Analysis

  • max time kernel
    164s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2022, 17:14

General

  • Target

    cbe5ad908eaff3c57dc24bd937c2268e380926ea39e69cd77d0ad7854aa73f19.exe

  • Size

    300KB

  • MD5

    baf64e13d868293522c6014a07f5d8f7

  • SHA1

    548fdfb25fd58942eb2f9bd291408498ee441448

  • SHA256

    cbe5ad908eaff3c57dc24bd937c2268e380926ea39e69cd77d0ad7854aa73f19

  • SHA512

    c4a859582ba7f077a951eedee292c4acdccfdb0287f0611ca85970fb6392d9502bca64d6bb6e21ba9c4a6524adcb94a7a803c000d837f0fd8bd1b949ef1ac095

  • SSDEEP

    6144:GdAowps+XLtSolGtyWxYOPyHByYxNfloQFOOwhFJOy3odai:GdKiuRS94WxYOPcyYJKOOYyFi

Score
10/10

Malware Config

Extracted

Family

nymaim

C2

45.139.105.171

85.31.46.167

Signatures

  • NyMaim

    NyMaim is a malware family with various capabilities, written in C++ and first seen in 2013.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash (10 IoCs)
  • Kills process with taskkill (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbe5ad908eaff3c57dc24bd937c2268e380926ea39e69cd77d0ad7854aa73f19.exe
    "C:\Users\Admin\AppData\Local\Temp\cbe5ad908eaff3c57dc24bd937c2268e380926ea39e69cd77d0ad7854aa73f19.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 440
      2⤵
      • Program crash
      PID:2428
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 776
      2⤵
      • Program crash
      PID:1380
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 796
      2⤵
      • Program crash
      PID:4772
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 796
      2⤵
      • Program crash
      PID:4632
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 484
      2⤵
      • Program crash
      PID:4520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 924
      2⤵
      • Program crash
      PID:2904
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1000
      2⤵
      • Program crash
      PID:4292
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1060
      2⤵
      • Program crash
      PID:3720
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1348
      2⤵
      • Program crash
      PID:4816
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "cbe5ad908eaff3c57dc24bd937c2268e380926ea39e69cd77d0ad7854aa73f19.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\cbe5ad908eaff3c57dc24bd937c2268e380926ea39e69cd77d0ad7854aa73f19.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "cbe5ad908eaff3c57dc24bd937c2268e380926ea39e69cd77d0ad7854aa73f19.exe" /f
        3⤵
        • Kills process with taskkill
        PID:4112
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1292
      2⤵
      • Program crash
      PID:1956
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1512 -ip 1512
    1⤵
    PID:3160
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1512 -ip 1512
    1⤵
    PID:3248
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1512 -ip 1512
    1⤵
    PID:1156
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1512 -ip 1512
    1⤵
    PID:4692
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1512 -ip 1512
    1⤵
    PID:1304
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1512 -ip 1512
    1⤵
    PID:5044
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1512 -ip 1512
    1⤵
    PID:1116
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1512 -ip 1512
    1⤵
    PID:3696
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1512 -ip 1512
    1⤵
    PID:3528
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1512 -ip 1512
    1⤵
    PID:4920

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1512-132-0x00000000007FD000-0x0000000000824000-memory.dmp

    Filesize

    156KB

  • memory/1512-133-0x0000000000740000-0x0000000000780000-memory.dmp

    Filesize

    256KB

  • memory/1512-134-0x0000000000400000-0x00000000005AE000-memory.dmp

    Filesize

    1.7MB

  • memory/1512-135-0x00000000007FD000-0x0000000000824000-memory.dmp

    Filesize

    156KB

  • memory/1512-136-0x0000000000400000-0x00000000005AE000-memory.dmp

    Filesize

    1.7MB