Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    42s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    16/09/2022, 16:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    392KB

  • MD5

    3e74f8779fd525355e262cca7d5197ea

  • SHA1

    a7c8b45b9695e485d276ff2f45897722168abf35

  • SHA256

    1faf2a191de3233262fab81e8ffb9a58314019b06f76fb43798bd194897a3935

  • SHA512

    60ffecf1661de9a700d30b6e7de653c236eef2f8c4605f6a0810804b7c4dc91c8e8ad746ae007b0f5c2fd5377e10cadbc52657c3de071bb0147e3b5503da1167

  • SSDEEP

    6144:x5WhuS3kEPa/aW8W7OtTL+EDV4WafP9dhwQKf0PBV3nigabwVf:x5OuS3yFrEDV4NfCQB73i

Score
10/10
nymaimtrojan

Malware Config

Extracted

Family

nymaim

C2

208.67.104.97

85.31.46.167

Signatures

  • NyMaim

    NyMaim is a malware with various capabilities written in C++ and first seen in 2013.

    trojannymaim
  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\file.exe" & exit
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "file.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1688

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2012-54-0x0000000075E81000-0x0000000075E83000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2012-56-0x0000000000220000-0x0000000000262000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2012-55-0x00000000008CB000-0x00000000008F2000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2012-57-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

    Download

  • memory/2012-59-0x00000000008CB000-0x00000000008F2000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2012-60-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

    Download