nymaim | 15271b6b7836bc5c845d9facc43f97a4503f8f65948ff7d5c0e8aca93d753ac8

Analysis

max time kernel
103s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2022, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

233KB
MD5

5958b7aa607850c6adadedb29dbb9aa9
SHA1

9c55f1242cbe3f63c98d32a7c8c3f7a94693dbe7
SHA256

15271b6b7836bc5c845d9facc43f97a4503f8f65948ff7d5c0e8aca93d753ac8
SHA512

be1c2578771b2ac6043261178a851278754c3bab02a30ae55178cdc9f75c1ab7e8251880ded629fcc246a9cd90c2410d6cbfe16980b8eaa78ac1d0a9fe7a9ab6
SSDEEP

3072:skOI4o++PFyMzlLi174dus0sQ5AQK53gvQADoq0NIVN40tUd2beRi/725898O:TCUo74xIZDolNIDrtY2sij25898

Score

10^/10

nymaim trojan

Malware Config

Extracted

Family

nymaim

208.67.104.97

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4668	Cleaner.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	file.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
4360	3340	WerFault.exe	80
4564	3340	WerFault.exe	80
2460	3340	WerFault.exe	80
4476	3340	WerFault.exe	80
1928	3340	WerFault.exe	80
3724	3340	WerFault.exe	80
4048	3340	WerFault.exe	80
2212	3340	WerFault.exe	80
912	3340	WerFault.exe	80
5064	3340	WerFault.exe	80
1980	3340	WerFault.exe	80
4504	3340	WerFault.exe	80

Kills process with taskkill 1 IoCs

evasion

pid	Process
3184	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3340	file.exe
3340	file.exe
3340	file.exe
3340	file.exe
3340	file.exe
3340	file.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3340	file.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	Cleaner.exe
Token: SeDebugPrivilege	3184	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 3940	3340	file.exe	107
PID 3340 wrote to memory of 3940	3340	file.exe	107
PID 3340 wrote to memory of 3940	3340	file.exe	107
PID 3940 wrote to memory of 4668	3940	cmd.exe	109
PID 3940 wrote to memory of 4668	3940	cmd.exe	109
PID 3340 wrote to memory of 3464	3340	file.exe	117
PID 3340 wrote to memory of 3464	3340	file.exe	117
PID 3340 wrote to memory of 3464	3340	file.exe	117
PID 3464 wrote to memory of 3184	3464	cmd.exe	121
PID 3464 wrote to memory of 3184	3464	cmd.exe	121
PID 3464 wrote to memory of 3184	3464	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 452
  2⤵
  - Program crash
  PID:4360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 772
  2⤵
  - Program crash
  PID:4564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 804
  2⤵
  - Program crash
  PID:2460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 804
  2⤵
  - Program crash
  PID:4476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 760
  2⤵
  - Program crash
  PID:1928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 936
  2⤵
  - Program crash
  PID:3724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1020
  2⤵
  - Program crash
  PID:4048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1088
  2⤵
  - Program crash
  PID:2212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1352
  2⤵
  - Program crash
  PID:912
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\uQwf3GsNcCmPgIzF4OQdXb\Cleaner.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Users\Admin\AppData\Local\Temp\uQwf3GsNcCmPgIzF4OQdXb\Cleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\uQwf3GsNcCmPgIzF4OQdXb\Cleaner.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1404
  2⤵
  - Program crash
  PID:5064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1768
  2⤵
  - Program crash
  PID:1980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\file.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "file.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 460
  2⤵
  - Program crash
  PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3340 -ip 3340
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3340 -ip 3340
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3340 -ip 3340
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3340 -ip 3340
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3340 -ip 3340
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3340 -ip 3340
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3340 -ip 3340
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3340 -ip 3340
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3340 -ip 3340
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3340 -ip 3340
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3340 -ip 3340
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3340 -ip 3340
1⤵
PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uQwf3GsNcCmPgIzF4OQdXb\Bunifu_UI_v1.5.3.dll

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQwf3GsNcCmPgIzF4OQdXb\Cleaner.exe

Filesize
2.4MB

MD5
79754768767380ef36ef446c6a1709e4

SHA1
2af83a6e20d7efc3119d312534b3f3968d17776e

SHA256
cd6bb6fdf80bec69630a61707383e6430463751463635f35fce42eb97daa7060

SHA512
6f88e9e5f5309ff1e87666a8066333660db37f85031db6dbfb28460700a31d303e140f8dd5fe0e71f2de01706ac7e1317b8a6fd2d992a47bdaa3bb591965f461

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQwf3GsNcCmPgIzF4OQdXb\Cleaner.exe

Filesize
2.4MB

MD5
79754768767380ef36ef446c6a1709e4

SHA1
2af83a6e20d7efc3119d312534b3f3968d17776e

SHA256
cd6bb6fdf80bec69630a61707383e6430463751463635f35fce42eb97daa7060

SHA512
6f88e9e5f5309ff1e87666a8066333660db37f85031db6dbfb28460700a31d303e140f8dd5fe0e71f2de01706ac7e1317b8a6fd2d992a47bdaa3bb591965f461

Download Submit
memory/3340-132-0x000000000087D000-0x00000000008A3000-memory.dmp

Filesize
152KB

Download
memory/3340-134-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3340-152-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3340-133-0x0000000002300000-0x000000000233F000-memory.dmp

Filesize
252KB

Download
memory/3340-146-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/3340-142-0x000000000087D000-0x00000000008A3000-memory.dmp

Filesize
152KB

Download
memory/3340-143-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4668-145-0x00007FFDB54F0000-0x00007FFDB5FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4668-144-0x00007FFDB54F0000-0x00007FFDB5FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4668-141-0x0000014F384F0000-0x0000014F38532000-memory.dmp

Filesize
264KB

Download
memory/4668-139-0x0000014F37FA0000-0x0000014F38112000-memory.dmp

Filesize
1.4MB

Download