Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2022 04:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    284KB

  • MD5

    7c8fa3a31691bc212a3903c922efbabc

  • SHA1

    7e5c6794c3973a4407574e3a29bd4a4200805f69

  • SHA256

    7ed19db28d8c8a77f137e6e0cd14371e0983b41ebd310ef27f427ed82a2ad71e

  • SHA512

    41ea1ce1bc14d607c71efa55917ddb3611bf518250298fc098bcebeb21af627bcb993e37688218a23cbd4feafeabee121f5382c16dd6715430005f551bc0e973

  • SSDEEP

    3072:3d+gsLMzdt9gN5+zrb5NYL2ae/XXbjcvoDxjHbP1PKYjZoVhawPCJTgXUBV8/Pkw:sLwX/1NYa/Xbjcv+JbP1PfloVhLPC

Score
10/10
nymaimtrojan

Malware Config

Extracted

Family

nymaim

C2

208.67.104.97

85.31.46.167

Signatures

  • NyMaim

    NyMaim is a malware with various capabilities written in C++ and first seen in 2013.

    trojannymaim
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 12 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 456
      2⤵
      • Program crash
      PID:4868
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 764
      2⤵
      • Program crash
      PID:4860
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 764
      2⤵
      • Program crash
      PID:1664
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 764
      2⤵
      • Program crash
      PID:1292
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 812
      2⤵
      • Program crash
      PID:3404
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 844
      2⤵
      • Program crash
      PID:1368
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1000
      2⤵
      • Program crash
      PID:1520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1152
      2⤵
      • Program crash
      PID:2352
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1416
      2⤵
      • Program crash
      PID:3824
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\JeO9x9q4\Cleaner.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Users\Admin\AppData\Local\Temp\JeO9x9q4\Cleaner.exe
        "C:\Users\Admin\AppData\Local\Temp\JeO9x9q4\Cleaner.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4112
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1428
      2⤵
      • Program crash
      PID:1608
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1672
      2⤵
      • Program crash
      PID:4392
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\file.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "file.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3880
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 468
      2⤵
      • Program crash
      PID:3276
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3092 -ip 3092
    1⤵
      PID:4764
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3092 -ip 3092
      1⤵
        PID:4892
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3092 -ip 3092
        1⤵
          PID:4648
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3092 -ip 3092
          1⤵
            PID:1412
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3092 -ip 3092
            1⤵
              PID:1068
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3092 -ip 3092
              1⤵
                PID:2312
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3092 -ip 3092
                1⤵
                  PID:2176
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3092 -ip 3092
                  1⤵
                    PID:224
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3092 -ip 3092
                    1⤵
                      PID:2736
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3092 -ip 3092
                      1⤵
                        PID:1800
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3092 -ip 3092
                        1⤵
                          PID:2084
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3092 -ip 3092
                          1⤵
                            PID:3360

                          Network

                          MITRE ATT&CK Matrix ATT&CK v6

                          Initial Access

                          Execution

                          Persistence

                          Privilege Escalation

                          Defense Evasion

                          Credential Access

                          Discovery

                          Query Registry

                          1
                          T1012

                          System Information Discovery

                          2
                          T1082

                          Lateral Movement

                          Collection

                          Exfiltration

                          Command and Control

                          Web Service

                          1
                          T1102

                          Impact

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\JeO9x9q4\Bunifu_UI_v1.5.3.dll
                            Filesize

                            236KB

                            MD5

                            2ecb51ab00c5f340380ecf849291dbcf

                            SHA1

                            1a4dffbce2a4ce65495ed79eab42a4da3b660931

                            SHA256

                            f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

                            SHA512

                            e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Temp\JeO9x9q4\Cleaner.exe
                            Filesize

                            3.8MB

                            MD5

                            23c1e8f48ec06960bbd9969c1f404192

                            SHA1

                            b9384151eb3f2dbd095fa273c248722e1cc74ea3

                            SHA256

                            301d9c55653f6cd8211aafdaf130092cb7ef8ea2e54db2db97153c1c8abf272c

                            SHA512

                            f572e3a0ad58b3a1ed22db00b05a3909f7f53f70b84ab736e2dd6ddc54d8781fcffe4a9b33b0dd2836d438a1982b944426fe4ed01bd866bd77e20046220f2b5b

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Temp\JeO9x9q4\Cleaner.exe
                            Filesize

                            3.8MB

                            MD5

                            23c1e8f48ec06960bbd9969c1f404192

                            SHA1

                            b9384151eb3f2dbd095fa273c248722e1cc74ea3

                            SHA256

                            301d9c55653f6cd8211aafdaf130092cb7ef8ea2e54db2db97153c1c8abf272c

                            SHA512

                            f572e3a0ad58b3a1ed22db00b05a3909f7f53f70b84ab736e2dd6ddc54d8781fcffe4a9b33b0dd2836d438a1982b944426fe4ed01bd866bd77e20046220f2b5b

                            Download Submit
                          • memory/3092-144-0x0000000000400000-0x00000000005A1000-memory.dmp
                            Filesize

                            1.6MB

                            Download
                          • memory/3092-133-0x00000000022F0000-0x000000000232F000-memory.dmp
                            Filesize

                            252KB

                            Download
                          • memory/3092-134-0x0000000000400000-0x00000000005A1000-memory.dmp
                            Filesize

                            1.6MB

                            Download
                          • memory/3092-132-0x0000000000679000-0x000000000069F000-memory.dmp
                            Filesize

                            152KB

                            Download
                          • memory/3092-152-0x0000000000400000-0x00000000005A1000-memory.dmp
                            Filesize

                            1.6MB

                            Download
                          • memory/3092-146-0x0000000010000000-0x000000001001B000-memory.dmp
                            Filesize

                            108KB

                            Download
                          • memory/3092-143-0x0000000000679000-0x000000000069F000-memory.dmp
                            Filesize

                            152KB

                            Download
                          • memory/3540-135-0x0000000000000000-mapping.dmp
                            Download
                          • memory/3880-151-0x0000000000000000-mapping.dmp
                            Download
                          • memory/4112-136-0x0000000000000000-mapping.dmp
                            Download
                          • memory/4112-145-0x00007FFE80CB0000-0x00007FFE81771000-memory.dmp
                            Filesize

                            10.8MB

                            Download
                          • memory/4112-142-0x00007FFE80CB0000-0x00007FFE81771000-memory.dmp
                            Filesize

                            10.8MB

                            Download
                          • memory/4112-141-0x0000015CA1340000-0x0000015CA1382000-memory.dmp
                            Filesize

                            264KB

                            Download
                          • memory/4112-139-0x0000015C85C20000-0x0000015C85DA0000-memory.dmp
                            Filesize

                            1.5MB

                            Download
                          • memory/5056-150-0x0000000000000000-mapping.dmp
                            Download