tinba | 14f66ddee592fcad0dca990e27e87dcd52517035079b23062869bb2bf0ef17e0

General

Target

14f66ddee592fcad0dca990e27e87dcd52517035079b23062869bb2bf0ef17e0_NeikiAnalytics.exe
Size

98KB
MD5

6a0c4119d7dd196e93cec0fccb910160
SHA1

ca846aa4242332340d03342962d136e70492896e
SHA256

14f66ddee592fcad0dca990e27e87dcd52517035079b23062869bb2bf0ef17e0
SHA512

8286ac1ed176538621a045d63609b4936df8508f38302c92b44be401d61815782cc09b97fde3eb813c5b823061bf83818db881aa0403a8c573d516ea733ed1f6
SSDEEP

768:q+6p+OMlgGMCWhfDzU7f7JDgi9I57+sByZ+XsfXpwtG9ipelU9JF:q+mFM2HXKZgi9Iksu+XM57ipeq9JF

Score

10^/10

tinba banker persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\83DF87EB = "C:\\Users\\Admin\\AppData\\Roaming\\83DF87EB\\bin.exe"	winver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

winver.exe

pid	process
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe
2752	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winver.exe

pid process

2752 winver.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

14f66ddee592fcad0dca990e27e87dcd52517035079b23062869bb2bf0ef17e0_NeikiAnalytics.exewinver.exe

description	pid	process	target process
PID 1968 wrote to memory of 2752	1968	14f66ddee592fcad0dca990e27e87dcd52517035079b23062869bb2bf0ef17e0_NeikiAnalytics.exe	winver.exe
PID 1968 wrote to memory of 2752	1968	14f66ddee592fcad0dca990e27e87dcd52517035079b23062869bb2bf0ef17e0_NeikiAnalytics.exe	winver.exe
PID 1968 wrote to memory of 2752	1968	14f66ddee592fcad0dca990e27e87dcd52517035079b23062869bb2bf0ef17e0_NeikiAnalytics.exe	winver.exe
PID 1968 wrote to memory of 2752	1968	14f66ddee592fcad0dca990e27e87dcd52517035079b23062869bb2bf0ef17e0_NeikiAnalytics.exe	winver.exe
PID 1968 wrote to memory of 2752	1968	14f66ddee592fcad0dca990e27e87dcd52517035079b23062869bb2bf0ef17e0_NeikiAnalytics.exe	winver.exe
PID 2752 wrote to memory of 1196	2752	winver.exe	Explorer.EXE
PID 2752 wrote to memory of 1068	2752	winver.exe	taskhost.exe
PID 2752 wrote to memory of 1124	2752	winver.exe	Dwm.exe
PID 2752 wrote to memory of 1196	2752	winver.exe	Explorer.EXE

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1068

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\14f66ddee592fcad0dca990e27e87dcd52517035079b23062869bb2bf0ef17e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\14f66ddee592fcad0dca990e27e87dcd52517035079b23062869bb2bf0ef17e0_NeikiAnalytics.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\winver.exe
winver
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1068-21-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/1068-22-0x0000000077681000-0x0000000077682000-memory.dmp

Filesize
4KB

Download
memory/1124-18-0x0000000001F90000-0x0000000001F96000-memory.dmp

Filesize
24KB

Download
memory/1124-23-0x0000000001F90000-0x0000000001F96000-memory.dmp

Filesize
24KB

Download
memory/1196-20-0x0000000002580000-0x0000000002586000-memory.dmp

Filesize
24KB

Download
memory/1196-3-0x00000000021A0000-0x00000000021A6000-memory.dmp

Filesize
24KB

Download
memory/1196-2-0x00000000021A0000-0x00000000021A6000-memory.dmp

Filesize
24KB

Download
memory/1196-1-0x00000000021A0000-0x00000000021A6000-memory.dmp

Filesize
24KB

Download
memory/1196-9-0x0000000077681000-0x0000000077682000-memory.dmp

Filesize
4KB

Download
memory/1196-24-0x0000000002580000-0x0000000002586000-memory.dmp

Filesize
24KB

Download
memory/1968-4-0x0000000001CF0000-0x00000000026F0000-memory.dmp

Filesize
10.0MB

Download
memory/1968-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1968-12-0x0000000001CF0000-0x00000000026F0000-memory.dmp

Filesize
10.0MB

Download
memory/1968-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2752-5-0x00000000000F0000-0x00000000000F6000-memory.dmp

Filesize
24KB

Download
memory/2752-6-0x0000000077830000-0x0000000077831000-memory.dmp

Filesize
4KB

Download
memory/2752-7-0x000000007782F000-0x0000000077830000-memory.dmp

Filesize
4KB

Download
memory/2752-8-0x000000007782F000-0x0000000077831000-memory.dmp

Filesize
8KB

Download
memory/2752-10-0x0000000077630000-0x00000000777D9000-memory.dmp

Filesize
1.7MB

Download
memory/2752-28-0x00000000000F0000-0x00000000000F6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads