nymaim | 10ab4b67654b37c2b297fd0d3472d73ccf8d91965e9f3d92a3aeb7aaf716ce46

General

Target

file.exe
Size

2.0MB
MD5

73b70679bf81cb29bd71d63870d3b64b
SHA1

57ed83403437cf7407c6bf03e3c8078e441d72d3
SHA256

10ab4b67654b37c2b297fd0d3472d73ccf8d91965e9f3d92a3aeb7aaf716ce46
SHA512

31794d2ca3259d4922e6e30b91a416c4c0d107968f31811d4c0528bdd4fde60e38cf4dc25b705df75f4a243123bb9abad1e59e8d6b1de7d5faa7670ab37f1088
SSDEEP

49152:GivLILX/VVTccDekwGDMz6ihGqikpFZGUWJQNiNUDXKJ:Giv8LcyeT4MeihGqPUwA

Score

10^/10

nymaim discovery trojan

Malware Config

Extracted

Family

nymaim

C2

45.139.105.171

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim

Executes dropped EXE 3 IoCs

pid	Process
2036	is-0GVJV.tmp
1648	SplitFiles123.exe
5088	JDyOE3.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	SplitFiles123.exe

Loads dropped DLL 1 IoCs

pid	Process
2036	is-0GVJV.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Split Files\language\is-4TTTB.tmp	is-0GVJV.tmp
File created	C:\Program Files (x86)\Split Files\language\is-D23D6.tmp	is-0GVJV.tmp
File created	C:\Program Files (x86)\Split Files\is-LJ6M3.tmp	is-0GVJV.tmp
File created	C:\Program Files (x86)\Split Files\is-07PRV.tmp	is-0GVJV.tmp
File created	C:\Program Files (x86)\Split Files\unins000.dat	is-0GVJV.tmp
File created	C:\Program Files (x86)\Split Files\is-AJ8OH.tmp	is-0GVJV.tmp
File created	C:\Program Files (x86)\Split Files\language\is-8KKPG.tmp	is-0GVJV.tmp
File created	C:\Program Files (x86)\Split Files\language\is-MOQOL.tmp	is-0GVJV.tmp
File opened for modification	C:\Program Files (x86)\Split Files\unins000.dat	is-0GVJV.tmp
File created	C:\Program Files (x86)\Split Files\is-D48LV.tmp	is-0GVJV.tmp
File created	C:\Program Files (x86)\Split Files\language\is-F7UUU.tmp	is-0GVJV.tmp
File created	C:\Program Files (x86)\Split Files\language\is-FR20C.tmp	is-0GVJV.tmp
File created	C:\Program Files (x86)\Split Files\is-5BFNI.tmp	is-0GVJV.tmp
File opened for modification	C:\Program Files (x86)\Split Files\SplitFiles123.exe	is-0GVJV.tmp
File created	C:\Program Files (x86)\Split Files\language\is-B5A6O.tmp	is-0GVJV.tmp
File created	C:\Program Files (x86)\Split Files\language\is-PLO2V.tmp	is-0GVJV.tmp
File created	C:\Program Files (x86)\Split Files\language\is-CA53E.tmp	is-0GVJV.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
5000	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1648	SplitFiles123.exe
1648	SplitFiles123.exe
1648	SplitFiles123.exe
1648	SplitFiles123.exe
1648	SplitFiles123.exe
1648	SplitFiles123.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5000	taskkill.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 2036	5040	file.exe	79
PID 5040 wrote to memory of 2036	5040	file.exe	79
PID 5040 wrote to memory of 2036	5040	file.exe	79
PID 2036 wrote to memory of 1648	2036	is-0GVJV.tmp	80
PID 2036 wrote to memory of 1648	2036	is-0GVJV.tmp	80
PID 2036 wrote to memory of 1648	2036	is-0GVJV.tmp	80
PID 1648 wrote to memory of 5088	1648	SplitFiles123.exe	81
PID 1648 wrote to memory of 5088	1648	SplitFiles123.exe	81
PID 1648 wrote to memory of 5088	1648	SplitFiles123.exe	81
PID 1648 wrote to memory of 2980	1648	SplitFiles123.exe	90
PID 1648 wrote to memory of 2980	1648	SplitFiles123.exe	90
PID 1648 wrote to memory of 2980	1648	SplitFiles123.exe	90
PID 2980 wrote to memory of 5000	2980	cmd.exe	92
PID 2980 wrote to memory of 5000	2980	cmd.exe	92
PID 2980 wrote to memory of 5000	2980	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\is-PA66N.tmp\is-0GVJV.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PA66N.tmp\is-0GVJV.tmp" /SL4 $50060 "C:\Users\Admin\AppData\Local\Temp\file.exe" 1820372 217600
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Program Files (x86)\Split Files\SplitFiles123.exe
    "C:\Program Files (x86)\Split Files\SplitFiles123.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Users\Admin\AppData\Roaming\{1ca2f389-1ab8-11ed-aebb-806e6f6e6963}\JDyOE3.exe
      4⤵
      Executes dropped EXE
      PID:5088
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles123.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles123.exe" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "SplitFiles123.exe" /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Split Files\SplitFiles123.exe

Filesize
3.2MB

MD5
4879fdc5e9ac1676160a4eef70e3d351

SHA1
df7fa45a3be82c882c98c1599f39f49f9c14bd85

SHA256
6696aadd5deba833b4ec6d29b9e8e5a30e0d3266a7041b5672e78913cd8d63ae

SHA512
2539d18293d539bacb93373f03f45b7059feb38f5af5344ffde5cd48c60f05047f7ab72135b4f7312a35be9e5058de5b6d6953dfb63cd00b322d84fb818807f1

Download Submit
C:\Program Files (x86)\Split Files\SplitFiles123.exe

Filesize
3.2MB

MD5
4879fdc5e9ac1676160a4eef70e3d351

SHA1
df7fa45a3be82c882c98c1599f39f49f9c14bd85

SHA256
6696aadd5deba833b4ec6d29b9e8e5a30e0d3266a7041b5672e78913cd8d63ae

SHA512
2539d18293d539bacb93373f03f45b7059feb38f5af5344ffde5cd48c60f05047f7ab72135b4f7312a35be9e5058de5b6d6953dfb63cd00b322d84fb818807f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LD3TT.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PA66N.tmp\is-0GVJV.tmp

Filesize
806KB

MD5
4f3db9263ab998737f14cfb0cc7da686

SHA1
1f3947a6b5c900f28a93abb7a097aea5efa76f58

SHA256
f8ce6681396db8b8a95cdf7dbf02b68c847922aeacd0277a52a4e5ca399f87aa

SHA512
60d5207b7af2dadf63aeb6123ed466e779cc9b04ca15f303416b348b8e5ee9c147ee578d5e586df749d1facf460c84090436a0d4944fdebd334373f0f6c18f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PA66N.tmp\is-0GVJV.tmp

Filesize
806KB

MD5
4f3db9263ab998737f14cfb0cc7da686

SHA1
1f3947a6b5c900f28a93abb7a097aea5efa76f58

SHA256
f8ce6681396db8b8a95cdf7dbf02b68c847922aeacd0277a52a4e5ca399f87aa

SHA512
60d5207b7af2dadf63aeb6123ed466e779cc9b04ca15f303416b348b8e5ee9c147ee578d5e586df749d1facf460c84090436a0d4944fdebd334373f0f6c18f8d

Download Submit
C:\Users\Admin\AppData\Roaming\{1ca2f389-1ab8-11ed-aebb-806e6f6e6963}\JDyOE3.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\AppData\Roaming\{1ca2f389-1ab8-11ed-aebb-806e6f6e6963}\JDyOE3.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
memory/1648-143-0x0000000000400000-0x0000000001538000-memory.dmp

Filesize
17.2MB

Download
memory/1648-139-0x0000000000000000-mapping.dmp

Download
memory/1648-142-0x0000000000400000-0x0000000001538000-memory.dmp

Filesize
17.2MB

Download
memory/1648-147-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1648-151-0x0000000000400000-0x0000000001538000-memory.dmp

Filesize
17.2MB

Download
memory/1648-154-0x0000000000400000-0x0000000001538000-memory.dmp

Filesize
17.2MB

Download
memory/2036-135-0x0000000000000000-mapping.dmp

Download
memory/2980-152-0x0000000000000000-mapping.dmp

Download
memory/5000-153-0x0000000000000000-mapping.dmp

Download
memory/5040-132-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5040-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5040-155-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5088-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing