484cb42dc4a3fbf2f1d9c537d1a3a4af52d85f10df1547405d1b5bc9bffac8a2

Analysis

max time kernel
25s
max time network
17s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pymins_px.exe
Size

884KB
MD5

f42a48a631043025037896bb160d2ab2
SHA1

1b6c89e0379a8cd0893736240974dc822e966f0c
SHA256

484cb42dc4a3fbf2f1d9c537d1a3a4af52d85f10df1547405d1b5bc9bffac8a2
SHA512

374ee6d93460218d643864f14cef19d4283fc154d8393424b660ec6abeac6bb2dd4f9b6720e76b3de8210fb408db14bddf17a0c719532119154a876b7d8e123a
SSDEEP

12288:IbAC8ODc+jSXya9aw3L7lp/mKtADNlVZQxjhfntudH3q6UvklSYUcuXm4mMxaStZ:0c8ML/zjClVZgjhf+HaLvklSCu/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2980	pviewm.exe
2796	paycopy.exe

Loads dropped DLL 5 IoCs

pid	Process
2188	WerFault.exe
2188	WerFault.exe
2188	WerFault.exe
2188	WerFault.exe
2188	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2188	2980	WerFault.exe	31

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd-pym\Extension = ".pym"	pymins_px.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pym\Content Type = "application/vnd-pym"	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\DefaultIcon	pymins_px.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\DefaultIcon\ = "c:\\paychex\\pviewm.exe,0"	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\shell\open\command	pymins_px.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\test.pyx\ = "PYX_test"	pymins_px.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\test.pyx	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd-pym	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\shell\read	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\shell\open	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\test.pyx	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file	pymins_px.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\ = "Paychex Report Manager"	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\shell\read\command	pymins_px.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\shell\read\command\ = "c:\\paychex\\pviewm.exe \"%1\""	pymins_px.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pym\ = "PYM_auto_file"	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\shell	pymins_px.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\shell\open\command\ = "c:\\paychex\\pviewm.exe \"%1\""	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pym	pymins_px.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\paychex\^=^windows_drive_letter^.^:\paychex\logs\pviewm.log	pviewm.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2188	2980	pviewm.exe	32
PID 2980 wrote to memory of 2188	2980	pviewm.exe	32
PID 2980 wrote to memory of 2188	2980	pviewm.exe	32
PID 2980 wrote to memory of 2188	2980	pviewm.exe	32

C:\Users\Admin\AppData\Local\Temp\pymins_px.exe
"C:\Users\Admin\AppData\Local\Temp\pymins_px.exe"
1⤵
- Modifies registry class
PID:1804

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2264

C:\paychex\pviewm.exe
"C:\paychex\pviewm.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 240
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2188

C:\paychex\paycopy.exe
"C:\paychex\paycopy.exe"
1⤵
- Executes dropped EXE
PID:2796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\paychex\paycopy.exe

Filesize
88KB

MD5
f930ffb5bb9a41df0a002b4e1d7d1b03

SHA1
912757a446d2dffddebb7f5cc0d1b87dd5920eac

SHA256
1eccdc8e1b66c617eba8c3b8d6f02366f5a2538ff7ab248e1e8c12a82d8b4f10

SHA512
b5c75100e0b29896166effbef8c0d39aede9bb11edf84ff3b31a44de0c439a6e83921a68298634c2520d755d914f609ab9bdce00c483d4ff4414354e71c8866f

Download Submit
C:\paychex\pviewm.exe

Filesize
116KB

MD5
bb6650b6da30be2a4a12f0e88737446b

SHA1
49a81a9a573bf2653277346816d825f9682e06cd

SHA256
770586da85bfa11029e2b122013307d61610ca8f88dfdf02e976b82bd244ae95

SHA512
9696c46aae700a9ece344224cf0b0ada81d99968508c50a737eaae6d1c342a55822cd7d530dc644da448cd8f6409eaf5d61ee39d02e1d89901cdfd7eaa5a7243

Download Submit
\??\c:\paychex\pviewm.ini

Filesize
4KB

MD5
bd9410dabeade450f215611315934d15

SHA1
2f68ab66187eb37d567d44d5f211228d41371221

SHA256
5bd1cb9f0eec1cba2c0b5ee896cdadfe837b02c6638943be3d38e6db26d9b05e

SHA512
1edf691b667db6d7ae3754c52098d1c9b3b81da8d399bdaebb40240d071868e1e84f931783c6e567fd1969c2586ed7f4f53888c454832ee945c9b322e226aaa0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads