Overview

overview

10

Static

static

014445a124...4d.exe

windows7-x64

10

014445a124...4d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-10-2022 21:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    014445a124470594d7a5dd08add6829113337b2923d8ebd730fcb4b5f551954d.exe

  • Size

    305KB

  • MD5

    a39bd865d6df97f9f541a76ff327ef72

  • SHA1

    e9d5703070f46de97465e91453da6bb9cdd30862

  • SHA256

    014445a124470594d7a5dd08add6829113337b2923d8ebd730fcb4b5f551954d

  • SHA512

    d79e1c8b7d1534fa0080511e8748590831ac016fa908c05e5cd97837ef4c5ff981f83445a36acddf787fda554e6586f00ca6c37a9f651f5421d03322b9c0bd12

  • SSDEEP

    6144:7STmTNLwS0eZbNFsFhZSf3H2wNffWMGsRXcTG1Y4:7STCNMpezgEH2wN3JGrc

Score
10/10
nymaimtrojan

Malware Config

Extracted

Family

nymaim

C2

45.139.105.171

85.31.46.167

Signatures

  • NyMaim

    NyMaim is a malware with various capabilities written in C++ and first seen in 2013.

    trojannymaim
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 10 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\014445a124470594d7a5dd08add6829113337b2923d8ebd730fcb4b5f551954d.exe
    "C:\Users\Admin\AppData\Local\Temp\014445a124470594d7a5dd08add6829113337b2923d8ebd730fcb4b5f551954d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 456
      2⤵
      • Program crash
      PID:4872
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 772
      2⤵
      • Program crash
      PID:1132
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 780
      2⤵
      • Program crash
      PID:2500
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 824
      2⤵
      • Program crash
      PID:4212
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 780
      2⤵
      • Program crash
      PID:912
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 928
      2⤵
      • Program crash
      PID:116
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1004
      2⤵
      • Program crash
      PID:4328
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1032
      2⤵
      • Program crash
      PID:2740
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1384
      2⤵
      • Program crash
      PID:3056
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "014445a124470594d7a5dd08add6829113337b2923d8ebd730fcb4b5f551954d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\014445a124470594d7a5dd08add6829113337b2923d8ebd730fcb4b5f551954d.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "014445a124470594d7a5dd08add6829113337b2923d8ebd730fcb4b5f551954d.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3132
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1408
      2⤵
      • Program crash
      PID:3240
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 3144 -ip 3144
    1⤵
      PID:4880
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3144 -ip 3144
      1⤵
        PID:4612
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3144 -ip 3144
        1⤵
          PID:836
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3144 -ip 3144
          1⤵
            PID:1392
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3144 -ip 3144
            1⤵
              PID:1776
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3144 -ip 3144
              1⤵
                PID:396
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3144 -ip 3144
                1⤵
                  PID:4256
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3144 -ip 3144
                  1⤵
                    PID:3460
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3144 -ip 3144
                    1⤵
                      PID:4480
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3144 -ip 3144
                      1⤵
                        PID:3532

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/3144-132-0x0000000000768000-0x000000000078F000-memory.dmp

                        Filesize

                        156KB

                        Download

                      • memory/3144-133-0x0000000000700000-0x0000000000740000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/3144-134-0x0000000000400000-0x00000000005AA000-memory.dmp

                        Filesize

                        1.7MB

                        Download

                      • memory/3144-135-0x0000000000768000-0x000000000078F000-memory.dmp

                        Filesize

                        156KB

                        Download

                      • memory/3144-136-0x0000000000400000-0x00000000005AA000-memory.dmp

                        Filesize

                        1.7MB

                        Download

                      • memory/3144-139-0x0000000000768000-0x000000000078F000-memory.dmp

                        Filesize

                        156KB

                        Download

                      • memory/3144-140-0x0000000000400000-0x00000000005AA000-memory.dmp

                        Filesize

                        1.7MB

                        Download