Analysis Overview
SHA256
2ef69f36d3a99e423ae6b8de52168fd26656d0c274845270000b013043daac7e
Threat Level: No (potentially) malicious behavior was detected
The file mmc-stable-win32.zip was found to be clean: no (potentially) malicious behavior was detected.
Malicious Activity Summary
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-01-05 22:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-05 22:19
Reported
2023-01-05 22:22
Platform
win7-20220901-en
Max time kernel
44s
Max time network
49s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe
"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-05 22:19
Reported
2023-01-05 22:22
Platform
win10v2004-20220812-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4624 wrote to memory of 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe |
| PID 4624 wrote to memory of 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe |
| PID 4624 wrote to memory of 740 | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe |
| PID 4624 wrote to memory of 740 | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe |
| PID 4624 wrote to memory of 3760 | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | C:\ProgramData\Oracle\Java\javapath\javaw.exe |
| PID 4624 wrote to memory of 3760 | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | C:\ProgramData\Oracle\Java\javapath\javaw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe
"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
C:\ProgramData\Oracle\Java\javapath\javaw.exe
javaw -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x4a0
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| N/A | 8.8.8.8:53 | files.multimc.org | udp |
| N/A | 172.67.147.103:443 | files.multimc.org | tcp |
| N/A | 51.132.193.104:443 | N/A | tcp |
| N/A | 172.67.147.103:443 | files.multimc.org | tcp |
| N/A | 8.8.8.8:53 | multimc.org | udp |
| N/A | 104.21.39.176:443 | multimc.org | tcp |
| N/A | 172.67.147.103:80 | multimc.org | tcp |
| N/A | 8.8.8.8:53 | login.microsoftonline.com | udp |
| N/A | 40.126.32.134:443 | login.microsoftonline.com | tcp |
| N/A | 8.8.8.8:53 | meta.multimc.org | udp |
| N/A | 172.67.147.103:443 | meta.multimc.org | tcp |
Files