nymaim | e2a1eb1a796a01f682a93bbee4af254d89d14382099c56a8c0a5595d0b6e8600

General

Target

file.exe
Size

382KB
MD5

52e69b7edf5b0262a1a4758ac1e6b5be
SHA1

d528281b9bf09f76b06796a4152c458e0df3759e
SHA256

e2a1eb1a796a01f682a93bbee4af254d89d14382099c56a8c0a5595d0b6e8600
SHA512

584e5778766567a05379c382115bd3050893c1224cfeb0aac1c151b4de009e1c2fb806d9d9a5c4664768054bbd2ff2621353a0b0732512b8491be3657a97e91c
SSDEEP

6144:NvhFH9U6Qi9A73lTTR0toQxRGw3IATtO6280bfJigavwVfIx:NpIiAmtoMn3I4tO60wRx

Score

10^/10

nymaim trojan

Malware Config

Extracted

Family

nymaim

C2

208.67.104.97

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1536	Cleaner.exe

Deletes itself 1 IoCs

pid	Process
1012	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
304	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1476	1536	WerFault.exe	31

Kills process with taskkill 1 IoCs

evasion

pid	Process
440	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1204	file.exe
1204	file.exe
1204	file.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	Cleaner.exe
Token: SeDebugPrivilege	440	taskkill.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 304	1204	file.exe	29
PID 1204 wrote to memory of 304	1204	file.exe	29
PID 1204 wrote to memory of 304	1204	file.exe	29
PID 1204 wrote to memory of 304	1204	file.exe	29
PID 304 wrote to memory of 1536	304	cmd.exe	31
PID 304 wrote to memory of 1536	304	cmd.exe	31
PID 304 wrote to memory of 1536	304	cmd.exe	31
PID 304 wrote to memory of 1536	304	cmd.exe	31
PID 1536 wrote to memory of 1476	1536	Cleaner.exe	33
PID 1536 wrote to memory of 1476	1536	Cleaner.exe	33
PID 1536 wrote to memory of 1476	1536	Cleaner.exe	33
PID 1204 wrote to memory of 1012	1204	file.exe	34
PID 1204 wrote to memory of 1012	1204	file.exe	34
PID 1204 wrote to memory of 1012	1204	file.exe	34
PID 1204 wrote to memory of 1012	1204	file.exe	34
PID 1012 wrote to memory of 440	1012	cmd.exe	36
PID 1012 wrote to memory of 440	1012	cmd.exe	36
PID 1012 wrote to memory of 440	1012	cmd.exe	36
PID 1012 wrote to memory of 440	1012	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\tpAEorUzR8\Cleaner.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Users\Admin\AppData\Local\Temp\tpAEorUzR8\Cleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\tpAEorUzR8\Cleaner.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1536 -s 1156
      4⤵
      Program crash
      PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\file.exe" & exit
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "file.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tpAEorUzR8\Bunifu_UI_v1.5.3.dll

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpAEorUzR8\Cleaner.exe

Filesize
4.2MB

MD5
e89589df13ac2783f322449f63547468

SHA1
bd938f596e09e2ed04c3bc0f0ac68de71e04bcf6

SHA256
663a353b45ed8f3acd4abc429f519635c1cf1294e3b9af98ffe6b1d4937c0e8f

SHA512
9e0126975b32d022b6fe89d4681981e57ef1a3c6375ee2df131ce3527a3ad91c795d75302b78c8fc59651e9e20cebfd177b3278a87f45f8174f9e4ec09fc9cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpAEorUzR8\Cleaner.exe

Filesize
4.2MB

MD5
e89589df13ac2783f322449f63547468

SHA1
bd938f596e09e2ed04c3bc0f0ac68de71e04bcf6

SHA256
663a353b45ed8f3acd4abc429f519635c1cf1294e3b9af98ffe6b1d4937c0e8f

SHA512
9e0126975b32d022b6fe89d4681981e57ef1a3c6375ee2df131ce3527a3ad91c795d75302b78c8fc59651e9e20cebfd177b3278a87f45f8174f9e4ec09fc9cc6

Download Submit
\Users\Admin\AppData\Local\Temp\tpAEorUzR8\Cleaner.exe

Filesize
4.2MB

MD5
e89589df13ac2783f322449f63547468

SHA1
bd938f596e09e2ed04c3bc0f0ac68de71e04bcf6

SHA256
663a353b45ed8f3acd4abc429f519635c1cf1294e3b9af98ffe6b1d4937c0e8f

SHA512
9e0126975b32d022b6fe89d4681981e57ef1a3c6375ee2df131ce3527a3ad91c795d75302b78c8fc59651e9e20cebfd177b3278a87f45f8174f9e4ec09fc9cc6

Download Submit
memory/304-59-0x0000000000000000-mapping.dmp

Download
memory/440-78-0x0000000000000000-mapping.dmp

Download
memory/1012-75-0x0000000000000000-mapping.dmp

Download
memory/1204-69-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1204-71-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1204-58-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1204-55-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/1204-77-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1204-56-0x0000000000608000-0x000000000062F000-memory.dmp

Filesize
156KB

Download
memory/1204-76-0x0000000000608000-0x000000000062F000-memory.dmp

Filesize
156KB

Download
memory/1204-68-0x0000000000608000-0x000000000062F000-memory.dmp

Filesize
156KB

Download
memory/1204-54-0x0000000000608000-0x000000000062F000-memory.dmp

Filesize
156KB

Download
memory/1204-57-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1476-70-0x0000000000000000-mapping.dmp

Download
memory/1536-61-0x0000000000000000-mapping.dmp

Download
memory/1536-67-0x0000000000790000-0x00000000007D2000-memory.dmp

Filesize
264KB

Download
memory/1536-65-0x000007FEFB641000-0x000007FEFB643000-memory.dmp

Filesize
8KB

Download
memory/1536-64-0x0000000000030000-0x00000000001B2000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing