Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    38s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-10-2022 04:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    336KB

  • MD5

    dd0ca0a8da1c8fb72b1ad80dc78c3ed2

  • SHA1

    616f2bc9d06cbd7a1a1a88298c7eb71ec1d67a01

  • SHA256

    29819b55e60be88f80f634504f1981e9a6694aa8c8c9d190f6d7b539a292e7e1

  • SHA512

    96d7707adcbc1364e345e23420435bec9c83f1a50a886b5018e71e2758b305ba15692632747701558a24625719f7e8e1d9ce6ea8d4f469b1ff9a4767a905b012

  • SSDEEP

    6144:gk4KHPL+kIvbbucJ+pjzqyYf58JsUQ5xetReNfCTj:gk4KHPKHvnucJuBo0sv5xetiqTj

Score
10/10
nymaimtrojan

Malware Config

Extracted

Family

nymaim

C2

45.139.105.171

85.31.46.167

Signatures

  • NyMaim

    NyMaim is a malware with various capabilities written in C++ and first seen in 2013.

    trojannymaim
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\file.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "file.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:912

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1688-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1688-56-0x0000000000250000-0x0000000000290000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1688-55-0x0000000002DFA000-0x0000000002E20000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1688-57-0x0000000000400000-0x0000000002C41000-memory.dmp

    Filesize

    40.3MB

    Download

  • memory/1688-59-0x0000000002DFA000-0x0000000002E20000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1688-61-0x0000000000400000-0x0000000002C41000-memory.dmp

    Filesize

    40.3MB

    Download