Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    05/10/2022, 19:32

General

  • Target

    file.exe

  • Size

    359KB

  • MD5

    b850cae79bd87b5fa5f3762fea7ac52b

  • SHA1

    4718c0c9f033471e21ea04e43cd0759761e21224

  • SHA256

    8319d37661855ed727fe99fb78a988300b4938e60f4003239ddadf910f4d0da3

  • SHA512

    ab27670ae2ac1c7bb72fef1ad4d776b41714c10661478839d878d19f8ad35556769c30d1d82f92f7bcc4e52a6fc8c912acf5ea0f12a3486efe71573194311de4

  • SSDEEP

    6144:lRTH+eLVVvJyJ5ysGNQm1sQw+z+xaYW3z5LYuzbgwuQR2QrZwVfUPk:vTXB/yJ5U1sl+2aYa5cunn2QTc

Score
10/10

Malware Config

Extracted

Family

nymaim

C2

208.67.104.97

85.31.46.167

Signatures

  • NyMaim

    NyMaim is a malware with various capabilities written in C++ and first seen in 2013.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe
        "C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1784 -s 1148
          4⤵
          • Program crash
          PID:1960
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\file.exe" & exit
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "file.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1568

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Bunifu_UI_v1.5.3.dll

    Filesize

    236KB

    MD5

    2ecb51ab00c5f340380ecf849291dbcf

    SHA1

    1a4dffbce2a4ce65495ed79eab42a4da3b660931

    SHA256

    f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

    SHA512

    e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

  • C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe

    Filesize

    2.4MB

    MD5

    79754768767380ef36ef446c6a1709e4

    SHA1

    2af83a6e20d7efc3119d312534b3f3968d17776e

    SHA256

    cd6bb6fdf80bec69630a61707383e6430463751463635f35fce42eb97daa7060

    SHA512

    6f88e9e5f5309ff1e87666a8066333660db37f85031db6dbfb28460700a31d303e140f8dd5fe0e71f2de01706ac7e1317b8a6fd2d992a47bdaa3bb591965f461

  • C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe

    Filesize

    2.4MB

    MD5

    79754768767380ef36ef446c6a1709e4

    SHA1

    2af83a6e20d7efc3119d312534b3f3968d17776e

    SHA256

    cd6bb6fdf80bec69630a61707383e6430463751463635f35fce42eb97daa7060

    SHA512

    6f88e9e5f5309ff1e87666a8066333660db37f85031db6dbfb28460700a31d303e140f8dd5fe0e71f2de01706ac7e1317b8a6fd2d992a47bdaa3bb591965f461

  • \Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe

    Filesize

    2.4MB

    MD5

    79754768767380ef36ef446c6a1709e4

    SHA1

    2af83a6e20d7efc3119d312534b3f3968d17776e

    SHA256

    cd6bb6fdf80bec69630a61707383e6430463751463635f35fce42eb97daa7060

    SHA512

    6f88e9e5f5309ff1e87666a8066333660db37f85031db6dbfb28460700a31d303e140f8dd5fe0e71f2de01706ac7e1317b8a6fd2d992a47bdaa3bb591965f461

  • memory/1784-65-0x0000000000C50000-0x0000000000DC2000-memory.dmp

    Filesize

    1.4MB

  • memory/1784-68-0x0000000000440000-0x0000000000482000-memory.dmp

    Filesize

    264KB

  • memory/1784-66-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

    Filesize

    8KB

  • memory/1996-59-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/1996-58-0x000000000055C000-0x0000000000582000-memory.dmp

    Filesize

    152KB

  • memory/1996-57-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/1996-54-0x0000000075281000-0x0000000075283000-memory.dmp

    Filesize

    8KB

  • memory/1996-70-0x0000000010000000-0x000000001001B000-memory.dmp

    Filesize

    108KB

  • memory/1996-55-0x000000000055C000-0x0000000000582000-memory.dmp

    Filesize

    152KB

  • memory/1996-75-0x000000000055C000-0x0000000000582000-memory.dmp

    Filesize

    152KB

  • memory/1996-76-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/1996-56-0x0000000000250000-0x000000000028F000-memory.dmp

    Filesize

    252KB