nymaim | 74760430c11054c722fcbbc2bdc13f51c6d81b2e77ffddfe07a063fb203c8901

General

Target

febde8fd7e0d1b6191442768f2d8dd2d7dd90740c70fe917f3b4f1c24ea0d46f.exe
Size

1.8MB
MD5

c5a31e850e32e4b779a2eb6257cab613
SHA1

f91799e5e4ecf64f8c68cf17b99c03957403523b
SHA256

febde8fd7e0d1b6191442768f2d8dd2d7dd90740c70fe917f3b4f1c24ea0d46f
SHA512

f7e827114d49b60e6751c4337f1d09d8a03f58d8b54c5f7f1ebabee1b22d8af03c96243e1e60a2440491eb6794acf8d153f3c4e4183c329f207cb9348e7c2306
SSDEEP

49152:5iRVZQ220TLIaNCJdHFGEfPn5m4+Hth960:5iRVZQENC3HFtvs4+HtHZ

Score

10^/10

nymaim discovery trojan

Malware Config

Extracted

Family

nymaim

C2

45.139.105.171

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim

Executes dropped EXE 3 IoCs

pid	Process
2040	is-24OAE.tmp
2076	SplitFiles124.exe
404	o5CG9.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	SplitFiles124.exe

Loads dropped DLL 1 IoCs

pid	Process
2040	is-24OAE.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Split Files\language\is-TOQE7.tmp	is-24OAE.tmp
File created	C:\Program Files (x86)\Split Files\language\is-RAV5O.tmp	is-24OAE.tmp
File opened for modification	C:\Program Files (x86)\Split Files\unins000.dat	is-24OAE.tmp
File created	C:\Program Files (x86)\Split Files\is-N4PDU.tmp	is-24OAE.tmp
File created	C:\Program Files (x86)\Split Files\is-F693H.tmp	is-24OAE.tmp
File created	C:\Program Files (x86)\Split Files\unins000.dat	is-24OAE.tmp
File created	C:\Program Files (x86)\Split Files\is-INTLR.tmp	is-24OAE.tmp
File created	C:\Program Files (x86)\Split Files\language\is-ML977.tmp	is-24OAE.tmp
File created	C:\Program Files (x86)\Split Files\language\is-8VBU8.tmp	is-24OAE.tmp
File created	C:\Program Files (x86)\Split Files\language\is-JHM78.tmp	is-24OAE.tmp
File created	C:\Program Files (x86)\Split Files\language\is-5P70S.tmp	is-24OAE.tmp
File opened for modification	C:\Program Files (x86)\Split Files\SplitFiles124.exe	is-24OAE.tmp
File created	C:\Program Files (x86)\Split Files\language\is-UIJO4.tmp	is-24OAE.tmp
File created	C:\Program Files (x86)\Split Files\language\is-IMMSB.tmp	is-24OAE.tmp
File created	C:\Program Files (x86)\Split Files\is-65F67.tmp	is-24OAE.tmp
File created	C:\Program Files (x86)\Split Files\language\is-EME2G.tmp	is-24OAE.tmp
File created	C:\Program Files (x86)\Split Files\is-00EF5.tmp	is-24OAE.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4584	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2076	SplitFiles124.exe
2076	SplitFiles124.exe
2076	SplitFiles124.exe
2076	SplitFiles124.exe
2076	SplitFiles124.exe
2076	SplitFiles124.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4584	taskkill.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 2040	4648	febde8fd7e0d1b6191442768f2d8dd2d7dd90740c70fe917f3b4f1c24ea0d46f.exe	79
PID 4648 wrote to memory of 2040	4648	febde8fd7e0d1b6191442768f2d8dd2d7dd90740c70fe917f3b4f1c24ea0d46f.exe	79
PID 4648 wrote to memory of 2040	4648	febde8fd7e0d1b6191442768f2d8dd2d7dd90740c70fe917f3b4f1c24ea0d46f.exe	79
PID 2040 wrote to memory of 2076	2040	is-24OAE.tmp	80
PID 2040 wrote to memory of 2076	2040	is-24OAE.tmp	80
PID 2040 wrote to memory of 2076	2040	is-24OAE.tmp	80
PID 2076 wrote to memory of 404	2076	SplitFiles124.exe	81
PID 2076 wrote to memory of 404	2076	SplitFiles124.exe	81
PID 2076 wrote to memory of 404	2076	SplitFiles124.exe	81
PID 2076 wrote to memory of 4836	2076	SplitFiles124.exe	89
PID 2076 wrote to memory of 4836	2076	SplitFiles124.exe	89
PID 2076 wrote to memory of 4836	2076	SplitFiles124.exe	89
PID 4836 wrote to memory of 4584	4836	cmd.exe	91
PID 4836 wrote to memory of 4584	4836	cmd.exe	91
PID 4836 wrote to memory of 4584	4836	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\febde8fd7e0d1b6191442768f2d8dd2d7dd90740c70fe917f3b4f1c24ea0d46f.exe
"C:\Users\Admin\AppData\Local\Temp\febde8fd7e0d1b6191442768f2d8dd2d7dd90740c70fe917f3b4f1c24ea0d46f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\is-Q855B.tmp\is-24OAE.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-Q855B.tmp\is-24OAE.tmp" /SL4 $90056 "C:\Users\Admin\AppData\Local\Temp\febde8fd7e0d1b6191442768f2d8dd2d7dd90740c70fe917f3b4f1c24ea0d46f.exe" 1661482 166400
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Program Files (x86)\Split Files\SplitFiles124.exe
    "C:\Program Files (x86)\Split Files\SplitFiles124.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Users\Admin\AppData\Roaming\{6cebb340-6208-11ed-bf50-806e6f6e6963}\o5CG9.exe
      4⤵
      Executes dropped EXE
      PID:404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles124.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles124.exe" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "SplitFiles124.exe" /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Split Files\SplitFiles124.exe

