Analysis Overview
SHA256
43209724f0bd10e551388117ec98e9b22a296537b1c1eb6f6bc2b35239e63544
Threat Level: Known bad
The file cc58143048294ff5fd4eb525b9af83bd.exe was found to be: Known bad.
Malicious Activity Summary
NyMaim
Checks computer location settings
Deletes itself
Program crash
Enumerates physical storage devices
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-12-23 04:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-23 04:22
Reported
2022-12-23 04:24
Platform
win7-20220812-en
Max time kernel
43s
Max time network
45s
Command Line
Signatures
NyMaim
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 816 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 816 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 816 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 816 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1932 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 1932 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 1932 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 1932 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe
"C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "cc58143048294ff5fd4eb525b9af83bd.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "cc58143048294ff5fd4eb525b9af83bd.exe" /f
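The process tree above is the classic NyMaim self-delete chain: the sample spawns cmd.exe, which runs taskkill against the sample's own image name and then erases the sample's own path. The following detection routine is an added example written for this page; it is not sandbox output and not code from the sample. It parses a list of process-creation events (the three events below are constructed from the report's own PIDs, images and command lines; the two extra events, a benign cleanup and a `taskkill /pid` variant, are hypothetical) and flags any cmd.exe whose command line both kills and deletes its own parent. It generalises the page's single instance to the `/pid` form and to unquoted paths.

```python
"""Flag the 'cmd.exe /c taskkill ... & erase ...' self-delete chain from process-creation events."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged by the sandbox/EDR


# Constructed sample events. The first three mirror the behavioral1 process tree in the report
# (PIDs 816 -> 1932 -> 1264); the parent PID 1500 of the sample and the last two events are hypothetical.
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe"
SAMPLE_EVENTS = [
    ProcEvent(816, 1500, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(1932, 816, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /im "cc58143048294ff5fd4eb525b9af83bd.exe" /f'
              f' & erase "{SAMPLE_PATH}" & exit'),
    ProcEvent(1264, 1932, r"C:\Windows\SysWOW64\taskkill.exe",
              r'taskkill /im "cc58143048294ff5fd4eb525b9af83bd.exe" /f'),
    # Benign: an installer deleting its own log, no taskkill, not its parent's image.
    ProcEvent(2000, 1500, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c del "C:\Temp\setup.log" & exit'),
    # Hypothetical variant: kill by PID, unquoted path, 'del' instead of 'erase'.
    ProcEvent(4242, 1500, r"C:\Temp\dropper.exe", r"C:\Temp\dropper.exe"),
    ProcEvent(4300, 4242, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c taskkill /f /pid 4242 & del C:\Temp\dropper.exe'),
]

# taskkill target: the value after /im or /pid, with or without quotes, any flag order.
TASKKILL_RE = re.compile(r'taskkill\b.*?/(?:im|pid)\s+"?([^"\s]+)"?', re.IGNORECASE)
# erase/del target: the (optionally quoted) operand up to the next '&' or end of line.
DELETE_RE = re.compile(r'\b(?:erase|del)\b\s+(?:/[a-z]\s+)*"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)


def find_self_delete_chains(events):
    """Return (parent_pid, cmd_pid, parent_image) for every cmd.exe that kills and deletes its parent."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        # Compare basenames: a 32-bit parent sees cmd.exe under SysWOW64 even when it asked for System32.
        if ntpath.basename(ev.image).lower() != "cmd.exe":
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue
        kill = TASKKILL_RE.search(ev.cmdline)
        dele = DELETE_RE.search(ev.cmdline)
        if not (kill and dele):
            continue
        parent_name = ntpath.basename(parent.image).lower()
        kill_target = kill.group(1).lower()
        kills_parent = kill_target in (parent_name, str(parent.pid))
        del_target = dele.group(1).strip().lower()
        deletes_parent = del_target == parent.image.lower() or ntpath.basename(del_target) == parent_name
        if kills_parent and deletes_parent:
            hits.append((parent.pid, ev.pid, parent.image))
    return hits


if __name__ == "__main__":
    for parent_pid, cmd_pid, image in find_self_delete_chains(SAMPLE_EVENTS):
        print(f"self-delete: pid {parent_pid} ({image}) via cmd.exe pid {cmd_pid}")
```

The match is keyed on the parent relationship rather than on the literal string `taskkill /im ... & erase`, so renaming the dropper or switching between `erase` and `del` does not evade it, while a cmd.exe that deletes some other file (the constructed `setup.log` case) does not fire. The behavioral1 tree also shows why the Sysmon-style event needs the parent PID: the erase runs after taskkill has already terminated the sample, so by the time the file disappears the original process is gone.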
Network
| Country | Destination | Domain | Proto |
| N/A | 45.139.105.171:80 | 45.139.105.171 | tcp |
Files
memory/816-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
memory/816-55-0x000000000057C000-0x00000000005A2000-memory.dmp
memory/816-57-0x0000000000400000-0x0000000000466000-memory.dmp
memory/816-56-0x0000000000320000-0x0000000000360000-memory.dmp
memory/1932-58-0x0000000000000000-mapping.dmp
memory/816-59-0x000000000057C000-0x00000000005A2000-memory.dmp
memory/816-60-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1264-61-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-23 04:22
Reported
2022-12-23 04:24
Platform
win10v2004-20220812-en
Max time kernel
83s
Max time network
150s
Command Line
Signatures
NyMaim
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe | N/A |
Enumerates physical storage devices
Program crash
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 764 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 764 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 764 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3776 wrote to memory of 1540 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 3776 wrote to memory of 1540 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 3776 wrote to memory of 1540 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe
"C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 764 -ip 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 764 -ip 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 764 -ip 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 764 -ip 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 764 -ip 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 764 -ip 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 764 -ip 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 764 -ip 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 764 -ip 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1236
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "cc58143048294ff5fd4eb525b9af83bd.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 764 -ip 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 536
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "cc58143048294ff5fd4eb525b9af83bd.exe" /f
Network
| Country | Destination | Domain | Proto |
| N/A | 45.139.105.171:80 | 45.139.105.171 | tcp |
| N/A | 20.42.72.131:443 | N/A | tcp |
| N/A | 8.253.135.241:80 | N/A | tcp |
| N/A | 20.190.159.0:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 8.253.135.241:80 | N/A | tcp |
Files
memory/764-132-0x00000000004FE000-0x0000000000525000-memory.dmp
memory/764-133-0x0000000002090000-0x00000000020D0000-memory.dmp
memory/764-134-0x0000000000400000-0x0000000000466000-memory.dmp
memory/3776-135-0x0000000000000000-mapping.dmp
memory/1540-136-0x0000000000000000-mapping.dmp
memory/764-137-0x00000000004FE000-0x0000000000525000-memory.dmp
memory/764-138-0x0000000000400000-0x0000000000466000-memory.dmp