nymaim | e40f0c222b4e696c27be11d5250c3763f04e5c4e7f1525becd1ec11b333b4c5d

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26/09/2022, 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e40f0c222b4e696c27be11d5250c3763f04e5c4e7f1525becd1ec11b333b4c5d.exe
Size

2.5MB
MD5

d33f5c381c8a2dc544c313355ba4eb64
SHA1

a342afff06633cacdb904c28ec7b78a8bfd559fd
SHA256

e40f0c222b4e696c27be11d5250c3763f04e5c4e7f1525becd1ec11b333b4c5d
SHA512

77bd9d3a35129c392db6976279c32216e35e174a658fa03660b6a874391e3d048f640546eef2094fe5498d495726359581ba2c2a81775f66a23eeec397157417
SSDEEP

49152:AGdM6Fyam6/shkFP63zokMa5YY1ukGkF9JSjKpjLU4PRsZwYxWNFNg9zSsqOOKX:ddM8x/ukFyZ5F1uK/Jl84WZwY4NFNg97

Score

10^/10

nymaim discovery trojan

Malware Config

Extracted

Family

nymaim

208.67.104.97

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim

Executes dropped EXE 2 IoCs

pid	Process
2016	is-41K7G.tmp
1696	ccsearcher.exe

Loads dropped DLL 5 IoCs

pid	Process
1212	e40f0c222b4e696c27be11d5250c3763f04e5c4e7f1525becd1ec11b333b4c5d.exe
2016	is-41K7G.tmp
2016	is-41K7G.tmp
2016	is-41K7G.tmp
2016	is-41K7G.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ccSearcher\unins000.dat	is-41K7G.tmp
File created	C:\Program Files (x86)\ccSearcher\is-KNKKK.tmp	is-41K7G.tmp
File created	C:\Program Files (x86)\ccSearcher\is-MLPM2.tmp	is-41K7G.tmp
File created	C:\Program Files (x86)\ccSearcher\is-6NCGU.tmp	is-41K7G.tmp
File created	C:\Program Files (x86)\ccSearcher\is-BVBS5.tmp	is-41K7G.tmp
File created	C:\Program Files (x86)\ccSearcher\is-EQ11F.tmp	is-41K7G.tmp
File created	C:\Program Files (x86)\ccSearcher\is-5UKFQ.tmp	is-41K7G.tmp
File created	C:\Program Files (x86)\ccSearcher\is-A071Q.tmp	is-41K7G.tmp
File created	C:\Program Files (x86)\ccSearcher\is-FF2EU.tmp	is-41K7G.tmp
File created	C:\Program Files (x86)\ccSearcher\is-T8HQG.tmp	is-41K7G.tmp
File opened for modification	C:\Program Files (x86)\ccSearcher\unins000.dat	is-41K7G.tmp
File opened for modification	C:\Program Files (x86)\ccSearcher\ccsearcher.exe	is-41K7G.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1052	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	taskkill.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2016	1212	e40f0c222b4e696c27be11d5250c3763f04e5c4e7f1525becd1ec11b333b4c5d.exe	28
PID 1212 wrote to memory of 2016	1212	e40f0c222b4e696c27be11d5250c3763f04e5c4e7f1525becd1ec11b333b4c5d.exe	28
PID 1212 wrote to memory of 2016	1212	e40f0c222b4e696c27be11d5250c3763f04e5c4e7f1525becd1ec11b333b4c5d.exe	28
PID 1212 wrote to memory of 2016	1212	e40f0c222b4e696c27be11d5250c3763f04e5c4e7f1525becd1ec11b333b4c5d.exe	28
PID 1212 wrote to memory of 2016	1212	e40f0c222b4e696c27be11d5250c3763f04e5c4e7f1525becd1ec11b333b4c5d.exe	28
PID 1212 wrote to memory of 2016	1212	e40f0c222b4e696c27be11d5250c3763f04e5c4e7f1525becd1ec11b333b4c5d.exe	28
PID 1212 wrote to memory of 2016	1212	e40f0c222b4e696c27be11d5250c3763f04e5c4e7f1525becd1ec11b333b4c5d.exe	28
PID 2016 wrote to memory of 1696	2016	is-41K7G.tmp	29
PID 2016 wrote to memory of 1696	2016	is-41K7G.tmp	29
PID 2016 wrote to memory of 1696	2016	is-41K7G.tmp	29
PID 2016 wrote to memory of 1696	2016	is-41K7G.tmp	29
PID 1696 wrote to memory of 1120	1696	ccsearcher.exe	32
PID 1696 wrote to memory of 1120	1696	ccsearcher.exe	32
PID 1696 wrote to memory of 1120	1696	ccsearcher.exe	32
PID 1696 wrote to memory of 1120	1696	ccsearcher.exe	32
PID 1120 wrote to memory of 1052	1120	cmd.exe	34
PID 1120 wrote to memory of 1052	1120	cmd.exe	34
PID 1120 wrote to memory of 1052	1120	cmd.exe	34
PID 1120 wrote to memory of 1052	1120	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\e40f0c222b4e696c27be11d5250c3763f04e5c4e7f1525becd1ec11b333b4c5d.exe
"C:\Users\Admin\AppData\Local\Temp\e40f0c222b4e696c27be11d5250c3763f04e5c4e7f1525becd1ec11b333b4c5d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\is-QS314.tmp\is-41K7G.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QS314.tmp\is-41K7G.tmp" /SL4 $60120 "C:\Users\Admin\AppData\Local\Temp\e40f0c222b4e696c27be11d5250c3763f04e5c4e7f1525becd1ec11b333b4c5d.exe" 2324125 52736
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Program Files (x86)\ccSearcher\ccsearcher.exe
    "C:\Program Files (x86)\ccSearcher\ccsearcher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "ccsearcher.exe" /f & erase "C:\Program Files (x86)\ccSearcher\ccsearcher.exe" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "ccsearcher.exe" /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ccSearcher\ccsearcher.exe

Filesize
4.3MB

MD5
0545f55b7f65691c450919ee98e9c6b8

SHA1
c8f38ecdc90a4ce2b18f19f15a4e379a721d9a0f

SHA256
8338b9f05765b0ddb973eaf84159868e6a1389a0172ea70fd32e30f39cf2b3e8

SHA512
c9228888265f3bbdf846c5fb3b210ad85a494040bd28cd46f225b728d77b77c0a4a6428dfc1d724486ba955a75de1eabae4b6df64552a26318a6de0ab21b92a6

Download Submit
C:\Program Files (x86)\ccSearcher\ccsearcher.exe

Filesize
4.3MB

MD5
0545f55b7f65691c450919ee98e9c6b8

SHA1
c8f38ecdc90a4ce2b18f19f15a4e379a721d9a0f

SHA256
8338b9f05765b0ddb973eaf84159868e6a1389a0172ea70fd32e30f39cf2b3e8

SHA512
c9228888265f3bbdf846c5fb3b210ad85a494040bd28cd46f225b728d77b77c0a4a6428dfc1d724486ba955a75de1eabae4b6df64552a26318a6de0ab21b92a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QS314.tmp\is-41K7G.tmp

Filesize
658KB

MD5
fec7bff4c36a4303ade51e3ed704e708

SHA1
487c0f4af67e56a661b9f1d99515ff080db968c3

SHA256
0414eeff52f63cb32e508fe22c54aedb399e7a6baaab94a81081073dbe78c75f

SHA512
1267a0b954f3315b067883ff6ae8d599166ccfe35f1c7770e29f5f66a13650d4e1ae7f04c0b48e3da0875fb6c7127892f4a6ecd6214f43f6beb5013f55fe94d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QS314.tmp\is-41K7G.tmp

Filesize
658KB

MD5
fec7bff4c36a4303ade51e3ed704e708

SHA1
487c0f4af67e56a661b9f1d99515ff080db968c3

SHA256
0414eeff52f63cb32e508fe22c54aedb399e7a6baaab94a81081073dbe78c75f

SHA512
1267a0b954f3315b067883ff6ae8d599166ccfe35f1c7770e29f5f66a13650d4e1ae7f04c0b48e3da0875fb6c7127892f4a6ecd6214f43f6beb5013f55fe94d0

Download Submit
\Program Files (x86)\ccSearcher\ccsearcher.exe

Filesize
4.3MB

MD5
0545f55b7f65691c450919ee98e9c6b8

SHA1
c8f38ecdc90a4ce2b18f19f15a4e379a721d9a0f

SHA256
8338b9f05765b0ddb973eaf84159868e6a1389a0172ea70fd32e30f39cf2b3e8

SHA512
c9228888265f3bbdf846c5fb3b210ad85a494040bd28cd46f225b728d77b77c0a4a6428dfc1d724486ba955a75de1eabae4b6df64552a26318a6de0ab21b92a6

Download Submit
\Users\Admin\AppData\Local\Temp\is-6VJS6.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-6VJS6.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-6VJS6.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-QS314.tmp\is-41K7G.tmp

Filesize
658KB

MD5
fec7bff4c36a4303ade51e3ed704e708

SHA1
487c0f4af67e56a661b9f1d99515ff080db968c3

SHA256
0414eeff52f63cb32e508fe22c54aedb399e7a6baaab94a81081073dbe78c75f

SHA512
1267a0b954f3315b067883ff6ae8d599166ccfe35f1c7770e29f5f66a13650d4e1ae7f04c0b48e3da0875fb6c7127892f4a6ecd6214f43f6beb5013f55fe94d0

Download Submit
memory/1212-54-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/1212-55-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1212-69-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1212-77-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1696-73-0x0000000000400000-0x000000000164C000-memory.dmp

Filesize
18.3MB

Download
memory/1696-72-0x0000000000400000-0x000000000164C000-memory.dmp

Filesize
18.3MB

Download
memory/1696-71-0x0000000000400000-0x000000000164C000-memory.dmp

Filesize
18.3MB

Download
memory/1696-76-0x0000000000400000-0x000000000164C000-memory.dmp

Filesize
18.3MB

Download
memory/2016-70-0x0000000003230000-0x000000000447C000-memory.dmp

Filesize
18.3MB

Download