nymaim | 9d10e07c176205bf5f93eb73dff3c55380729cd1f9c96f529021b9ea1a0a176f

Analysis

max time kernel
102s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2022, 17:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

415KB
MD5

db1bbc9f436acca9319999f8a11000ba
SHA1

618a457d6a6b7224b67e257ad3b5892475074344
SHA256

9d10e07c176205bf5f93eb73dff3c55380729cd1f9c96f529021b9ea1a0a176f
SHA512

ca06cec40edf23a24e96b6de7a270072d9a2e28e1f1183484d93c1ddf8c45cd35a96fe5b3e0ff76a986dce84d77302a5d7ca9fba87b0b084c6dce7468b1c6450
SSDEEP

6144:IWIQGkkeHDxtOoPSyIFuYybRZtcVSDGWUFjkn0GknigabwVfs:IWIQ+eHDxtzPSyIFuYybREVSBUZXXiB

Score

10^/10

nymaim trojan

Malware Config

Extracted

Family

nymaim

208.67.104.97

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4124	Cleaner.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	file.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
1944	4636	WerFault.exe	82
4172	4636	WerFault.exe	82
4076	4636	WerFault.exe	82
4236	4636	WerFault.exe	82
3440	4636	WerFault.exe	82
224	4636	WerFault.exe	82
1180	4636	WerFault.exe	82
4660	4636	WerFault.exe	82
3828	4636	WerFault.exe	82
5108	4636	WerFault.exe	82
1984	4636	WerFault.exe	82
2068	4636	WerFault.exe	82

Kills process with taskkill 1 IoCs

evasion

pid	Process
4284	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4636	file.exe
4636	file.exe
4636	file.exe
4636	file.exe
4636	file.exe
4636	file.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4636	file.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4124	Cleaner.exe
Token: SeDebugPrivilege	4284	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 4104	4636	file.exe	107
PID 4636 wrote to memory of 4104	4636	file.exe	107
PID 4636 wrote to memory of 4104	4636	file.exe	107
PID 4104 wrote to memory of 4124	4104	cmd.exe	109
PID 4104 wrote to memory of 4124	4104	cmd.exe	109
PID 4636 wrote to memory of 4432	4636	file.exe	118
PID 4636 wrote to memory of 4432	4636	file.exe	118
PID 4636 wrote to memory of 4432	4636	file.exe	118
PID 4432 wrote to memory of 4284	4432	cmd.exe	122
PID 4432 wrote to memory of 4284	4432	cmd.exe	122
PID 4432 wrote to memory of 4284	4432	cmd.exe	122

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 452
  2⤵
  - Program crash
  PID:1944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 764
  2⤵
  - Program crash
  PID:4172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 784
  2⤵
  - Program crash
  PID:4076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 784
  2⤵
  - Program crash
  PID:4236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 836
  2⤵
  - Program crash
  PID:3440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 928
  2⤵
  - Program crash
  PID:224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1020
  2⤵
  - Program crash
  PID:1180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1144
  2⤵
  - Program crash
  PID:4660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1392
  2⤵
  - Program crash
  PID:3828
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\biXrB367kR9wYWwOFzJooG2WW\Cleaner.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\biXrB367kR9wYWwOFzJooG2WW\Cleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\biXrB367kR9wYWwOFzJooG2WW\Cleaner.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1428
  2⤵
  - Program crash
  PID:5108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1776
  2⤵
  - Program crash
  PID:1984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\file.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "file.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 496
  2⤵
  - Program crash
  PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4636 -ip 4636
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4636 -ip 4636
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4636 -ip 4636
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4636 -ip 4636
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4636 -ip 4636
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4636 -ip 4636
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4636 -ip 4636
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4636 -ip 4636
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4636 -ip 4636
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4636 -ip 4636
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4636 -ip 4636
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4636 -ip 4636
1⤵
PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biXrB367kR9wYWwOFzJooG2WW\Bunifu_UI_v1.5.3.dll

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\biXrB367kR9wYWwOFzJooG2WW\Cleaner.exe

Filesize
4.2MB

MD5
e89589df13ac2783f322449f63547468

SHA1
bd938f596e09e2ed04c3bc0f0ac68de71e04bcf6

SHA256
663a353b45ed8f3acd4abc429f519635c1cf1294e3b9af98ffe6b1d4937c0e8f

SHA512
9e0126975b32d022b6fe89d4681981e57ef1a3c6375ee2df131ce3527a3ad91c795d75302b78c8fc59651e9e20cebfd177b3278a87f45f8174f9e4ec09fc9cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\biXrB367kR9wYWwOFzJooG2WW\Cleaner.exe

Filesize
4.2MB

MD5
e89589df13ac2783f322449f63547468

SHA1
bd938f596e09e2ed04c3bc0f0ac68de71e04bcf6

SHA256
663a353b45ed8f3acd4abc429f519635c1cf1294e3b9af98ffe6b1d4937c0e8f

SHA512
9e0126975b32d022b6fe89d4681981e57ef1a3c6375ee2df131ce3527a3ad91c795d75302b78c8fc59651e9e20cebfd177b3278a87f45f8174f9e4ec09fc9cc6

Download Submit
memory/4124-142-0x00007FFAA23E0000-0x00007FFAA2EA1000-memory.dmp

Filesize
10.8MB

Download
memory/4124-139-0x0000025B20380000-0x0000025B20502000-memory.dmp

Filesize
1.5MB

Download
memory/4124-145-0x00007FFAA23E0000-0x00007FFAA2EA1000-memory.dmp

Filesize
10.8MB

Download
memory/4124-141-0x0000025B22080000-0x0000025B220C2000-memory.dmp

Filesize
264KB

Download
memory/4636-143-0x000000000072F000-0x0000000000756000-memory.dmp

Filesize
156KB

Download
memory/4636-144-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4636-134-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4636-146-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/4636-133-0x00000000021E0000-0x000000000221F000-memory.dmp

Filesize
252KB

Download
memory/4636-132-0x000000000072F000-0x0000000000756000-memory.dmp

Filesize
156KB

Download
memory/4636-152-0x000000000072F000-0x0000000000756000-memory.dmp

Filesize
156KB

Download
memory/4636-153-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download