484cb42dc4a3fbf2f1d9c537d1a3a4af52d85f10df1547405d1b5bc9bffac8a2

General

Target

pymins_px.exe
Size

884KB
MD5

f42a48a631043025037896bb160d2ab2
SHA1

1b6c89e0379a8cd0893736240974dc822e966f0c
SHA256

484cb42dc4a3fbf2f1d9c537d1a3a4af52d85f10df1547405d1b5bc9bffac8a2
SHA512

374ee6d93460218d643864f14cef19d4283fc154d8393424b660ec6abeac6bb2dd4f9b6720e76b3de8210fb408db14bddf17a0c719532119154a876b7d8e123a
SSDEEP

12288:IbAC8ODc+jSXya9aw3L7lp/mKtADNlVZQxjhfntudH3q6UvklSYUcuXm4mMxaStZ:0c8ML/zjClVZgjhf+HaLvklSCu/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

pviewm.exepaycopy.exepayx_remove.exe

pid	Process
3508	pviewm.exe
3148	paycopy.exe
2968	payx_remove.exe

Modifies registry class 19 IoCs

Processes:

pymins_px.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pym\ = "PYM_auto_file"	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file	pymins_px.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\ = "Paychex Report Manager"	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\shell	pymins_px.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\shell\open\command\ = "c:\\paychex\\pviewm.exe \"%1\""	pymins_px.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\test.pyx\ = "PYX_test"	pymins_px.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\test.pyx	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pym	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\shell\read	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\test.pyx	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\shell\open	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\shell\read\command	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\shell\open\command	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd-pym	pymins_px.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd-pym\Extension = ".pym"	pymins_px.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\DefaultIcon\ = "c:\\paychex\\pviewm.exe,0"	pymins_px.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pym\Content Type = "application/vnd-pym"	pymins_px.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\DefaultIcon	pymins_px.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PYM_auto_file\shell\read\command\ = "c:\\paychex\\pviewm.exe \"%1\""	pymins_px.exe

NTFS ADS 1 IoCs

Processes:

pviewm.exe

description	ioc	Process
File opened for modification	C:\paychex\^=^windows_drive_letter^.^:\paychex\logs\pviewm.log	pviewm.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
1568	notepad.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

pviewm.exepaycopy.exe

description	pid	Process	procid_target
PID 3508 wrote to memory of 3148	3508	pviewm.exe	100
PID 3508 wrote to memory of 3148	3508	pviewm.exe	100
PID 3508 wrote to memory of 3148	3508	pviewm.exe	100
PID 3148 wrote to memory of 1568	3148	paycopy.exe	101
PID 3148 wrote to memory of 1568	3148	paycopy.exe	101
PID 3148 wrote to memory of 1568	3148	paycopy.exe	101
PID 3148 wrote to memory of 2968	3148	paycopy.exe	102
PID 3148 wrote to memory of 2968	3148	paycopy.exe	102
PID 3148 wrote to memory of 2968	3148	paycopy.exe	102

C:\Users\Admin\AppData\Local\Temp\pymins_px.exe
"C:\Users\Admin\AppData\Local\Temp\pymins_px.exe"
1⤵
- Modifies registry class
PID:1148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4840

\??\c:\paychex\pviewm.exe
"c:\paychex\pviewm.exe" "C:\paychex\test_notepad.pym"
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3508
- \??\c:\paychex\paycopy.exe
  c:\paychex\paycopy _wait_for_this:notepad "c:\paychex\2024_02\_txt_28_17_09_43_01.txt"[^w^][^d^]c:\paychex\2024_02\_txt_28_17_09_43_01.txt
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Windows\SysWOW64\notepad.exe
    notepad "c:\paychex\2024_02\_txt_28_17_09_43_01.txt"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1568
- - \??\c:\paychex\payx_remove.exe
    /s /no_askem tree_wipe c:\paychex\2024_02
    3⤵
    - Executes dropped EXE
    PID:2968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\paychex\logs\pviewm.log

Filesize
407B

MD5
26315f27797307e8c01fd89f93239011

SHA1
cfb51ee6212713e51ad2bcfa251f6e055c09fe22

SHA256
06514fccd404bfdf36fad4261d7465a5ef660769c9a3e19518edd86573cf6f79

SHA512
6d392ecec45deeaf210b549c002905282ccf11be059b91cdc7b697c6705db5540931cddd82ca77bd4d7fed5ac33d5e9f73c87a46978f3bd0225bfd1db51ddf53

