nymaim | 21399a0ba530065b123a8e27789516d3b5bc3524f399b54fcec1df2a8cf54a01

General

Target

2185f9871584f842f3860887b2b05c5e.exe
Size

5.1MB
MD5

2185f9871584f842f3860887b2b05c5e
SHA1

f7ff56cf61da3989bf014f06f5372de1b33ded93
SHA256

21399a0ba530065b123a8e27789516d3b5bc3524f399b54fcec1df2a8cf54a01
SHA512

fdcd621fa19139d2ca84145d02ac2a87bb8058d737889e85e0a5101a2f9916bdd1c1a794becaa35042c97cb56704ba0ae5cfd13f26f1b2ee6518efac3babf23a
SSDEEP

49152:2PFJCvLqOaSTK5ISawpVpVliC8TkxY+kut4pRju5lhnsVfB0n7:2PFsjqOaSFUK+kumpRyBsV50n7

Score

10^/10

nymaim trojan

Malware Config

Extracted

Family

nymaim

C2

208.67.104.97

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim

Executes dropped EXE 2 IoCs

pid	Process
1152	syctem.exe
948	syctem.exe

Loads dropped DLL 2 IoCs

pid	Process
1464	2185f9871584f842f3860887b2b05c5e.exe
1464	2185f9871584f842f3860887b2b05c5e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1152 set thread context of 948	1152	syctem.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1004	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1004	taskkill.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1152	1464	2185f9871584f842f3860887b2b05c5e.exe	26
PID 1464 wrote to memory of 1152	1464	2185f9871584f842f3860887b2b05c5e.exe	26
PID 1464 wrote to memory of 1152	1464	2185f9871584f842f3860887b2b05c5e.exe	26
PID 1464 wrote to memory of 1152	1464	2185f9871584f842f3860887b2b05c5e.exe	26
PID 1152 wrote to memory of 948	1152	syctem.exe	27
PID 1152 wrote to memory of 948	1152	syctem.exe	27
PID 1152 wrote to memory of 948	1152	syctem.exe	27
PID 1152 wrote to memory of 948	1152	syctem.exe	27
PID 1152 wrote to memory of 948	1152	syctem.exe	27
PID 1152 wrote to memory of 948	1152	syctem.exe	27
PID 948 wrote to memory of 1840	948	syctem.exe	30
PID 948 wrote to memory of 1840	948	syctem.exe	30
PID 948 wrote to memory of 1840	948	syctem.exe	30
PID 948 wrote to memory of 1840	948	syctem.exe	30
PID 1840 wrote to memory of 1004	1840	cmd.exe	32
PID 1840 wrote to memory of 1004	1840	cmd.exe	32
PID 1840 wrote to memory of 1004	1840	cmd.exe	32
PID 1840 wrote to memory of 1004	1840	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\2185f9871584f842f3860887b2b05c5e.exe
"C:\Users\Admin\AppData\Local\Temp\2185f9871584f842f3860887b2b05c5e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1464
- C:\ProgramData\All rights reserved 2022 Registered trademark of Corporation\Create a self Broadcast\Create a self Broadcast\{20ACABA4-D365D9-4DF4-B3fgdDA-2DF6A95A6318}\syctem.exe
  "C:\ProgramData\All rights reserved 2022 Registered trademark of Corporation\Create a self Broadcast\Create a self Broadcast\{20ACABA4-D365D9-4DF4-B3fgdDA-2DF6A95A6318}\syctem.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\ProgramData\All rights reserved 2022 Registered trademark of Corporation\Create a self Broadcast\Create a self Broadcast\{20ACABA4-D365D9-4DF4-B3fgdDA-2DF6A95A6318}\syctem.exe
    "C:\ProgramData\All rights reserved 2022 Registered trademark of Corporation\Create a self Broadcast\Create a self Broadcast\{20ACABA4-D365D9-4DF4-B3fgdDA-2DF6A95A6318}\syctem.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "syctem.exe" /f & erase "C:\ProgramData\All rights reserved 2022 Registered trademark of Corporation\Create a self Broadcast\Create a self Broadcast\{20ACABA4-D365D9-4DF4-B3fgdDA-2DF6A95A6318}\syctem.exe" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1840
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "syctem.exe" /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\All rights reserved 2022 Registered trademark of Corporation\Create a self Broadcast\Create a self Broadcast\{20ACABA4-D365D9-4DF4-B3fgdDA-2DF6A95A6318}\syctem.exe

