Analysis
max time kernel: 97s
max time network: 143s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 10/11/2024, 21:55
Behavioral tasks
behavioral1: sample pgxmuwgx.exe, resource win7-20240903-en
behavioral2: sample pgxmuwgx.exe, resource win10v2004-20241007-en
behavioral3: sample pgxmuwgx.exe, resource win10ltsc2021-20241023-en
General
Target: pgxmuwgx.exe
Size: 3.3MB
MD5: 2a548b249ee8db152f03a9b734eec566
SHA1: eeb6e62c5e3a3bd390773786f0ca33ee3f0dbccb
SHA256: 467067b7b752259afab91d03a8e163b5022341d359fe0d31cfe0c28af4ccec38
SHA512: 0d8b122c8a389ee13dbd5e7600f70e5fa3a497fa9922ea627ffc77bc7517d57930ccbe3c9d89b91c07961244b890035b67380de06dedc1d257cd51ed7194a9e8
SSDEEP: 98304:OK3G1lOQFDprOsrLjJwyHCdMHLbB50dF7+OXQ:OSGb9DJj/HWIHX0dc
Malware Config
Signatures
- resource / yara_rule:
  behavioral3/memory/4192-0-0x00007FF6E2C70000-0x00007FF6E42F3C27-memory.dmp   upx
  behavioral3/memory/4192-33-0x00007FF6E2C70000-0x00007FF6E42F3C27-memory.dmp  upx
  behavioral3/memory/4192-35-0x00007FF6E2C70000-0x00007FF6E42F3C27-memory.dmp  upx
- pid / Process:
  3396  powershell.exe
  4232  powershell.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / Process:
  4232  powershell.exe
  4232  powershell.exe
  3396  powershell.exe
  3396  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege  4232  powershell.exe
  Token: SeDebugPrivilege  3396  powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target:
  PID 4192 wrote to memory of 768   4192  pgxmuwgx.exe  85
  PID 4192 wrote to memory of 768   4192  pgxmuwgx.exe  85
  PID 768 wrote to memory of 4432   768   cmd.exe       86
  PID 768 wrote to memory of 4432   768   cmd.exe       86
  PID 4192 wrote to memory of 4232  4192  pgxmuwgx.exe  87
  PID 4192 wrote to memory of 4232  4192  pgxmuwgx.exe  87
  PID 4192 wrote to memory of 3396  4192  pgxmuwgx.exe  89
  PID 4192 wrote to memory of 3396  4192  pgxmuwgx.exe  89
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe"
  PID: 4192
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c color 0a && mode con: cols=90 lines=26
    PID: 768
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\mode.com
      Command line: mode con: cols=90 lines=26
      PID: 4432
  - [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Version"
    PID: 4232
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Architecture"
    PID: 3396
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 4e50615fbb2682d496773c1e3985a98e
  SHA1: 67413638787fdae9a8fb43c128811faf7dabc8ce
  SHA256: a13af49afd14efc8d114fbfd0ae7311482cd7af29c3d0cfc2b18be76c872bf94
  SHA512: 852df909000e14c6e1c35bbff1602ddcf04756e17eee788cd1c78131e18e3b0f7034aa5b29e3c39957d667719956b3876fd001269e4fb9672a8db2e89ae8c79b
- Filesize: 1KB
  MD5: 1a3101f3c4c89b36ec469cee45b28487
  SHA1: c188454a1dcadcf103d53b4275f509165abd2088
  SHA256: 62b50d6eb485d2b12f24bd64578560fbfc3b6fc97434682573fe3da44cb99f83
  SHA512: c44724cc276f3ad139857c40b7edf19e01eb0d1b2d66f1d8f74449ed3e2503fb1fff65984cba85b8f921f8bf96928cc7f3d194230720412eb731faff991ec959
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82