nymaim | 8319d37661855ed727fe99fb78a988300b4938e60f4003239ddadf910f4d0da3

General

Target

file.exe
Size

359KB
MD5

b850cae79bd87b5fa5f3762fea7ac52b
SHA1

4718c0c9f033471e21ea04e43cd0759761e21224
SHA256

8319d37661855ed727fe99fb78a988300b4938e60f4003239ddadf910f4d0da3
SHA512

ab27670ae2ac1c7bb72fef1ad4d776b41714c10661478839d878d19f8ad35556769c30d1d82f92f7bcc4e52a6fc8c912acf5ea0f12a3486efe71573194311de4
SSDEEP

6144:lRTH+eLVVvJyJ5ysGNQm1sQw+z+xaYW3z5LYuzbgwuQR2QrZwVfUPk:vTXB/yJ5U1sl+2aYa5cunn2QTc

Score

10^/10

nymaim trojan

Malware Config

Extracted

Family

nymaim

C2

208.67.104.97

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1784	Cleaner.exe

Deletes itself 1 IoCs

pid	Process
1256	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
824	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1960	1784	WerFault.exe	32

Kills process with taskkill 1 IoCs

evasion

pid	Process
1568	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1996	file.exe
1996	file.exe
1996	file.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1996	file.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	Cleaner.exe
Token: SeDebugPrivilege	1568	taskkill.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 824	1996	file.exe	30
PID 1996 wrote to memory of 824	1996	file.exe	30
PID 1996 wrote to memory of 824	1996	file.exe	30
PID 1996 wrote to memory of 824	1996	file.exe	30
PID 824 wrote to memory of 1784	824	cmd.exe	32
PID 824 wrote to memory of 1784	824	cmd.exe	32
PID 824 wrote to memory of 1784	824	cmd.exe	32
PID 824 wrote to memory of 1784	824	cmd.exe	32
PID 1784 wrote to memory of 1960	1784	Cleaner.exe	34
PID 1784 wrote to memory of 1960	1784	Cleaner.exe	34
PID 1784 wrote to memory of 1960	1784	Cleaner.exe	34
PID 1996 wrote to memory of 1256	1996	file.exe	35
PID 1996 wrote to memory of 1256	1996	file.exe	35
PID 1996 wrote to memory of 1256	1996	file.exe	35
PID 1996 wrote to memory of 1256	1996	file.exe	35
PID 1256 wrote to memory of 1568	1256	cmd.exe	37
PID 1256 wrote to memory of 1568	1256	cmd.exe	37
PID 1256 wrote to memory of 1568	1256	cmd.exe	37
PID 1256 wrote to memory of 1568	1256	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1784 -s 1148
      4⤵
      Program crash
      PID:1960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\file.exe" & exit
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "file.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Bunifu_UI_v1.5.3.dll

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe

Filesize
2.4MB

MD5
79754768767380ef36ef446c6a1709e4

SHA1
2af83a6e20d7efc3119d312534b3f3968d17776e

SHA256
cd6bb6fdf80bec69630a61707383e6430463751463635f35fce42eb97daa7060

SHA512
6f88e9e5f5309ff1e87666a8066333660db37f85031db6dbfb28460700a31d303e140f8dd5fe0e71f2de01706ac7e1317b8a6fd2d992a47bdaa3bb591965f461

Download Submit
C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe

Filesize
2.4MB

MD5
79754768767380ef36ef446c6a1709e4

SHA1
2af83a6e20d7efc3119d312534b3f3968d17776e

SHA256
cd6bb6fdf80bec69630a61707383e6430463751463635f35fce42eb97daa7060

SHA512
6f88e9e5f5309ff1e87666a8066333660db37f85031db6dbfb28460700a31d303e140f8dd5fe0e71f2de01706ac7e1317b8a6fd2d992a47bdaa3bb591965f461

Download Submit
\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe

Filesize
2.4MB

MD5
79754768767380ef36ef446c6a1709e4

SHA1
2af83a6e20d7efc3119d312534b3f3968d17776e

SHA256
cd6bb6fdf80bec69630a61707383e6430463751463635f35fce42eb97daa7060

SHA512
6f88e9e5f5309ff1e87666a8066333660db37f85031db6dbfb28460700a31d303e140f8dd5fe0e71f2de01706ac7e1317b8a6fd2d992a47bdaa3bb591965f461

Download Submit
memory/1784-65-0x0000000000C50000-0x0000000000DC2000-memory.dmp

Filesize
1.4MB

Download
memory/1784-68-0x0000000000440000-0x0000000000482000-memory.dmp

Filesize
264KB

Download
memory/1784-66-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1996-59-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1996-58-0x000000000055C000-0x0000000000582000-memory.dmp

Filesize
152KB

Download
memory/1996-57-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1996-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1996-70-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1996-55-0x000000000055C000-0x0000000000582000-memory.dmp

Filesize
152KB

Download
memory/1996-75-0x000000000055C000-0x0000000000582000-memory.dmp

Filesize
152KB

Download
memory/1996-76-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1996-56-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing