tinba | 90dba29fcade78275c78d0471d85eaf0cf546f0b001379445191b59ada9914d6

General

Target

90dba29fcade78275c78d0471d85eaf0cf546f0b001379445191b59ada9914d6_NeikiAnalytics.exe
Size

237KB
MD5

d2c7e9d1a2266dfdc26c1fb1df6a87b0
SHA1

428c172082a1b386eb86719968b4fcb45e65b9a6
SHA256

90dba29fcade78275c78d0471d85eaf0cf546f0b001379445191b59ada9914d6
SHA512

3f3ac284090bc6fb30bc655a84797f2bc758de87357708f0864627d45cb54f55288cac564d633a3b936f8acca9829a46e653bbc340f19a61c3993130de9a6846
SSDEEP

6144:IA2P27yTAnKGw0hjFhSR/W1nyAJ9v0pMtRCpYQ:IATuTAnKGwUAWVycQqgj

Score

10^/10

tinba banker persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\54F0E0A7 = "C:\\Users\\Admin\\AppData\\Roaming\\54F0E0A7\\bin.exe"	winver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

winver.exe

pid	process
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe
5020	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winver.exe

pid process

5020 winver.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

90dba29fcade78275c78d0471d85eaf0cf546f0b001379445191b59ada9914d6_NeikiAnalytics.exewinver.exe

description	pid	process	target process
PID 4452 wrote to memory of 5020	4452	90dba29fcade78275c78d0471d85eaf0cf546f0b001379445191b59ada9914d6_NeikiAnalytics.exe	winver.exe
PID 4452 wrote to memory of 5020	4452	90dba29fcade78275c78d0471d85eaf0cf546f0b001379445191b59ada9914d6_NeikiAnalytics.exe	winver.exe
PID 4452 wrote to memory of 5020	4452	90dba29fcade78275c78d0471d85eaf0cf546f0b001379445191b59ada9914d6_NeikiAnalytics.exe	winver.exe
PID 4452 wrote to memory of 5020	4452	90dba29fcade78275c78d0471d85eaf0cf546f0b001379445191b59ada9914d6_NeikiAnalytics.exe	winver.exe
PID 5020 wrote to memory of 3364	5020	winver.exe	Explorer.EXE
PID 5020 wrote to memory of 2460	5020	winver.exe	sihost.exe
PID 5020 wrote to memory of 2508	5020	winver.exe	svchost.exe
PID 5020 wrote to memory of 2632	5020	winver.exe	taskhostw.exe
PID 5020 wrote to memory of 3364	5020	winver.exe	Explorer.EXE
PID 5020 wrote to memory of 3544	5020	winver.exe	svchost.exe
PID 5020 wrote to memory of 3716	5020	winver.exe	DllHost.exe
PID 5020 wrote to memory of 3816	5020	winver.exe	StartMenuExperienceHost.exe
PID 5020 wrote to memory of 3920	5020	winver.exe	RuntimeBroker.exe
PID 5020 wrote to memory of 4008	5020	winver.exe	SearchApp.exe
PID 5020 wrote to memory of 3848	5020	winver.exe	RuntimeBroker.exe
PID 5020 wrote to memory of 4360	5020	winver.exe	RuntimeBroker.exe
PID 5020 wrote to memory of 3124	5020	winver.exe	TextInputHost.exe
PID 5020 wrote to memory of 320	5020	winver.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	winver.exe	msedge.exe
PID 5020 wrote to memory of 2560	5020	winver.exe	msedge.exe
PID 5020 wrote to memory of 4604	5020	winver.exe	msedge.exe
PID 5020 wrote to memory of 3864	5020	winver.exe	msedge.exe
PID 5020 wrote to memory of 768	5020	winver.exe	msedge.exe
PID 5020 wrote to memory of 3172	5020	winver.exe	msedge.exe
PID 5020 wrote to memory of 4452	5020	winver.exe	90dba29fcade78275c78d0471d85eaf0cf546f0b001379445191b59ada9914d6_NeikiAnalytics.exe
PID 5020 wrote to memory of 3252	5020	winver.exe	msedge.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2508

