Analysis Overview
SHA256
467067b7b752259afab91d03a8e163b5022341d359fe0d31cfe0c28af4ccec38
Threat Level: Likely benign
The file pgxmuwgx.exe was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
Unsigned PE
Command and Scripting Interpreter: PowerShell
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 21:59
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 21:59
Reported
2024-11-10 21:59
Platform
win7-20240903-en
Max time kernel
0s
Max time network
0s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 21:59
Reported
2024-11-10 22:02
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
139s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe
"C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0a && mode con: cols=90 lines=26
C:\Windows\system32\mode.com
mode con: cols=90 lines=26
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Version"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Architecture"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/3296-0-0x00007FF64ADE0000-0x00007FF64C463C27-memory.dmp
memory/2340-1-0x00007FFF162D3000-0x00007FFF162D5000-memory.dmp
memory/2340-2-0x000002857A740000-0x000002857A762000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_02frxtrg.g4z.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2340-12-0x00007FFF162D0000-0x00007FFF16D91000-memory.dmp
memory/2340-13-0x00007FFF162D0000-0x00007FFF16D91000-memory.dmp
memory/2340-14-0x000002857A890000-0x000002857A8A6000-memory.dmp
memory/2340-15-0x000002857A8B0000-0x000002857A8BA000-memory.dmp
memory/2340-16-0x000002857A920000-0x000002857A946000-memory.dmp
memory/2340-19-0x00007FFF162D0000-0x00007FFF16D91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 958ec9d245aa0e4bd5d05bbdb37475f4 |
| SHA1 | 80e6d2c6a85922cb83b9fea874320e9c53740bd9 |
| SHA256 | a01df48cd7398ad6894bc40d27fb024dcdda87a3315934e5452a2a3e7dfb371d |
| SHA512 | 82567b9f898238e38b3b6b3cdb2565be8cac08788e612564c6ac1545f161cd5c545ba833946cc6f0954f38f066a20c9a4922a09f7d37604c71c8f0e7e46a59ec |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 97e363ea8f05ea610428fe99f37553a7 |
| SHA1 | c5ea634f8b8f188d37748e4fffcf673e2e14b9e8 |
| SHA256 | 7048ebc7dc7ab6e327862c8b837c9c635e2f86bc14060692ea8924cf5e4ed6af |
| SHA512 | ce57cd18a758199c14200d083e7e4abf3702fdcbd6a05c82123ba2ac1da429c06baadf36ddb3aba56057f2ecaa90848a9ed69930cc5ce9927b975c5600abd6e1 |
memory/3296-33-0x00007FF64ADE0000-0x00007FF64C463C27-memory.dmp