Filesize
1.4MB

MD5
9611edc9756cd88b1a5d4ffba1a6bd6a

SHA1
eef49dff573df3b8d26005943266097cb08f5753

SHA256
66de49238e75068fbe3933815dafad1b7f4e6f00980ca7598468b7907913d64e

SHA512
a5f56284ab266582fe367618f3897b00b90853f35b55fafa3a7b456d55f7a3e1a1c6b7b47421c97980813a0ee4193c5f3381d1e270c882f3e10b03ceec295540

Download Submit
C:\ProgramData\All rights reserved 2022 Registered trademark of Corporation\Create a self Broadcast\Create a self Broadcast\{20ACABA4-D365D9-4DF4-B3fgdDA-2DF6A95A6318}\syctem.exe

Filesize
1.4MB

MD5
9611edc9756cd88b1a5d4ffba1a6bd6a

SHA1
eef49dff573df3b8d26005943266097cb08f5753

SHA256
66de49238e75068fbe3933815dafad1b7f4e6f00980ca7598468b7907913d64e

SHA512
a5f56284ab266582fe367618f3897b00b90853f35b55fafa3a7b456d55f7a3e1a1c6b7b47421c97980813a0ee4193c5f3381d1e270c882f3e10b03ceec295540

Download Submit
C:\ProgramData\All rights reserved 2022 Registered trademark of Corporation\Create a self Broadcast\Create a self Broadcast\{20ACABA4-D365D9-4DF4-B3fgdDA-2DF6A95A6318}\syctem.exe

Filesize
1.4MB

MD5
9611edc9756cd88b1a5d4ffba1a6bd6a

SHA1
eef49dff573df3b8d26005943266097cb08f5753

SHA256
66de49238e75068fbe3933815dafad1b7f4e6f00980ca7598468b7907913d64e

SHA512
a5f56284ab266582fe367618f3897b00b90853f35b55fafa3a7b456d55f7a3e1a1c6b7b47421c97980813a0ee4193c5f3381d1e270c882f3e10b03ceec295540

Download Submit
\ProgramData\All rights reserved 2022 Registered trademark of Corporation\Create a self Broadcast\Create a self Broadcast\{20ACABA4-D365D9-4DF4-B3fgdDA-2DF6A95A6318}\syctem.exe

Filesize
1.4MB

MD5
9611edc9756cd88b1a5d4ffba1a6bd6a

SHA1
eef49dff573df3b8d26005943266097cb08f5753

SHA256
66de49238e75068fbe3933815dafad1b7f4e6f00980ca7598468b7907913d64e

SHA512
a5f56284ab266582fe367618f3897b00b90853f35b55fafa3a7b456d55f7a3e1a1c6b7b47421c97980813a0ee4193c5f3381d1e270c882f3e10b03ceec295540

Download Submit
\ProgramData\All rights reserved 2022 Registered trademark of Corporation\Create a self Broadcast\Create a self Broadcast\{20ACABA4-D365D9-4DF4-B3fgdDA-2DF6A95A6318}\syctem.exe

Filesize
1.4MB

MD5
9611edc9756cd88b1a5d4ffba1a6bd6a

SHA1
eef49dff573df3b8d26005943266097cb08f5753

SHA256
66de49238e75068fbe3933815dafad1b7f4e6f00980ca7598468b7907913d64e

SHA512
a5f56284ab266582fe367618f3897b00b90853f35b55fafa3a7b456d55f7a3e1a1c6b7b47421c97980813a0ee4193c5f3381d1e270c882f3e10b03ceec295540

Download Submit
memory/948-62-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/948-60-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/948-68-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/948-71-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/948-73-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1152-66-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1464-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1464-69-0x0000000003640000-0x000000000368F000-memory.dmp

Filesize
316KB

Download
memory/1464-70-0x0000000003640000-0x000000000368F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing