Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/09/2022, 13:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    284KB

  • MD5

    5cd9388b0e60981c36bc0553a1ca540a

  • SHA1

    3227b002a4f6b6e0b1962ca395133b1dc8c77e84

  • SHA256

    4ccaf0fd0ebf9417aae0e341166b21f3429908e3710d1c745344c399893cb669

  • SHA512

    7d820dc13a8d8ca8d4798038b1d94122615c5b5f413f9c5de41eb2692ed0a512a6266751d12e8084b20f06ccc7e44f374f471a746c20287a98218b3a357126cc

  • SSDEEP

    3072:FJOaLxo02cb5wPpkxYlpkqYSegeCgdLQjNHg7RA+zVRCnWPaVZdiuhz82Dk+Exx1:fLd2VBl3HgNQjF+zV8WPG5Fw+qx32AY

Score
10/10
nymaimtrojan

Malware Config

Extracted

Family

nymaim

C2

208.67.104.97

85.31.46.167

Signatures

  • NyMaim

    NyMaim is a malware with various capabilities written in C++ and first seen in 2013.

    trojannymaim
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 11 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 464
      2⤵
      • Program crash
      PID:2976
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 768
      2⤵
      • Program crash
      PID:4820
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 776
      2⤵
      • Program crash
      PID:4692
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 800
      2⤵
      • Program crash
      PID:4160
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 780
      2⤵
      • Program crash
      PID:1884
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 928
      2⤵
      • Program crash
      PID:4880
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 932
      2⤵
      • Program crash
      PID:5108
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1376
      2⤵
      • Program crash
      PID:3196
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\YeHQt6G3YbVMYe\Cleaner.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Users\Admin\AppData\Local\Temp\YeHQt6G3YbVMYe\Cleaner.exe
        "C:\Users\Admin\AppData\Local\Temp\YeHQt6G3YbVMYe\Cleaner.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2312
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1376
      2⤵
      • Program crash
      PID:1664
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1648
      2⤵
      • Program crash
      PID:4200
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\file.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:796
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "file.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1144
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1360
      2⤵
      • Program crash
      PID:3264
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4760 -ip 4760
    1⤵
      PID:1688
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4760 -ip 4760
      1⤵
        PID:3932
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4760 -ip 4760
        1⤵
          PID:4772
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4760 -ip 4760
          1⤵
            PID:3760
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4760 -ip 4760
            1⤵
              PID:732
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4760 -ip 4760
              1⤵
                PID:2384
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4760 -ip 4760
                1⤵
                  PID:616
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4760 -ip 4760
                  1⤵
                    PID:2644
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4760 -ip 4760
                    1⤵
                      PID:4036
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4760 -ip 4760
                      1⤵
                        PID:4832
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4760 -ip 4760
                        1⤵
                          PID:2672

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\YeHQt6G3YbVMYe\Bunifu_UI_v1.5.3.dll
                          Filesize

                          236KB

                          MD5

                          2ecb51ab00c5f340380ecf849291dbcf

                          SHA1

                          1a4dffbce2a4ce65495ed79eab42a4da3b660931

                          SHA256

                          f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

                          SHA512

                          e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\YeHQt6G3YbVMYe\Cleaner.exe
                          Filesize

                          3.8MB

                          MD5

                          23c1e8f48ec06960bbd9969c1f404192

                          SHA1

                          b9384151eb3f2dbd095fa273c248722e1cc74ea3

                          SHA256

                          301d9c55653f6cd8211aafdaf130092cb7ef8ea2e54db2db97153c1c8abf272c

                          SHA512

                          f572e3a0ad58b3a1ed22db00b05a3909f7f53f70b84ab736e2dd6ddc54d8781fcffe4a9b33b0dd2836d438a1982b944426fe4ed01bd866bd77e20046220f2b5b

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\YeHQt6G3YbVMYe\Cleaner.exe
                          Filesize

                          3.8MB

                          MD5

                          23c1e8f48ec06960bbd9969c1f404192

                          SHA1

                          b9384151eb3f2dbd095fa273c248722e1cc74ea3

                          SHA256

                          301d9c55653f6cd8211aafdaf130092cb7ef8ea2e54db2db97153c1c8abf272c

                          SHA512

                          f572e3a0ad58b3a1ed22db00b05a3909f7f53f70b84ab736e2dd6ddc54d8781fcffe4a9b33b0dd2836d438a1982b944426fe4ed01bd866bd77e20046220f2b5b

                          Download Submit

                        • memory/2312-144-0x00007FFB92040000-0x00007FFB92B01000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2312-141-0x0000026B01A70000-0x0000026B01BF0000-memory.dmp

                          Filesize

                          1.5MB

                          Download

                        • memory/2312-143-0x0000026B037E0000-0x0000026B03822000-memory.dmp

                          Filesize

                          264KB

                          Download

                        • memory/2312-145-0x00007FFB92040000-0x00007FFB92B01000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/4760-137-0x0000000000400000-0x00000000005A1000-memory.dmp

                          Filesize

                          1.6MB

                          Download

                        • memory/4760-136-0x0000000000609000-0x000000000062F000-memory.dmp

                          Filesize

                          152KB

                          Download

                        • memory/4760-132-0x0000000000609000-0x000000000062F000-memory.dmp

                          Filesize

                          152KB

                          Download

                        • memory/4760-146-0x0000000010000000-0x000000001001B000-memory.dmp

                          Filesize

                          108KB

                          Download

                        • memory/4760-134-0x0000000000400000-0x00000000005A1000-memory.dmp

                          Filesize

                          1.6MB

                          Download

                        • memory/4760-133-0x00000000021A0000-0x00000000021DF000-memory.dmp

                          Filesize

                          252KB

                          Download

                        • memory/4760-152-0x0000000000400000-0x00000000005A1000-memory.dmp

                          Filesize

                          1.6MB

                          Download