Malware Analysis Report

2025-06-16 00:41

Sample ID 241110-1wb9wayrcr
Target pgxmuwgx.exe
SHA256 467067b7b752259afab91d03a8e163b5022341d359fe0d31cfe0c28af4ccec38
Tags
upx execution
score
5/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
5/10

SHA256

467067b7b752259afab91d03a8e163b5022341d359fe0d31cfe0c28af4ccec38

Threat Level: Likely benign

The file pgxmuwgx.exe was found to be: Likely benign.

Malicious Activity Summary

upx execution

UPX packed file

Unsigned PE

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 21:59

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 21:59

Reported

2024-11-10 21:59

Platform

win7-20240903-en

Max time kernel

0s

Max time network

0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 21:59

Reported

2024-11-10 22:02

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe

"C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c color 0a && mode con: cols=90 lines=26

C:\Windows\system32\mode.com

mode con: cols=90 lines=26

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Version"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Architecture"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3296-0-0x00007FF64ADE0000-0x00007FF64C463C27-memory.dmp

memory/2340-1-0x00007FFF162D3000-0x00007FFF162D5000-memory.dmp

memory/2340-2-0x000002857A740000-0x000002857A762000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_02frxtrg.g4z.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2340-12-0x00007FFF162D0000-0x00007FFF16D91000-memory.dmp

memory/2340-13-0x00007FFF162D0000-0x00007FFF16D91000-memory.dmp

memory/2340-14-0x000002857A890000-0x000002857A8A6000-memory.dmp

memory/2340-15-0x000002857A8B0000-0x000002857A8BA000-memory.dmp

memory/2340-16-0x000002857A920000-0x000002857A946000-memory.dmp

memory/2340-19-0x00007FFF162D0000-0x00007FFF16D91000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 958ec9d245aa0e4bd5d05bbdb37475f4
SHA1 80e6d2c6a85922cb83b9fea874320e9c53740bd9
SHA256 a01df48cd7398ad6894bc40d27fb024dcdda87a3315934e5452a2a3e7dfb371d
SHA512 82567b9f898238e38b3b6b3cdb2565be8cac08788e612564c6ac1545f161cd5c545ba833946cc6f0954f38f066a20c9a4922a09f7d37604c71c8f0e7e46a59ec

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 97e363ea8f05ea610428fe99f37553a7
SHA1 c5ea634f8b8f188d37748e4fffcf673e2e14b9e8
SHA256 7048ebc7dc7ab6e327862c8b837c9c635e2f86bc14060692ea8924cf5e4ed6af
SHA512 ce57cd18a758199c14200d083e7e4abf3702fdcbd6a05c82123ba2ac1da429c06baadf36ddb3aba56057f2ecaa90848a9ed69930cc5ce9927b975c5600abd6e1

memory/3296-33-0x00007FF64ADE0000-0x00007FF64C463C27-memory.dmp