Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    10/11/2024, 21:55

General

  • Target
    pgxmuwgx.exe
  • Size
    3.3MB
  • MD5
    2a548b249ee8db152f03a9b734eec566
  • SHA1
    eeb6e62c5e3a3bd390773786f0ca33ee3f0dbccb
  • SHA256
    467067b7b752259afab91d03a8e163b5022341d359fe0d31cfe0c28af4ccec38
  • SHA512
    0d8b122c8a389ee13dbd5e7600f70e5fa3a497fa9922ea627ffc77bc7517d57930ccbe3c9d89b91c07961244b890035b67380de06dedc1d257cd51ed7194a9e8
  • SSDEEP
    98304:OK3G1lOQFDprOsrLjJwyHCdMHLbB50dF7+OXQ:OSGb9DJj/HWIHX0dc

Score
5/10

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe
    "C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color 0a && mode con: cols=90 lines=26
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3460
      • C:\Windows\system32\mode.com
        mode con: cols=90 lines=26
        3⤵
        PID:1208
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Version"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3488
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Architecture"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5040

    Network

          MITRE ATT&CK Enterprise v15


          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize
            3KB
            MD5
            c4004e022f299839235e0b9b9eff21cb
            SHA1
            53cb70317be1181667d198f11bb38c5283fdf604
            SHA256
            b0520284a49198908379c3bce330cb4428559866de87e5a5cfb6eac510605a5f
            SHA512
            5190c53fa27055789d6cc66dd3b1f822aa7a1c75b27a568c3f354d743531efe5ec0f9fb88fe83a5253250201646524d783d75fc1c25cf8160d80090455f7fa89

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize
            1KB
            MD5
            7d11fdb1cefb8bc8e6c7d4c0b8a4f486
            SHA1
            51f70797f2fddd0817f14057f4818c5875be9057
            SHA256
            30da8122353bf6033e7e90b037c11c053739cb61f46eb89d552ddea152637331
            SHA512
            1ab45860498b90f09bd438dc907dc7933e180268cb5198767ffc6faf1de661199dd7933c714e3180476bd65cd9af386f45ae5cd7f0075ed425c0263b63838601

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jxvqjziz.ncr.ps1
            Filesize
            60B
            MD5
            d17fe0a3f47be24a6453e9ef58c94641
            SHA1
            6ab83620379fc69f80c0242105ddffd7d98d5d9d
            SHA256
            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
            SHA512
            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • memory/3488-13-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp
            Filesize
            10.8MB
          • memory/3488-10-0x000001CDE2EC0000-0x000001CDE2EE2000-memory.dmp
            Filesize
            136KB
          • memory/3488-12-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp
            Filesize
            10.8MB
          • memory/3488-14-0x000001CDE3060000-0x000001CDE307C000-memory.dmp
            Filesize
            112KB
          • memory/3488-15-0x000001CDE3050000-0x000001CDE305A000-memory.dmp
            Filesize
            40KB
          • memory/3488-16-0x000001CDE3470000-0x000001CDE3496000-memory.dmp
            Filesize
            152KB
          • memory/3488-19-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp
            Filesize
            10.8MB
          • memory/3488-11-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp
            Filesize
            10.8MB
          • memory/3488-1-0x00007FF93C013000-0x00007FF93C015000-memory.dmp
            Filesize
            8KB
          • memory/3540-0-0x00007FF676F70000-0x00007FF6785F3C27-memory.dmp
            Filesize
            22.5MB
          • memory/3540-32-0x00007FF676F70000-0x00007FF6785F3C27-memory.dmp
            Filesize
            22.5MB