Analysis
max time kernel: 28s
max time network: 31s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 29/12/2022, 12:13
Static task: static1
Behavioral task: behavioral1
Sample: 4f8aaa32c25c0df6e6d6b07147fe2210.exe
Resource: win7-20221111-en
6 signatures, 150 seconds
General
Target: 4f8aaa32c25c0df6e6d6b07147fe2210.exe
Size: 396KB
MD5: 4f8aaa32c25c0df6e6d6b07147fe2210
SHA1: 6a3d3cc1440dc5ccd401dcad9f2aa2b5e58efb6a
SHA256: 3130ae5c7eb9359f37503eae4d9e163031db1cf5cf39b1cf353fefda5e037ed8
SHA512: a46d34e735d5953c006c0507d2d76f626a056981ad71052987632016c0512d3b9cbaa0e5efdd9f2230e2b3f218890c2095f44ab9d248be2b7eac7eedbfb2496a
SSDEEP: 6144:+UfKLfKeWByzgwsVqNGIxg4l2wjJFLDk9iGce6o1Yf67k13bwZ4Vxq:dC2eDzgXVeGIxg4XjJlm6o1Yy7
Malware Config
Extracted
Family: nymaim
C2: 45.139.105.171, 85.31.46.167
Signatures

Deletes itself (1 IoC)
  pid 592   process cmd.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoC)
  pid 608   process taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege   pid 608   process taskkill.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid    process                                   procid_target
  PID 1784 wrote to memory of 592     1784   4f8aaa32c25c0df6e6d6b07147fe2210.exe      30
  PID 1784 wrote to memory of 592     1784   4f8aaa32c25c0df6e6d6b07147fe2210.exe      30
  PID 1784 wrote to memory of 592     1784   4f8aaa32c25c0df6e6d6b07147fe2210.exe      30
  PID 1784 wrote to memory of 592     1784   4f8aaa32c25c0df6e6d6b07147fe2210.exe      30
  PID 592 wrote to memory of 608      592    cmd.exe                                   32
  PID 592 wrote to memory of 608      592    cmd.exe                                   32
  PID 592 wrote to memory of 608      592    cmd.exe                                   32
  PID 592 wrote to memory of 608      592    cmd.exe                                   32
Processes

1. C:\Users\Admin\AppData\Local\Temp\4f8aaa32c25c0df6e6d6b07147fe2210.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4f8aaa32c25c0df6e6d6b07147fe2210.exe"
   PID: 1784
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "4f8aaa32c25c0df6e6d6b07147fe2210.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\4f8aaa32c25c0df6e6d6b07147fe2210.exe" & exit
      PID: 592
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         command line: taskkill /im "4f8aaa32c25c0df6e6d6b07147fe2210.exe" /f
         PID: 608
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken