c654cf12c508463ff9c3_NeikiAnalytics.exe	winver.exe
PID 2076 wrote to memory of 2996	2076	7b0062a7a54ced9bf8f7998c36b97f1dce06b8b8e081c654cf12c508463ff9c3_NeikiAnalytics.exe	winver.exe
PID 2076 wrote to memory of 2996	2076	7b0062a7a54ced9bf8f7998c36b97f1dce06b8b8e081c654cf12c508463ff9c3_NeikiAnalytics.exe	winver.exe
PID 2076 wrote to memory of 2996	2076	7b0062a7a54ced9bf8f7998c36b97f1dce06b8b8e081c654cf12c508463ff9c3_NeikiAnalytics.exe	winver.exe
PID 2996 wrote to memory of 1204	2996	winver.exe	Explorer.EXE
PID 2996 wrote to memory of 1112	2996	winver.exe	taskhost.exe
PID 2996 wrote to memory of 1172	2996	winver.exe	Dwm.exe
PID 2996 wrote to memory of 1204	2996	winver.exe	Explorer.EXE
PID 2996 wrote to memory of 2076	2996	winver.exe	7b0062a7a54ced9bf8f7998c36b97f1dce06b8b8e081c654cf12c508463ff9c3_NeikiAnalytics.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\7b0062a7a54ced9bf8f7998c36b97f1dce06b8b8e081c654cf12c508463ff9c3_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7b0062a7a54ced9bf8f7998c36b97f1dce06b8b8e081c654cf12c508463ff9c3_NeikiAnalytics.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\winver.exe
winver
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-11-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1112-23-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1172-25-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1172-14-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1204-3-0x00000000025E0000-0x00000000025E6000-memory.dmp

Filesize
24KB

Download
memory/1204-17-0x0000000002D10000-0x0000000002D16000-memory.dmp

Filesize
24KB

Download
memory/1204-1-0x00000000025E0000-0x00000000025E6000-memory.dmp

Filesize
24KB

Download
memory/1204-6-0x00000000025E0000-0x00000000025E6000-memory.dmp

Filesize
24KB

Download
memory/1204-24-0x0000000002D10000-0x0000000002D16000-memory.dmp

Filesize
24KB

Download
memory/2076-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-4-0x0000000000120000-0x0000000000126000-memory.dmp

Filesize
24KB

Download
memory/2996-22-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/2996-27-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads