nymaim | 6df352dd4918bb63a41c5ed87c84f4353cb0bb85c4ffcbcc4c0efbbf5a8c855a

General

Target

file.exe
Size

2.3MB
MD5

8908cfb327b12b8fd699031277c5f2b0
SHA1

0ecccd35b799fce36afeed9ac4c15bcf03b49a18
SHA256

6df352dd4918bb63a41c5ed87c84f4353cb0bb85c4ffcbcc4c0efbbf5a8c855a
SHA512

7fea2bb9c4e5ad26c52d17799d3d15e55952c3c3c05973b098fac0f766dc6e83ac3b2644904686bfca03ab813ffb262eb3c6f55e9e62f522df1aa73d446195e6
SSDEEP

49152:Z2NMLnl+rMdnASJWevDPNDOtMGfCPBxfb7nBWsQnA5hq:MNyLnAyWevD1DOuP7fbFQADq

Score

10^/10

nymaim discovery trojan

Malware Config

Extracted

Family

nymaim

C2

45.139.105.171

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim

Executes dropped EXE 3 IoCs

pid	Process
2508	is-VKMKD.tmp
3028	fhsearcher65.exe
1384	BCUAVaXQ.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fhsearcher65.exe

Loads dropped DLL 1 IoCs

pid	Process
2508	is-VKMKD.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\fhSearcher\is-9HBER.tmp	is-VKMKD.tmp
File opened for modification	C:\Program Files (x86)\fhSearcher\unins000.dat	is-VKMKD.tmp
File created	C:\Program Files (x86)\fhSearcher\is-81I0D.tmp	is-VKMKD.tmp
File created	C:\Program Files (x86)\fhSearcher\is-UT1RU.tmp	is-VKMKD.tmp
File created	C:\Program Files (x86)\fhSearcher\is-D5KH5.tmp	is-VKMKD.tmp
File created	C:\Program Files (x86)\fhSearcher\is-8NIPE.tmp	is-VKMKD.tmp
File created	C:\Program Files (x86)\fhSearcher\is-MOII3.tmp	is-VKMKD.tmp
File created	C:\Program Files (x86)\fhSearcher\unins000.dat	is-VKMKD.tmp
File created	C:\Program Files (x86)\fhSearcher\is-3T3AN.tmp	is-VKMKD.tmp
File created	C:\Program Files (x86)\fhSearcher\is-SSR9I.tmp	is-VKMKD.tmp
File created	C:\Program Files (x86)\fhSearcher\is-QQMQ6.tmp	is-VKMKD.tmp
File opened for modification	C:\Program Files (x86)\fhSearcher\fhsearcher65.exe	is-VKMKD.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
3380	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3028	fhsearcher65.exe
3028	fhsearcher65.exe
3028	fhsearcher65.exe
3028	fhsearcher65.exe
3028	fhsearcher65.exe
3028	fhsearcher65.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3380	taskkill.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2508	1780	file.exe	83
PID 1780 wrote to memory of 2508	1780	file.exe	83
PID 1780 wrote to memory of 2508	1780	file.exe	83
PID 2508 wrote to memory of 3028	2508	is-VKMKD.tmp	84
PID 2508 wrote to memory of 3028	2508	is-VKMKD.tmp	84
PID 2508 wrote to memory of 3028	2508	is-VKMKD.tmp	84
PID 3028 wrote to memory of 1384	3028	fhsearcher65.exe	85
PID 3028 wrote to memory of 1384	3028	fhsearcher65.exe	85
PID 3028 wrote to memory of 1384	3028	fhsearcher65.exe	85
PID 3028 wrote to memory of 4852	3028	fhsearcher65.exe	93
PID 3028 wrote to memory of 4852	3028	fhsearcher65.exe	93
PID 3028 wrote to memory of 4852	3028	fhsearcher65.exe	93
PID 4852 wrote to memory of 3380	4852	cmd.exe	95
PID 4852 wrote to memory of 3380	4852	cmd.exe	95
PID 4852 wrote to memory of 3380	4852	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\is-FR00D.tmp\is-VKMKD.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FR00D.tmp\is-VKMKD.tmp" /SL4 $901C2 "C:\Users\Admin\AppData\Local\Temp\file.exe" 2176340 52736
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Program Files (x86)\fhSearcher\fhsearcher65.exe
    "C:\Program Files (x86)\fhSearcher\fhsearcher65.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Roaming\{d6dc608d-2a27-11ed-a0e3-806e6f6e6963}\BCUAVaXQ.exe
      4⤵
      Executes dropped EXE
      PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "fhsearcher65.exe" /f & erase "C:\Program Files (x86)\fhSearcher\fhsearcher65.exe" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "fhsearcher65.exe" /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\fhSearcher\fhsearcher65.exe

Filesize
3.4MB

MD5
1db6b6e6ff6b3af87c42592a3cf6a625

SHA1
935bd3d92956a10ed92de273cd47b17bb7b13972

SHA256
8a880b77873d8be622cea5c080217504d7ab944994ed0675eab0f22cf8d50f5c

SHA512
e5be303706385e39bd6428f1150c9b31046bf1a5dd880a38f2cb8b1b38fd84ef1facc8a29aeeb15c08b2df5f3cbf10da5843be0de9d0a3f5fd2d53311cd3fff4

Download Submit
C:\Program Files (x86)\fhSearcher\fhsearcher65.exe

Filesize
3.4MB

MD5
1db6b6e6ff6b3af87c42592a3cf6a625

SHA1
935bd3d92956a10ed92de273cd47b17bb7b13972

SHA256
8a880b77873d8be622cea5c080217504d7ab944994ed0675eab0f22cf8d50f5c

SHA512
e5be303706385e39bd6428f1150c9b31046bf1a5dd880a38f2cb8b1b38fd84ef1facc8a29aeeb15c08b2df5f3cbf10da5843be0de9d0a3f5fd2d53311cd3fff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2I956.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FR00D.tmp\is-VKMKD.tmp

Filesize
657KB

MD5
7cd12c54a9751ca6eee6ab0c85fb68f5

SHA1
76562e9b7888b6d20d67addb5a90b68b54a51987

SHA256
e82cabb027db8846c3430be760f137afa164c36f9e1b93a6e34c96de0b2c5a5f

SHA512
27ba5d2f719aaac2ead6fb42f23af3aa866f75026be897cd2f561f3e383904e89e6043bd22b4ae24f69787bd258a68ff696c09c03d656cbf7c79c2a52d8d82cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FR00D.tmp\is-VKMKD.tmp

Filesize
657KB

MD5
7cd12c54a9751ca6eee6ab0c85fb68f5

SHA1
76562e9b7888b6d20d67addb5a90b68b54a51987

SHA256
e82cabb027db8846c3430be760f137afa164c36f9e1b93a6e34c96de0b2c5a5f

SHA512
27ba5d2f719aaac2ead6fb42f23af3aa866f75026be897cd2f561f3e383904e89e6043bd22b4ae24f69787bd258a68ff696c09c03d656cbf7c79c2a52d8d82cc

Download Submit
C:\Users\Admin\AppData\Roaming\{d6dc608d-2a27-11ed-a0e3-806e6f6e6963}\BCUAVaXQ.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\AppData\Roaming\{d6dc608d-2a27-11ed-a0e3-806e6f6e6963}\BCUAVaXQ.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
memory/1780-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1780-156-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1780-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3028-143-0x0000000000400000-0x0000000001570000-memory.dmp

Filesize
17.4MB

Download
memory/3028-144-0x0000000000400000-0x0000000001570000-memory.dmp

Filesize
17.4MB

Download
memory/3028-142-0x0000000000400000-0x0000000001570000-memory.dmp

Filesize
17.4MB

Download
memory/3028-148-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/3028-152-0x0000000000400000-0x0000000001570000-memory.dmp

Filesize
17.4MB

Download
memory/3028-155-0x0000000000400000-0x0000000001570000-memory.dmp

Filesize
17.4MB

Download

Analysis

Sharing