nymaim | e8638c41223f671b889dfd47b715053395d0ed4c5cae4690a1efd8ad73285545

General

Target

file.exe
Size

284KB
MD5

e0663b43a4ddd17bdca98000cca9cbf7
SHA1

36bb48bc564dd672fd3e1a390024e463ff81c48c
SHA256

e8638c41223f671b889dfd47b715053395d0ed4c5cae4690a1efd8ad73285545
SHA512

13dc899e129a16242b9c1c75869cafda10502ddecfd241cbc7d4015e6de91d5a998a51f99984b6a6ac833c9f60dab8e2e6b457abe57f292e672a3b748b96e446
SSDEEP

3072:wt2AIALOjEjz5N5Dpzd/Ox95/jV/7RdMgq92lvKYDYGOULHqsOUAjs9+J1sYPNq1:kLzjRxEXdV/rbyGXYGOUVOUAjskqYP

Score

10^/10

nymaim trojan

Malware Config

Extracted

Family

nymaim

C2

208.67.104.97

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

Cleaner.exe

pid process

1164 Cleaner.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1140 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1784 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1940 1164 WerFault.exe Cleaner.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1060 taskkill.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

file.exe

pid process

1044 file.exe
1044 file.exe
1044 file.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Cleaner.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1164 Cleaner.exe
Token: SeDebugPrivilege 1060 taskkill.exe

pid	process
1164	Cleaner.exe

pid	process
1140	cmd.exe

pid	process
1784	cmd.exe

pid	pid_target	process	target process
1940	1164	WerFault.exe	Cleaner.exe

pid	process
1060	taskkill.exe

pid	process
1044	file.exe
1044	file.exe
1044	file.exe

description	pid	process
Token: SeDebugPrivilege	1164	Cleaner.exe
Token: SeDebugPrivilege	1060	taskkill.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

file.execmd.exeCleaner.execmd.exe

description	pid	process	target process
PID 1044 wrote to memory of 1784	1044	file.exe	cmd.exe
PID 1044 wrote to memory of 1784	1044	file.exe	cmd.exe
PID 1044 wrote to memory of 1784	1044	file.exe	cmd.exe
PID 1044 wrote to memory of 1784	1044	file.exe	cmd.exe
PID 1784 wrote to memory of 1164	1784	cmd.exe	Cleaner.exe
PID 1784 wrote to memory of 1164	1784	cmd.exe	Cleaner.exe
PID 1784 wrote to memory of 1164	1784	cmd.exe	Cleaner.exe
PID 1784 wrote to memory of 1164	1784	cmd.exe	Cleaner.exe
PID 1164 wrote to memory of 1940	1164	Cleaner.exe	WerFault.exe
PID 1164 wrote to memory of 1940	1164	Cleaner.exe	WerFault.exe
PID 1164 wrote to memory of 1940	1164	Cleaner.exe	WerFault.exe
PID 1044 wrote to memory of 1140	1044	file.exe	cmd.exe
PID 1044 wrote to memory of 1140	1044	file.exe	cmd.exe
PID 1044 wrote to memory of 1140	1044	file.exe	cmd.exe
PID 1044 wrote to memory of 1140	1044	file.exe	cmd.exe
PID 1140 wrote to memory of 1060	1140	cmd.exe	taskkill.exe
PID 1140 wrote to memory of 1060	1140	cmd.exe	taskkill.exe
PID 1140 wrote to memory of 1060	1140	cmd.exe	taskkill.exe
PID 1140 wrote to memory of 1060	1140	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\3XHE6G4kBF4bHwUMdZxdUkNFcr2P\Cleaner.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Local\Temp\3XHE6G4kBF4bHwUMdZxdUkNFcr2P\Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\3XHE6G4kBF4bHwUMdZxdUkNFcr2P\Cleaner.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1164 -s 1144
4⤵
- Program crash
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\file.exe" & exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "file.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3XHE6G4kBF4bHwUMdZxdUkNFcr2P\Bunifu_UI_v1.5.3.dll
Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3XHE6G4kBF4bHwUMdZxdUkNFcr2P\Cleaner.exe
Filesize
3.8MB

MD5
23c1e8f48ec06960bbd9969c1f404192

SHA1
b9384151eb3f2dbd095fa273c248722e1cc74ea3

SHA256
301d9c55653f6cd8211aafdaf130092cb7ef8ea2e54db2db97153c1c8abf272c

SHA512
f572e3a0ad58b3a1ed22db00b05a3909f7f53f70b84ab736e2dd6ddc54d8781fcffe4a9b33b0dd2836d438a1982b944426fe4ed01bd866bd77e20046220f2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3XHE6G4kBF4bHwUMdZxdUkNFcr2P\Cleaner.exe
Filesize
3.8MB

MD5
23c1e8f48ec06960bbd9969c1f404192

SHA1
b9384151eb3f2dbd095fa273c248722e1cc74ea3

SHA256
301d9c55653f6cd8211aafdaf130092cb7ef8ea2e54db2db97153c1c8abf272c

SHA512
f572e3a0ad58b3a1ed22db00b05a3909f7f53f70b84ab736e2dd6ddc54d8781fcffe4a9b33b0dd2836d438a1982b944426fe4ed01bd866bd77e20046220f2b5b

Download Submit
\Users\Admin\AppData\Local\Temp\3XHE6G4kBF4bHwUMdZxdUkNFcr2P\Cleaner.exe
Filesize
3.8MB

MD5
23c1e8f48ec06960bbd9969c1f404192

SHA1
b9384151eb3f2dbd095fa273c248722e1cc74ea3

SHA256
301d9c55653f6cd8211aafdaf130092cb7ef8ea2e54db2db97153c1c8abf272c

SHA512
f572e3a0ad58b3a1ed22db00b05a3909f7f53f70b84ab736e2dd6ddc54d8781fcffe4a9b33b0dd2836d438a1982b944426fe4ed01bd866bd77e20046220f2b5b

Download Submit
memory/1044-57-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/1044-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1044-70-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1044-56-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/1044-76-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/1044-64-0x000000000064B000-0x0000000000672000-memory.dmp

Filesize
156KB

Download
memory/1044-65-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/1044-75-0x000000000064B000-0x0000000000672000-memory.dmp

Filesize
156KB

Download
memory/1044-55-0x000000000064B000-0x0000000000672000-memory.dmp

Filesize
156KB

Download
memory/1060-77-0x0000000000000000-mapping.dmp

Download
memory/1140-74-0x0000000000000000-mapping.dmp

Download
memory/1164-60-0x0000000000000000-mapping.dmp

Download
memory/1164-68-0x0000000000580000-0x00000000005C2000-memory.dmp

Filesize
264KB

Download
memory/1164-66-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download
memory/1164-63-0x00000000000E0000-0x0000000000260000-memory.dmp

Filesize
1.5MB

Download
memory/1784-58-0x0000000000000000-mapping.dmp

Download
memory/1940-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing