Analysis Overview
SHA256
ed762eadb77c47c6c41a128a73044bc2f78eeae23692f3017ce69d77ae48ea92
Threat Level: Known bad
The file ed762eadb77c47c6c41a128a73044bc2f78eeae23692f3017ce69d77ae48ea92 was found to be: Known bad.
Malicious Activity Summary
NyMaim
Executes dropped EXE
Deletes itself
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-20 20:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-20 20:31
Reported
2022-11-20 20:34
Platform
win7-20221111-en
Max time kernel
51s
Max time network
53s
Command Line
Signatures
NyMaim
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\PGRhifOtumQ.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed762eadb77c47c6c41a128a73044bc2f78eeae23692f3017ce69d77ae48ea92.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ed762eadb77c47c6c41a128a73044bc2f78eeae23692f3017ce69d77ae48ea92.exe
"C:\Users\Admin\AppData\Local\Temp\ed762eadb77c47c6c41a128a73044bc2f78eeae23692f3017ce69d77ae48ea92.exe"
C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\PGRhifOtumQ.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "ed762eadb77c47c6c41a128a73044bc2f78eeae23692f3017ce69d77ae48ea92.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ed762eadb77c47c6c41a128a73044bc2f78eeae23692f3017ce69d77ae48ea92.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "ed762eadb77c47c6c41a128a73044bc2f78eeae23692f3017ce69d77ae48ea92.exe" /f
Network
| Country | Destination | Domain | Proto |
| N/A | 45.139.105.171:80 | 45.139.105.171 | tcp |
| N/A | 107.182.129.235:80 | 107.182.129.235 | tcp |
| N/A | 171.22.30.106:80 | 171.22.30.106 | tcp |
Files
C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\PGRhifOtumQ.exe
| MD5 | 3fb36cb0b7172e5298d2992d42984d06 |
| SHA1 | 439827777df4a337cbb9fa4a4640d0d3fa1738b7 |
| SHA256 | 27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6 |
| SHA512 | 6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-20 20:31
Reported
2022-11-20 20:34
Platform
win10v2004-20220901-en
Max time kernel
90s
Max time network
144s
Command Line
Signatures
NyMaim
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{d6dc608d-2a27-11ed-a0e3-806e6f6e6963}\m513puIx.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ed762eadb77c47c6c41a128a73044bc2f78eeae23692f3017ce69d77ae48ea92.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ed762eadb77c47c6c41a128a73044bc2f78eeae23692f3017ce69d77ae48ea92.exe
"C:\Users\Admin\AppData\Local\Temp\ed762eadb77c47c6c41a128a73044bc2f78eeae23692f3017ce69d77ae48ea92.exe"
C:\Users\Admin\AppData\Roaming\{d6dc608d-2a27-11ed-a0e3-806e6f6e6963}\m513puIx.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "ed762eadb77c47c6c41a128a73044bc2f78eeae23692f3017ce69d77ae48ea92.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ed762eadb77c47c6c41a128a73044bc2f78eeae23692f3017ce69d77ae48ea92.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "ed762eadb77c47c6c41a128a73044bc2f78eeae23692f3017ce69d77ae48ea92.exe" /f
Network
| Country | Destination | Domain | Proto |
| N/A | 45.139.105.171:80 | 45.139.105.171 | tcp |
| N/A | 107.182.129.235:80 | 107.182.129.235 | tcp |
| N/A | 171.22.30.106:80 | 171.22.30.106 | tcp |
| N/A | 13.89.179.9:443 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Roaming\{d6dc608d-2a27-11ed-a0e3-806e6f6e6963}\m513puIx.exe
| MD5 | 3fb36cb0b7172e5298d2992d42984d06 |
| SHA1 | 439827777df4a337cbb9fa4a4640d0d3fa1738b7 |
| SHA256 | 27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6 |
| SHA512 | 6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c |