nymaim | 5d59918ce4a82077f71fa248bf45aea8b1937adbbafd5cf0d1c518799007acfb

General

Target

file.exe
Size

220KB
MD5

5ad8f4a88035e5e94787e34004b0e58c
SHA1

998908ccbf798430c268c4f4ff2fd5c8db07c142
SHA256

5d59918ce4a82077f71fa248bf45aea8b1937adbbafd5cf0d1c518799007acfb
SHA512

5b6945ac9c6f961fa289fb31b198a5a651c72b139f76b708fdb98c1eedc0df9eb5368f87f573254d0a1f7051f333dd6143a5e0672cf1d1c5a82dd416fb1e6a24
SSDEEP

3072:9BbhegORVLV/xlGqg56+Ua3WWakts8DH/RMt03IXCmYvRGe31kntVP+paM5utMHl:9ehJl0GaNDhetEyCHvRGeFwPBIuS

Score

10^/10

nymaim trojan

Malware Config

Extracted

Family

nymaim

C2

208.67.104.97

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

Cleaner.exe

pid process

708 Cleaner.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2004 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1716 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
708	Cleaner.exe

pid	process
2004	cmd.exe

pid	process
1716	cmd.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\cmHO5jLZY\Cleaner.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\cmHO5jLZY\Cleaner.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\cmHO5jLZY\Cleaner.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1316 708 WerFault.exe Cleaner.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1556 taskkill.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

file.exe

pid process

1552 file.exe
1552 file.exe
1552 file.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Cleaner.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 708 Cleaner.exe
Token: SeDebugPrivilege 1556 taskkill.exe

pid	pid_target	process	target process
1316	708	WerFault.exe	Cleaner.exe

pid	process
1556	taskkill.exe

pid	process
1552	file.exe
1552	file.exe
1552	file.exe

description	pid	process
Token: SeDebugPrivilege	708	Cleaner.exe
Token: SeDebugPrivilege	1556	taskkill.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

file.execmd.exeCleaner.execmd.exe

description	pid	process	target process
PID 1552 wrote to memory of 1716	1552	file.exe	cmd.exe
PID 1552 wrote to memory of 1716	1552	file.exe	cmd.exe
PID 1552 wrote to memory of 1716	1552	file.exe	cmd.exe
PID 1552 wrote to memory of 1716	1552	file.exe	cmd.exe
PID 1716 wrote to memory of 708	1716	cmd.exe	Cleaner.exe
PID 1716 wrote to memory of 708	1716	cmd.exe	Cleaner.exe
PID 1716 wrote to memory of 708	1716	cmd.exe	Cleaner.exe
PID 1716 wrote to memory of 708	1716	cmd.exe	Cleaner.exe
PID 708 wrote to memory of 1316	708	Cleaner.exe	WerFault.exe
PID 708 wrote to memory of 1316	708	Cleaner.exe	WerFault.exe
PID 708 wrote to memory of 1316	708	Cleaner.exe	WerFault.exe
PID 1552 wrote to memory of 2004	1552	file.exe	cmd.exe
PID 1552 wrote to memory of 2004	1552	file.exe	cmd.exe
PID 1552 wrote to memory of 2004	1552	file.exe	cmd.exe
PID 1552 wrote to memory of 2004	1552	file.exe	cmd.exe
PID 2004 wrote to memory of 1556	2004	cmd.exe	taskkill.exe
PID 2004 wrote to memory of 1556	2004	cmd.exe	taskkill.exe
PID 2004 wrote to memory of 1556	2004	cmd.exe	taskkill.exe
PID 2004 wrote to memory of 1556	2004	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\cmHO5jLZY\Cleaner.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\cmHO5jLZY\Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\cmHO5jLZY\Cleaner.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 708 -s 1148
4⤵
- Program crash
PID:1316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\file.exe" & exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "file.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmHO5jLZY\Bunifu_UI_v1.5.3.dll
Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmHO5jLZY\Cleaner.exe
Filesize
3.8MB

MD5
04514bd4962f7d60679434e0ebe49184

SHA1
1493a5447eb8156a7d7aecff60ee8bfba2209526

SHA256
c394b068aa87264419f60838a8812b750e67cf93f2494c62b9078c3708072568

SHA512
a71c7ed5dfdda22f095dc99b16e8342a42e3361be16e0241dbf8983dd0d5f6e90eb0299aac1815cf78ad3a9f15fa89b42b720b7f818ee5f502300f102ef4c93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmHO5jLZY\Cleaner.exe
Filesize
3.8MB

MD5
04514bd4962f7d60679434e0ebe49184

SHA1
1493a5447eb8156a7d7aecff60ee8bfba2209526

SHA256
c394b068aa87264419f60838a8812b750e67cf93f2494c62b9078c3708072568

SHA512
a71c7ed5dfdda22f095dc99b16e8342a42e3361be16e0241dbf8983dd0d5f6e90eb0299aac1815cf78ad3a9f15fa89b42b720b7f818ee5f502300f102ef4c93e

Download Submit
\Users\Admin\AppData\Local\Temp\cmHO5jLZY\Cleaner.exe
Filesize
3.8MB

MD5
04514bd4962f7d60679434e0ebe49184

SHA1
1493a5447eb8156a7d7aecff60ee8bfba2209526

SHA256
c394b068aa87264419f60838a8812b750e67cf93f2494c62b9078c3708072568

SHA512
a71c7ed5dfdda22f095dc99b16e8342a42e3361be16e0241dbf8983dd0d5f6e90eb0299aac1815cf78ad3a9f15fa89b42b720b7f818ee5f502300f102ef4c93e

Download Submit
memory/708-64-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp

Filesize
8KB

Download
memory/708-63-0x00000000012E0000-0x0000000001436000-memory.dmp

Filesize
1.3MB

Download
memory/708-60-0x0000000000000000-mapping.dmp

Download
memory/708-66-0x0000000001200000-0x0000000001242000-memory.dmp

Filesize
264KB

Download
memory/1316-69-0x0000000000000000-mapping.dmp

Download
memory/1552-55-0x000000000073D000-0x0000000000764000-memory.dmp

Filesize
156KB

Download
memory/1552-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1552-56-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1552-67-0x000000000073D000-0x0000000000764000-memory.dmp

Filesize
156KB

Download
memory/1552-68-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/1552-57-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/1552-70-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1552-75-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/1556-76-0x0000000000000000-mapping.dmp

Download
memory/1716-58-0x0000000000000000-mapping.dmp

Download
memory/2004-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing