Malware Analysis Report

2025-06-16 05:09

Sample ID 221223-ey9ghaba2s
Target cc58143048294ff5fd4eb525b9af83bd.exe
SHA256 43209724f0bd10e551388117ec98e9b22a296537b1c1eb6f6bc2b35239e63544
Tags
nymaim trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

43209724f0bd10e551388117ec98e9b22a296537b1c1eb6f6bc2b35239e63544

Threat Level: Known bad

The file cc58143048294ff5fd4eb525b9af83bd.exe was found to be: Known bad.

Malicious Activity Summary

nymaim trojan

NyMaim

Checks computer location settings

Deletes itself

Program crash

Enumerates physical storage devices

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-23 04:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-23 04:22

Reported

2022-12-23 04:24

Platform

win7-20220812-en

Max time kernel

43s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe"

Signatures

NyMaim

trojan nymaim

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe

"C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "cc58143048294ff5fd4eb525b9af83bd.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "cc58143048294ff5fd4eb525b9af83bd.exe" /f

Network

Country Destination Domain Proto
N/A 45.139.105.171:80 45.139.105.171 tcp

Files

memory/816-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

memory/816-55-0x000000000057C000-0x00000000005A2000-memory.dmp

memory/816-57-0x0000000000400000-0x0000000000466000-memory.dmp

memory/816-56-0x0000000000320000-0x0000000000360000-memory.dmp

memory/1932-58-0x0000000000000000-mapping.dmp

memory/816-59-0x000000000057C000-0x00000000005A2000-memory.dmp

memory/816-60-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1264-61-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-23 04:22

Reported

2022-12-23 04:24

Platform

win10v2004-20220812-en

Max time kernel

83s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe"

Signatures

NyMaim

trojan nymaim

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe

"C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1236

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "cc58143048294ff5fd4eb525b9af83bd.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\cc58143048294ff5fd4eb525b9af83bd.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 536

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "cc58143048294ff5fd4eb525b9af83bd.exe" /f

Network

Country Destination Domain Proto
N/A 45.139.105.171:80 45.139.105.171 tcp
N/A 20.42.72.131:443 tcp
N/A 8.253.135.241:80 tcp
N/A 20.190.159.0:443 tcp
N/A 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 8.253.135.241:80 tcp

Files

memory/764-132-0x00000000004FE000-0x0000000000525000-memory.dmp

memory/764-133-0x0000000002090000-0x00000000020D0000-memory.dmp

memory/764-134-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3776-135-0x0000000000000000-mapping.dmp

memory/1540-136-0x0000000000000000-mapping.dmp

memory/764-137-0x00000000004FE000-0x0000000000525000-memory.dmp

memory/764-138-0x0000000000400000-0x0000000000466000-memory.dmp