nymaim | a94272e0df3abd7cec6d1c3762b7708089a63165ff2bfe3c7cb60385f0bf4b4b

Analysis

max time kernel
144s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01-11-2022 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a94272e0df3abd7cec6d1c3762b7708089a63165ff2bfe3c7cb60385f0bf4b4b.exe
Size

409KB
MD5

a46e5a3d22bda59d4cb8beb4e965def4
SHA1

963a4a51bb93084feb1c6682cad0430a5641448b
SHA256

a94272e0df3abd7cec6d1c3762b7708089a63165ff2bfe3c7cb60385f0bf4b4b
SHA512

4c5270d3465cebf6abcd82bcb25200bbb56e663c702b8f9ea687b3ea0458fc1f5642b69c219d4445a5a9daa0eeb7ec1a5fc4e1025748151cc365f316a7c9080b
SSDEEP

6144:gnXGTd6V4Sg6UqrgPQINRxIvGY1xiQzCUb3gK97ITsq:gn2Z6V448P7RaX1vCUB97

Score

10^/10

nymaim trojan

Malware Config

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
4548	4760	WerFault.exe	65
1352	4760	WerFault.exe	65
4564	4760	WerFault.exe	65
4472	4760	WerFault.exe	65
3176	4760	WerFault.exe	65
2052	4760	WerFault.exe	65
3216	4760	WerFault.exe	65
3800	4760	WerFault.exe	65

Kills process with taskkill 1 IoCs

evasion

pid	Process
4196	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 5052	4760	a94272e0df3abd7cec6d1c3762b7708089a63165ff2bfe3c7cb60385f0bf4b4b.exe	75
PID 4760 wrote to memory of 5052	4760	a94272e0df3abd7cec6d1c3762b7708089a63165ff2bfe3c7cb60385f0bf4b4b.exe	75
PID 4760 wrote to memory of 5052	4760	a94272e0df3abd7cec6d1c3762b7708089a63165ff2bfe3c7cb60385f0bf4b4b.exe	75
PID 5052 wrote to memory of 4196	5052	cmd.exe	77
PID 5052 wrote to memory of 4196	5052	cmd.exe	77
PID 5052 wrote to memory of 4196	5052	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\a94272e0df3abd7cec6d1c3762b7708089a63165ff2bfe3c7cb60385f0bf4b4b.exe
"C:\Users\Admin\AppData\Local\Temp\a94272e0df3abd7cec6d1c3762b7708089a63165ff2bfe3c7cb60385f0bf4b4b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 524
  2⤵
  - Program crash
  PID:4548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 768
  2⤵
  - Program crash
  PID:1352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 828
  2⤵
  - Program crash
  PID:4564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 940
  2⤵
  - Program crash
  PID:4472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 984
  2⤵
  - Program crash
  PID:3176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1108
  2⤵
  - Program crash
  PID:2052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1148
  2⤵
  - Program crash
  PID:3216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1312
  2⤵
  - Program crash
  PID:3800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "a94272e0df3abd7cec6d1c3762b7708089a63165ff2bfe3c7cb60385f0bf4b4b.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a94272e0df3abd7cec6d1c3762b7708089a63165ff2bfe3c7cb60385f0bf4b4b.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "a94272e0df3abd7cec6d1c3762b7708089a63165ff2bfe3c7cb60385f0bf4b4b.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4196-184-0x0000000000000000-mapping.dmp

Download
memory/4196-185-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4196-186-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4196-191-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4196-190-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4196-189-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4196-188-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4196-187-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-152-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-157-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-128-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-129-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-130-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-131-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-132-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-133-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-134-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-135-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-136-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-137-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-138-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-139-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-140-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-141-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-142-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-143-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-145-0x0000000002ED0000-0x0000000002F10000-memory.dmp

Filesize
256KB

Download
memory/4760-146-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-144-0x0000000002C60000-0x0000000002D0E000-memory.dmp

Filesize
696KB

Download
memory/4760-147-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-148-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-149-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-150-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-151-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-125-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-153-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-154-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-155-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-156-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-126-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-158-0x0000000000400000-0x0000000002C54000-memory.dmp

Filesize
40.3MB

Download
memory/4760-159-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-160-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-161-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-162-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-163-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-164-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-165-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-166-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-167-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-168-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-169-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-170-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-171-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-172-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-173-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-174-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-175-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-178-0x0000000002ED0000-0x0000000002F10000-memory.dmp

Filesize
256KB

Download
memory/4760-182-0x0000000000400000-0x0000000002C54000-memory.dmp

Filesize
40.3MB

Download
memory/4760-120-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-121-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-122-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-124-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-123-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5052-179-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5052-177-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5052-176-0x0000000000000000-mapping.dmp

Download
memory/5052-181-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5052-180-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5052-183-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download