Download Submit
C:\paychex\payx_remove.exe

Filesize
415KB

MD5
0cdc57930367a0e910bda0215ca963fb

SHA1
ee7026c8d3c276c29878a7539bfe3163aa2f5b8f

SHA256
c19e834e70b3a1773c629d93e4bc83ff3afbeb12ebe0d2e12f8cf331838b93c2

SHA512
db5633c6a17c59f8ca6c17bf56e145c4e4b43e968cca7b0572b7c32276d0dbac4e8f819e1a8a949e76397fa26bcd7358659906f3735e92342d8620494f80132f

Download Submit
C:\paychex\pviewm.exe

Filesize
116KB

MD5
bb6650b6da30be2a4a12f0e88737446b

SHA1
49a81a9a573bf2653277346816d825f9682e06cd

SHA256
770586da85bfa11029e2b122013307d61610ca8f88dfdf02e976b82bd244ae95

SHA512
9696c46aae700a9ece344224cf0b0ada81d99968508c50a737eaae6d1c342a55822cd7d530dc644da448cd8f6409eaf5d61ee39d02e1d89901cdfd7eaa5a7243

Download Submit
\??\c:\paychex\2024_02\_txt_28_17_09_43_01.txt

Filesize
52B

MD5
67cabe0f08d612f3954ae1f229c7eee8

SHA1
4cd6789b7a922b05ecd5ab4dbb22134e8c3e544f

SHA256
d09099d227955120795aba61c23a70ce60148970521562dee2a88e64cbd96e21

SHA512
765f2a42d55751c6a96bca56867a85a5b81f87eab582d7fe052a869e11874e82eb9c27f75e5be2ae6a7aaee127a10e098c3be4d9f54ee2d1eb6b1c08081f2ad8

Download Submit
\??\c:\paychex\logs\pviewm.log

Filesize
521B

MD5
e2c9cd65a53039f3bc303f50564c568e

SHA1
a4e9507bbea2ebe4bfce9ee0f5af47c9bd85d7d8

SHA256
b4a6fb6eb185c2b45348bfe6dca40001ac1ecbc2722b2f81c67028bf2a340cf3

SHA512
128dde0b070941ab88707dbef6937e4155e4e7d323406aba603b41169b3a0e719215fd4ac55350aa664e0d8b9cae44fb7536af0fe537dc08fd4c9cf16f533f28

Download Submit
\??\c:\paychex\paycopy.exe

Filesize
88KB

MD5
f930ffb5bb9a41df0a002b4e1d7d1b03

SHA1
912757a446d2dffddebb7f5cc0d1b87dd5920eac

SHA256
1eccdc8e1b66c617eba8c3b8d6f02366f5a2538ff7ab248e1e8c12a82d8b4f10

SHA512
b5c75100e0b29896166effbef8c0d39aede9bb11edf84ff3b31a44de0c439a6e83921a68298634c2520d755d914f609ab9bdce00c483d4ff4414354e71c8866f

Download Submit
\??\c:\paychex\pviewm.ini

Filesize
4KB

MD5
bd9410dabeade450f215611315934d15

SHA1
2f68ab66187eb37d567d44d5f211228d41371221

SHA256
5bd1cb9f0eec1cba2c0b5ee896cdadfe837b02c6638943be3d38e6db26d9b05e

SHA512
1edf691b667db6d7ae3754c52098d1c9b3b81da8d399bdaebb40240d071868e1e84f931783c6e567fd1969c2586ed7f4f53888c454832ee945c9b322e226aaa0

Download Submit
\??\c:\paychex\test_notepad.pym

Filesize
146B

MD5
d19c14459181791c3982a27efd844717

SHA1
14ea1f8a3b4486da2d87462ba887b590db2af34b

SHA256
f6ffc0cf0baed560e9a8714b2d8586225afb6da0443604a533a921f26a035a20

SHA512
905b40d8ac5c48669f67957b65937b0374c288b8e278cf18035d50211c38ad9aa7298855b9770351c2981eed956d826a25861afc7b6e2bf6e408e24da0097c9b

Download Submit
memory/2968-26-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2968-27-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads