Analysis Overview
SHA256
dbb878934122226d515d724d7d70ee635b58af1463ff7ef7cee4c7d75ea030ab
Threat Level: Known bad
The file 16b57adbc06a4ad058aa05ccfdeb85b57c8ffc22f7a04e268cd9cb7ea6579653 was found to be: Known bad.
Malicious Activity Summary
NyMaim
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Drops file in Program Files directory
Enumerates physical storage devices
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-30 18:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-30 18:30
Reported
2022-11-30 18:33
Platform
win7-20220812-en
Max time kernel
60s
Max time network
63s
Command Line
Signatures
NyMaim
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\PrintFolders\PrintFolders.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\IkH1MJ0t.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16b57adbc06a4ad058aa05ccfdeb85b57c8ffc22f7a04e268cd9cb7ea6579653.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\PrintFolders\PrintFolders.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\PrintFolders\PrintFolders.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\PrintFolders\PrintFolders.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\IkH1MJ0t.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\IkH1MJ0t.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\PrintFolders\is-O07L1.tmp | C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp | N/A |
| File created | C:\Program Files (x86)\PrintFolders\is-O5FTT.tmp | C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp | N/A |
| File created | C:\Program Files (x86)\PrintFolders\is-U4833.tmp | C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp | N/A |
| File created | C:\Program Files (x86)\PrintFolders\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp | N/A |
| File created | C:\Program Files (x86)\PrintFolders\is-9OU3N.tmp | C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\PrintFolders\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\PrintFolders\PrintFolders.exe | C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp | N/A |
| File created | C:\Program Files (x86)\PrintFolders\is-4TS5F.tmp | C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp | N/A |
| File created | C:\Program Files (x86)\PrintFolders\is-IHFJH.tmp | C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\PrintFolders\PrintFolders.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\PrintFolders\PrintFolders.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\PrintFolders\PrintFolders.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\16b57adbc06a4ad058aa05ccfdeb85b57c8ffc22f7a04e268cd9cb7ea6579653.exe
"C:\Users\Admin\AppData\Local\Temp\16b57adbc06a4ad058aa05ccfdeb85b57c8ffc22f7a04e268cd9cb7ea6579653.exe"
C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp" /SL4 $60122 "C:\Users\Admin\AppData\Local\Temp\16b57adbc06a4ad058aa05ccfdeb85b57c8ffc22f7a04e268cd9cb7ea6579653.exe" 1871357 51712
C:\Program Files (x86)\PrintFolders\PrintFolders.exe
"C:\Program Files (x86)\PrintFolders\PrintFolders.exe"
C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\IkH1MJ0t.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "PrintFolders.exe" /f
Network
| Country | Destination | Domain | Proto |
| N/A | 45.139.105.171:80 | 45.139.105.171 | tcp |
| N/A | 107.182.129.235:80 | 107.182.129.235 | tcp |
| N/A | 171.22.30.106:80 | 171.22.30.106 | tcp |
Files
\Users\Admin\AppData\Local\Temp\is-J1H81.tmp\is-QFUOH.tmp
| MD5 | 363a4d2aa5d6cf5cbb2267cccf0c4436 |
| SHA1 | a4cdb756698ed28f522956166a6292e9e309dd9c |
| SHA256 | b5cd942dd7019c1cda1715e4ce942094c41ad1e7bc7c5f63fe3ab7d97bc5a021 |
| SHA512 | b5929be6e258a63557f376b50a40f6d465cbd372a88e7dcae7944faacb9181cd55873f52dee99cee2e3705596b3b55cb6f784db800f5a32f06e63b9ead3e7c70 |
\Users\Admin\AppData\Local\Temp\is-B6L63.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-B6L63.tmp\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Program Files (x86)\PrintFolders\PrintFolders.exe
| MD5 | 5fdfc5178310d49fdc5434b49381b3dd |
| SHA1 | a29d31ef10596e672bbc5af600730e7a64d84359 |
| SHA256 | f5a2e07dd70eb0e68b7770a564fbd51b11a635c33a0d8c5476f81ccca96ed0a0 |
| SHA512 | 1af795188dc7a0060083289f8a2cdae90774053342e107e18106925444b7cc429575d84630287be6a4a5a97a9881288790a1cc01b2fd782b3fa206979b91e72e |
C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\IkH1MJ0t.exe
| MD5 | 3fb36cb0b7172e5298d2992d42984d06 |
| SHA1 | 439827777df4a337cbb9fa4a4640d0d3fa1738b7 |
| SHA256 | 27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6 |
| SHA512 | 6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-30 18:30
Reported
2022-11-30 18:39
Platform
win10v2004-20221111-en
Max time kernel
383s
Max time network
458s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0AL2R.tmp\is-T1PRN.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 928 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\16b57adbc06a4ad058aa05ccfdeb85b57c8ffc22f7a04e268cd9cb7ea6579653.exe | C:\Users\Admin\AppData\Local\Temp\is-0AL2R.tmp\is-T1PRN.tmp |
| PID 928 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\16b57adbc06a4ad058aa05ccfdeb85b57c8ffc22f7a04e268cd9cb7ea6579653.exe | C:\Users\Admin\AppData\Local\Temp\is-0AL2R.tmp\is-T1PRN.tmp |
| PID 928 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\16b57adbc06a4ad058aa05ccfdeb85b57c8ffc22f7a04e268cd9cb7ea6579653.exe | C:\Users\Admin\AppData\Local\Temp\is-0AL2R.tmp\is-T1PRN.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\16b57adbc06a4ad058aa05ccfdeb85b57c8ffc22f7a04e268cd9cb7ea6579653.exe
"C:\Users\Admin\AppData\Local\Temp\16b57adbc06a4ad058aa05ccfdeb85b57c8ffc22f7a04e268cd9cb7ea6579653.exe"
C:\Users\Admin\AppData\Local\Temp\is-0AL2R.tmp\is-T1PRN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0AL2R.tmp\is-T1PRN.tmp" /SL4 $B01EC "C:\Users\Admin\AppData\Local\Temp\16b57adbc06a4ad058aa05ccfdeb85b57c8ffc22f7a04e268cd9cb7ea6579653.exe" 1871357 51712
Network
| Country | Destination | Domain | Proto |
| N/A | 13.89.179.9:443 | N/A | tcp |
| N/A | 96.16.53.148:80 | N/A | tcp |
| N/A | 96.16.53.148:80 | N/A | tcp |
| N/A | 96.16.53.148:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 40.126.32.74:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\is-0AL2R.tmp\is-T1PRN.tmp
| MD5 | 363a4d2aa5d6cf5cbb2267cccf0c4436 |
| SHA1 | a4cdb756698ed28f522956166a6292e9e309dd9c |
| SHA256 | b5cd942dd7019c1cda1715e4ce942094c41ad1e7bc7c5f63fe3ab7d97bc5a021 |
| SHA512 | b5929be6e258a63557f376b50a40f6d465cbd372a88e7dcae7944faacb9181cd55873f52dee99cee2e3705596b3b55cb6f784db800f5a32f06e63b9ead3e7c70 |