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2632

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\90dba29fcade78275c78d0471d85eaf0cf546f0b001379445191b59ada9914d6_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\90dba29fcade78275c78d0471d85eaf0cf546f0b001379445191b59ada9914d6_NeikiAnalytics.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\SysWOW64\winver.exe
winver
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3816

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4008

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4360

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b0,0x7ffe57e72e98,0x7ffe57e72ea4,0x7ffe57e72eb0
2⤵
PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2280 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:2
2⤵
PID:2560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2328 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:3
2⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2472 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
2⤵
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5232 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
2⤵
PID:768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5540 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
2⤵
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
2⤵
PID:3252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
14efa5b02435907eca1826c989095ac6

SHA1
13bfb1a3d27eba9f7291c879517a3987a54d4d9f

SHA256
f67ee765a0bf78d17ef51015cc493cbcc7eacbf57ffc4cf5174c6dbc8edd20f6

SHA512
f2f0ad4e460c7cba0907063b2fff90627979ee2d95bc76321aa95712a1683352126c5a3ba3633e6c057e4760d74410af62d39f5612a3a3bf8723d69ce02b22f8

Download Submit
memory/2460-31-0x0000000000B40000-0x0000000000B46000-memory.dmp

Filesize
24KB

Download
memory/2460-8-0x0000000000B40000-0x0000000000B46000-memory.dmp

Filesize
24KB

Download
memory/2508-9-0x0000000000AE0000-0x0000000000AE6000-memory.dmp

Filesize
24KB

Download
memory/2508-30-0x0000000000AE0000-0x0000000000AE6000-memory.dmp

Filesize
24KB

Download
memory/2632-29-0x0000000000BE0000-0x0000000000BE6000-memory.dmp

Filesize
24KB

Download
memory/2632-10-0x0000000000BE0000-0x0000000000BE6000-memory.dmp

Filesize
24KB

Download
memory/3124-19-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/3124-32-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/3364-11-0x00000000009E0000-0x00000000009E6000-memory.dmp

Filesize
24KB

Download
memory/3364-4-0x00000000009D0000-0x00000000009D6000-memory.dmp

Filesize
24KB

Download
memory/3364-24-0x00000000009E0000-0x00000000009E6000-memory.dmp

Filesize
24KB

Download
memory/3364-7-0x00000000009D0000-0x00000000009D6000-memory.dmp

Filesize
24KB

Download
memory/3544-12-0x0000000000800000-0x0000000000806000-memory.dmp

Filesize
24KB

Download
memory/3544-27-0x0000000000800000-0x0000000000806000-memory.dmp

Filesize
24KB

Download
memory/3716-13-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/3716-28-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/3816-14-0x0000000000DC0000-0x0000000000DC6000-memory.dmp

Filesize
24KB

Download
memory/3816-25-0x0000000000DC0000-0x0000000000DC6000-memory.dmp

Filesize
24KB

Download
memory/3848-17-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/3848-34-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/3920-15-0x00000000006E0000-0x00000000006E6000-memory.dmp

Filesize
24KB

Download
memory/3920-26-0x00000000006E0000-0x00000000006E6000-memory.dmp

Filesize
24KB

Download
memory/4008-16-0x0000000000FB0000-0x0000000000FB6000-memory.dmp

Filesize
24KB

Download
memory/4360-18-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/4360-33-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/4452-23-0x00000000046D0000-0x0000000004D28000-memory.dmp

Filesize
6.3MB

Download
memory/4452-22-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4452-1-0x00000000046D0000-0x0000000004D28000-memory.dmp

Filesize
6.3MB

Download
memory/4452-2-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/5020-20-0x0000000000AC0000-0x0000000000AC6000-memory.dmp

Filesize
24KB

Download
memory/5020-5-0x0000000000640000-0x0000000000646000-memory.dmp

Filesize
24KB

Download
memory/5020-36-0x0000000000AC0000-0x0000000000AC6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads