tinba | 0208ce58440e22189132e995568b36519b3e8233a98d3fd384a2e27406638487

General

Target

0208ce58440e22189132e995568b36519b3e8233a98d3fd384a2e27406638487_NeikiAnalytics.exe
Size

225KB
MD5

dc9862e215fcef69bce013c37a0a6e80
SHA1

b82a77b988adb1cd883806d4bd1a6fe8898f027c
SHA256

0208ce58440e22189132e995568b36519b3e8233a98d3fd384a2e27406638487
SHA512

7704054733bbb62451de79edc19e179ef398e41c439ddbe50f4f3ca97dbe005767f9c0ae0ec6749e140025c9a890bb2f638b1182000411e63b301db65ec5ab93
SSDEEP

6144:xA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:xATuTAnKGwUAW3ycQqgf

Score

10^/10

tinba banker persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CFFF5C3A = "C:\\Users\\Admin\\AppData\\Roaming\\CFFF5C3A\\bin.exe"	winver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

winver.exe

pid	process
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe
4600	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winver.exe

pid process

4600 winver.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

0208ce58440e22189132e995568b36519b3e8233a98d3fd384a2e27406638487_NeikiAnalytics.exewinver.exe

description	pid	process	target process
PID 3292 wrote to memory of 4600	3292	0208ce58440e22189132e995568b36519b3e8233a98d3fd384a2e27406638487_NeikiAnalytics.exe	winver.exe
PID 3292 wrote to memory of 4600	3292	0208ce58440e22189132e995568b36519b3e8233a98d3fd384a2e27406638487_NeikiAnalytics.exe	winver.exe
PID 3292 wrote to memory of 4600	3292	0208ce58440e22189132e995568b36519b3e8233a98d3fd384a2e27406638487_NeikiAnalytics.exe	winver.exe
PID 3292 wrote to memory of 4600	3292	0208ce58440e22189132e995568b36519b3e8233a98d3fd384a2e27406638487_NeikiAnalytics.exe	winver.exe
PID 4600 wrote to memory of 3332	4600	winver.exe	Explorer.EXE
PID 4600 wrote to memory of 2572	4600	winver.exe	sihost.exe
PID 4600 wrote to memory of 2580	4600	winver.exe	svchost.exe
PID 4600 wrote to memory of 2824	4600	winver.exe	taskhostw.exe
PID 4600 wrote to memory of 3332	4600	winver.exe	Explorer.EXE
PID 4600 wrote to memory of 3512	4600	winver.exe	svchost.exe
PID 4600 wrote to memory of 3712	4600	winver.exe	DllHost.exe
PID 4600 wrote to memory of 3856	4600	winver.exe	StartMenuExperienceHost.exe
PID 4600 wrote to memory of 3932	4600	winver.exe	RuntimeBroker.exe
PID 4600 wrote to memory of 4016	4600	winver.exe	SearchApp.exe
PID 4600 wrote to memory of 3444	4600	winver.exe	RuntimeBroker.exe
PID 4600 wrote to memory of 4704	4600	winver.exe	RuntimeBroker.exe
PID 4600 wrote to memory of 4332	4600	winver.exe	TextInputHost.exe
PID 4600 wrote to memory of 2368	4600	winver.exe	RuntimeBroker.exe
PID 4600 wrote to memory of 3008	4600	winver.exe	msedge.exe
PID 4600 wrote to memory of 4916	4600	winver.exe	msedge.exe
PID 4600 wrote to memory of 3580	4600	winver.exe	msedge.exe
PID 4600 wrote to memory of 2724	4600	winver.exe	msedge.exe
PID 4600 wrote to memory of 3452	4600	winver.exe	msedge.exe
PID 4600 wrote to memory of 3032	4600	winver.exe	msedge.exe
PID 4600 wrote to memory of 3920	4600	winver.exe	msedge.exe
PID 4600 wrote to memory of 3292	4600	winver.exe	0208ce58440e22189132e995568b36519b3e8233a98d3fd384a2e27406638487_NeikiAnalytics.exe
PID 4600 wrote to memory of 4940	4600	winver.exe	msedge.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2580

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2824

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\0208ce58440e22189132e995568b36519b3e8233a98d3fd384a2e27406638487_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0208ce58440e22189132e995568b36519b3e8233a98d3fd384a2e27406638487_NeikiAnalytics.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\SysWOW64\winver.exe
winver
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3512

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3712

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3932

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3444

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4704

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4332

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ffc9b282e98,0x7ffc9b282ea4,0x7ffc9b282eb0
2⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2652 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:2
2⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2756 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:3
2⤵
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2860 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
2⤵
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5424 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
2⤵
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5580 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
2⤵
PID:3920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5072 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
2⤵
PID:4940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:2376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2368-38-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/2368-22-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/2572-29-0x00000000007E0000-0x00000000007E6000-memory.dmp

Filesize
24KB

Download
memory/2572-10-0x00000000007E0000-0x00000000007E6000-memory.dmp

Filesize
24KB

Download
memory/2580-11-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2580-27-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2824-12-0x00000000008A0000-0x00000000008A6000-memory.dmp

Filesize
24KB

Download
memory/2824-34-0x00000000008A0000-0x00000000008A6000-memory.dmp

Filesize
24KB

Download
memory/3292-1-0x0000000004590000-0x0000000004BE8000-memory.dmp

Filesize
6.3MB

Download
memory/3292-4-0x0000000003E40000-0x0000000003E41000-memory.dmp

Filesize
4KB

Download
memory/3292-3-0x0000000003E40000-0x0000000003E41000-memory.dmp

Filesize
4KB

Download
memory/3292-26-0x0000000004590000-0x0000000004BE8000-memory.dmp

Filesize
6.3MB

Download
memory/3292-2-0x0000000003E40000-0x0000000003E41000-memory.dmp

Filesize
4KB

Download
memory/3292-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3332-9-0x0000000000AA0000-0x0000000000AA6000-memory.dmp

Filesize
24KB

Download
memory/3332-28-0x0000000000AC0000-0x0000000000AC6000-memory.dmp

Filesize
24KB

Download
memory/3332-13-0x0000000000AC0000-0x0000000000AC6000-memory.dmp

Filesize
24KB

Download
memory/3332-6-0x0000000000AA0000-0x0000000000AA6000-memory.dmp

Filesize
24KB

Download
memory/3444-19-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/3444-37-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/3512-14-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/3512-32-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/3712-33-0x0000000000860000-0x0000000000866000-memory.dmp

Filesize
24KB

Download
memory/3712-15-0x0000000000860000-0x0000000000866000-memory.dmp

Filesize
24KB

Download
memory/3856-31-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/3856-16-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/3932-30-0x0000000000900000-0x0000000000906000-memory.dmp

Filesize
24KB

Download
memory/3932-17-0x0000000000900000-0x0000000000906000-memory.dmp

Filesize
24KB

Download
memory/4016-18-0x0000000000C60000-0x0000000000C66000-memory.dmp

Filesize
24KB

Download
memory/4332-21-0x0000000000850000-0x0000000000856000-memory.dmp

Filesize
24KB

Download
memory/4332-35-0x0000000000850000-0x0000000000856000-memory.dmp

Filesize
24KB

Download
memory/4600-23-0x0000000002AE0000-0x0000000002AE6000-memory.dmp

Filesize
24KB

Download
memory/4600-7-0x0000000002960000-0x0000000002966000-memory.dmp

Filesize
24KB

Download
memory/4600-40-0x0000000002AE0000-0x0000000002AE6000-memory.dmp

Filesize
24KB

Download
memory/4704-20-0x00000000007E0000-0x00000000007E6000-memory.dmp

Filesize
24KB

Download
memory/4704-36-0x00000000007E0000-0x00000000007E6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads