f6d1641642cebcdbef6bb2f110d0e3c6b592679d18f9dea71ac484c518417ea8

Analysis

max time kernel
134s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MLG.exe
Size

14.3MB
MD5

634728f2fe391f5369bf655cc7c2b482
SHA1

9da51bfb54343dc4d9220c3bb785dd2a1ea7c17e
SHA256

f6d1641642cebcdbef6bb2f110d0e3c6b592679d18f9dea71ac484c518417ea8
SHA512

07d0d3ec375e441e128bc9c5d2067f983bee1967e3075c3b76ddc5339ecccaf28fe2d626bb237ea2ba1aac475136c8be33a7e11a61286a70406fae95cf90e3ad
SSDEEP

393216:aKavQlk+mnzmCpyqR5i3YjjB1YOywzKKYADwCepixNcOtx:aFI+1h8qLnjzXDKKpECLx

Score

5^/10

ransomware

Malware Config

Signatures

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

MLG.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp"	MLG.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

MLG.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\WallpaperStyle = "2"	MLG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\TileWallpaper = "0"	MLG.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 5064 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 5064 AUDIODG.EXE

description	pid	process
Token: 33	5064	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5064	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\MLG.exe
"C:\Users\Admin\AppData\Local\Temp\MLG.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
PID:3644

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x150
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3644-0-0x00007FFE7B953000-0x00007FFE7B955000-memory.dmp

Filesize
8KB

Download
memory/3644-1-0x0000022176120000-0x0000022176F78000-memory.dmp

Filesize
14.3MB

Download
memory/3644-2-0x00007FFE7B950000-0x00007FFE7C411000-memory.dmp

Filesize
10.8MB

Download
memory/3644-6-0x00007FFE7B950000-0x00007FFE7C411000-memory.dmp

Filesize
10.8MB

Download