Analysis
max time kernel: 147s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 10/11/2024, 21:55
Behavioral task: behavioral1
  Sample: pgxmuwgx.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: pgxmuwgx.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: pgxmuwgx.exe
  Resource: win10ltsc2021-20241023-en
General
Target: pgxmuwgx.exe
Size: 3.3MB
MD5: 2a548b249ee8db152f03a9b734eec566
SHA1: eeb6e62c5e3a3bd390773786f0ca33ee3f0dbccb
SHA256: 467067b7b752259afab91d03a8e163b5022341d359fe0d31cfe0c28af4ccec38
SHA512: 0d8b122c8a389ee13dbd5e7600f70e5fa3a497fa9922ea627ffc77bc7517d57930ccbe3c9d89b91c07961244b890035b67380de06dedc1d257cd51ed7194a9e8
SSDEEP: 98304:OK3G1lOQFDprOsrLjJwyHCdMHLbB50dF7+OXQ:OSGb9DJj/HWIHX0dc
Malware Config
Signatures
YARA rule matches (rule: upx) 2 IoCs
  resource                                                                      yara_rule
  behavioral4/memory/3540-0-0x00007FF676F70000-0x00007FF6785F3C27-memory.dmp    upx
  behavioral4/memory/3540-32-0x00007FF676F70000-0x00007FF6785F3C27-memory.dmp   upx

Command and Scripting Interpreter: PowerShell
  pid   Process
  3488  powershell.exe
  5040  powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
  pid   Process
  3488  powershell.exe
  3488  powershell.exe
  5040  powershell.exe
  5040  powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
  description               pid   Process
  Token: SeDebugPrivilege   3488  powershell.exe
  Token: SeDebugPrivilege   5040  powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs
  description                          pid   Process        procid_target
  PID 3540 wrote to memory of 3460     3540  pgxmuwgx.exe   80
  PID 3540 wrote to memory of 3460     3540  pgxmuwgx.exe   80
  PID 3460 wrote to memory of 1208     3460  cmd.exe        81
  PID 3460 wrote to memory of 1208     3460  cmd.exe        81
  PID 3540 wrote to memory of 3488     3540  pgxmuwgx.exe   82
  PID 3540 wrote to memory of 3488     3540  pgxmuwgx.exe   82
  PID 3540 wrote to memory of 5040     3540  pgxmuwgx.exe   84
  PID 3540 wrote to memory of 5040     3540  pgxmuwgx.exe   84
Processes
C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3540

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c color 0a && mode con: cols=90 lines=26
      - Suspicious use of WriteProcessMemory
      PID: 3460

        C:\Windows\system32\mode.com
          Command line: mode con: cols=90 lines=26
          PID: 1208

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Version"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3488

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Architecture"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 5040
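The WriteProcessMemory rows in the Signatures section and the process tree above describe the same thing: a parent writing into the memory of the child it has just created. As an added example that is not part of this report or of the sandbox's own tooling, the Python script below parses the eight IoC rows (copied verbatim from the signature table), collapses the duplicate rows, rebuilds the parent/child tree, and applies the kind of hunting rule an analyst would derive from this report: powershell.exe descending from an executable that lives under AppData\Local\Temp. The PROCESSES table is constructed from the Processes section, and the rule name and its threshold are assumptions of the example. The caveat worth keeping in mind is that every write here goes from a parent to a child it spawned, which is what ordinary process creation looks like, so the WriteProcessMemory signature on its own carries little signal; the chain and the command lines are what make the tree worth a look.

```python
import re
from collections import defaultdict

# Process table constructed from this report's "Processes" section:
# pid -> (image path, command line). An assumption of the example, not sandbox output.
PROCESSES = {
    3540: (r"C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe"'),
    3460: (r"C:\Windows\system32\cmd.exe",
           r"C:\Windows\system32\cmd.exe /c color 0a && mode con: cols=90 lines=26"),
    1208: (r"C:\Windows\system32\mode.com",
           "mode con: cols=90 lines=26"),
    3488: (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           'powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP '
           '| Select-Object -ExpandProperty Version"'),
    5040: (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           'powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP '
           '| Select-Object -ExpandProperty Architecture"'),
}

# The eight "Suspicious use of WriteProcessMemory" rows, copied from the signature table.
# Columns: description, pid, Process, procid_target. Each row appears twice in the report.
WPM_IOCS = """\
PID 3540 wrote to memory of 3460 3540 pgxmuwgx.exe 80
PID 3540 wrote to memory of 3460 3540 pgxmuwgx.exe 80
PID 3460 wrote to memory of 1208 3460 cmd.exe 81
PID 3460 wrote to memory of 1208 3460 cmd.exe 81
PID 3540 wrote to memory of 3488 3540 pgxmuwgx.exe 82
PID 3540 wrote to memory of 3488 3540 pgxmuwgx.exe 82
PID 3540 wrote to memory of 5040 3540 pgxmuwgx.exe 84
PID 3540 wrote to memory of 5040 3540 pgxmuwgx.exe 84
"""

IOC_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_edges(text):
    """Parse IoC rows into de-duplicated (writer_pid, target_pid) edges, first-seen order."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            continue  # skip headers or anything that is not an IoC row
        writer, target = int(m.group(1)), int(m.group(2))
        if (writer, target) not in seen:
            seen.add((writer, target))
            edges.append((writer, target))
    return edges


def build_tree(edges):
    """Treat writer -> target as parent -> child and return (roots, children, parents)."""
    children, parents = defaultdict(list), {}
    for writer, target in edges:
        children[writer].append(target)
        parents[target] = writer
    roots = list(dict.fromkeys(w for w, _ in edges if w not in parents))
    return roots, children, parents


def basename(path):
    return path.rsplit("\\", 1)[-1]


def render(pids, children, depth=0, lines=None):
    """Indented process tree, one line per process, in the order the edges were recorded."""
    if lines is None:
        lines = []
    for pid in pids:
        image = PROCESSES.get(pid, ("<unknown>", ""))[0]
        lines.append("  " * depth + f"{basename(image)} (PID {pid})")
        render(children.get(pid, []), children, depth + 1, lines)
    return lines


def powershell_from_temp(parents):
    """Hunting rule (an assumption of this example): powershell.exe with any ancestor
    whose image lives under AppData\\Local\\Temp. Returns sorted (ps_pid, ancestor_pid)."""
    hits = []
    for pid, (image, _cmd) in PROCESSES.items():
        if basename(image).lower() != "powershell.exe":
            continue
        cur = pid
        while cur in parents:  # walk up until the root or the first match
            cur = parents[cur]
            anc_image = PROCESSES.get(cur, ("", ""))[0]
            if "\\appdata\\local\\temp\\" in anc_image.lower():
                hits.append((pid, cur))
                break
    return sorted(hits)


if __name__ == "__main__":
    edges = parse_edges(WPM_IOCS)
    roots, children, parents = build_tree(edges)
    print("\n".join(render(roots, children)))
    for ps_pid, anc in powershell_from_temp(parents):
        print(f"powershell.exe PID {ps_pid} descends from {PROCESSES[anc][0]} "
              f"(PID {anc}): {PROCESSES[ps_pid][1]}")
```

Run as a script it prints the five-process tree and the two PowerShell hits; to reuse it on another report, replace WPM_IOCS with that report's rows and PROCESSES with its process table, since the IoC rows only name the writing process and the target's image has to come from elsewhere.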
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: c4004e022f299839235e0b9b9eff21cb
SHA1: 53cb70317be1181667d198f11bb38c5283fdf604
SHA256: b0520284a49198908379c3bce330cb4428559866de87e5a5cfb6eac510605a5f
SHA512: 5190c53fa27055789d6cc66dd3b1f822aa7a1c75b27a568c3f354d743531efe5ec0f9fb88fe83a5253250201646524d783d75fc1c25cf8160d80090455f7fa89

Filesize: 1KB
MD5: 7d11fdb1cefb8bc8e6c7d4c0b8a4f486
SHA1: 51f70797f2fddd0817f14057f4818c5875be9057
SHA256: 30da8122353bf6033e7e90b037c11c053739cb61f46eb89d552ddea152637331
SHA512: 1ab45860498b90f09bd438dc907dc7933e180268cb5198767ffc6faf1de661199dd7933c714e3180476bd65cd9af386f45ae5cd7f0075ed425c0263b63838601

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82