Filesize
3.2MB

MD5
ef5ab90d98f271999209a3343fb71275

SHA1
2afdc643832c98f2b8d0bc797df0a6ff18c04956

SHA256
c8bd57de5ec1ead05cb012edb4898ba71ba2dcccedf8aa30684cae0cf6003a5e

SHA512
7ec5ecae5cfa1383173b17a52e2621519d6d4bdc2008c973fffc514c905b520bc3803fe5e10082d55a6a62df87fcd1299fe665419de9a1dca3d494b09adb0894

Download Submit
C:\Program Files (x86)\Split Files\SplitFiles124.exe

Filesize
3.2MB

MD5
ef5ab90d98f271999209a3343fb71275

SHA1
2afdc643832c98f2b8d0bc797df0a6ff18c04956

SHA256
c8bd57de5ec1ead05cb012edb4898ba71ba2dcccedf8aa30684cae0cf6003a5e

SHA512
7ec5ecae5cfa1383173b17a52e2621519d6d4bdc2008c973fffc514c905b520bc3803fe5e10082d55a6a62df87fcd1299fe665419de9a1dca3d494b09adb0894

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IQ1RI.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q855B.tmp\is-24OAE.tmp

Filesize
756KB

MD5
88c7387a76635a30298c1fea18eb963d

SHA1
8a01e609d9f076fd09ec9eec99b512c3571efdbc

SHA256
0cf25da416c0de0814b116f3b917412415e285622149b82d6ee701d94316427b

SHA512
e3d7736fa09f81ff239ce20b9c7cfacc171b63a215f5658c0de9f57dfbb4b9fb7dd96875ecacd7e652d06ff100fa4f7fca63ba2688d48b122bf03c8dbd08ad2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q855B.tmp\is-24OAE.tmp

Filesize
756KB

MD5
88c7387a76635a30298c1fea18eb963d

SHA1
8a01e609d9f076fd09ec9eec99b512c3571efdbc

SHA256
0cf25da416c0de0814b116f3b917412415e285622149b82d6ee701d94316427b

SHA512
e3d7736fa09f81ff239ce20b9c7cfacc171b63a215f5658c0de9f57dfbb4b9fb7dd96875ecacd7e652d06ff100fa4f7fca63ba2688d48b122bf03c8dbd08ad2b

Download Submit
C:\Users\Admin\AppData\Roaming\{6cebb340-6208-11ed-bf50-806e6f6e6963}\o5CG9.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\AppData\Roaming\{6cebb340-6208-11ed-bf50-806e6f6e6963}\o5CG9.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
memory/2076-143-0x0000000000400000-0x000000000152C000-memory.dmp

Filesize
17.2MB

Download
memory/2076-142-0x0000000000400000-0x000000000152C000-memory.dmp

Filesize
17.2MB

Download
memory/2076-147-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2076-151-0x0000000000400000-0x000000000152C000-memory.dmp

Filesize
17.2MB

Download
memory/2076-154-0x0000000000400000-0x000000000152C000-memory.dmp

Filesize
17.2MB

Download
memory/4648-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4648-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4648-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing