Malware Analysis Report

2025-01-02 11:58

Sample ID 230105-18qm2ade27
Target mmc-stable-win32.zip
SHA256 2ef69f36d3a99e423ae6b8de52168fd26656d0c274845270000b013043daac7e
Tags
score
1/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
1/10

SHA256

2ef69f36d3a99e423ae6b8de52168fd26656d0c274845270000b013043daac7e

Threat Level: No (potentially) malicious behavior was detected

Verdict for the file mmc-stable-win32.zip: no (potentially) malicious behavior was detected.

Malicious Activity Summary

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-01-05 22:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-05 22:19

Reported

2023-01-05 22:22

Platform

win7-20220901-en

Max time kernel

44s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe

"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"

Network

N/A

Files

memory/1896-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

memory/1896-55-0x0000000000330000-0x0000000000348000-memory.dmp

memory/1896-56-0x0000000000BC0000-0x0000000001204000-memory.dmp

memory/1896-58-0x0000000070940000-0x000000007095C000-memory.dmp

memory/1896-59-0x0000000061740000-0x0000000061771000-memory.dmp

memory/1896-60-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

memory/1896-61-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/1896-62-0x0000000070940000-0x000000007095C000-memory.dmp

memory/1896-63-0x0000000061740000-0x0000000061771000-memory.dmp

memory/1896-64-0x0000000061940000-0x0000000061EB5000-memory.dmp

memory/1896-65-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

memory/1896-66-0x0000000063400000-0x0000000063415000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-05 22:19

Reported

2023-01-05 22:22

Platform

win10v2004-20220812-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description                        Indicator   Process                                                  Target
N/A                                N/A         C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe    N/A

Suspicious behavior: EnumeratesProcesses

Description                        Indicator   Process                                                  Target
N/A                                N/A         C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe    N/A
N/A                                N/A         C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe    N/A

Suspicious behavior: GetForegroundWindowSpam

Description                        Indicator   Process                                                  Target
N/A                                N/A         C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe    N/A

Suspicious use of AdjustPrivilegeToken

Description                        Indicator   Process                                                  Target
Token: 33                          N/A         C:\Windows\system32\AUDIODG.EXE                          N/A
Token: SeIncBasePriorityPrivilege  N/A         C:\Windows\system32\AUDIODG.EXE                          N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe

"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar

C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar

C:\ProgramData\Oracle\Java\javapath\javaw.exe

javaw -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2ec 0x4a0

Network

Country  Destination          Domain                                                                    Proto
N/A      8.8.8.8:53           f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa    udp
N/A      8.8.8.8:53           files.multimc.org                                                         udp
N/A      172.67.147.103:443   files.multimc.org                                                         tcp
N/A      51.132.193.104:443                                                                             tcp
N/A      172.67.147.103:443   files.multimc.org                                                         tcp
N/A      8.8.8.8:53           multimc.org                                                               udp
N/A      104.21.39.176:443    multimc.org                                                               tcp
N/A      172.67.147.103:80    multimc.org                                                               tcp
N/A      8.8.8.8:53           login.microsoftonline.com                                                 udp
N/A      40.126.32.134:443    login.microsoftonline.com                                                 tcp
N/A      8.8.8.8:53           meta.multimc.org                                                          udp
N/A      172.67.147.103:443   meta.multimc.org                                                          tcp

Files

memory/4624-132-0x0000000001420000-0x0000000001995000-memory.dmp

memory/4624-134-0x0000000000171000-0x0000000000173000-memory.dmp

memory/4624-135-0x0000000001420000-0x0000000001995000-memory.dmp

memory/4624-136-0x0000000070940000-0x000000007095C000-memory.dmp

memory/4624-137-0x0000000061740000-0x0000000061771000-memory.dmp

memory/4624-138-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

memory/4624-139-0x0000000000400000-0x00000000009FB000-memory.dmp

memory/4624-140-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/4624-141-0x0000000001420000-0x0000000001995000-memory.dmp

memory/4624-142-0x0000000070940000-0x000000007095C000-memory.dmp

memory/4624-143-0x0000000061740000-0x0000000061771000-memory.dmp

memory/4624-144-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

memory/4624-145-0x0000000063400000-0x0000000063415000-memory.dmp

memory/4624-146-0x0000000061DC0000-0x0000000062404000-memory.dmp

memory/4624-147-0x0000000000400000-0x00000000009FB000-memory.dmp

memory/4624-148-0x00000000053F0000-0x0000000005602000-memory.dmp

memory/3172-150-0x0000000000000000-mapping.dmp

memory/740-151-0x0000000000000000-mapping.dmp

memory/3760-152-0x0000000000000000-mapping.dmp

memory/4624-153-0x0000000006800000-0x0000000006811000-memory.dmp

memory/740-169-0x0000000003030000-0x0000000004030000-memory.dmp

memory/4624-170-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/4624-172-0x0000000070940000-0x000000007095C000-memory.dmp

memory/4624-173-0x0000000061740000-0x0000000061771000-memory.dmp

memory/4624-171-0x0000000001420000-0x0000000001995000-memory.dmp

memory/4624-174-0x0000000061DC0000-0x0000000062404000-memory.dmp

memory/740-175-0x0000000003030000-0x0000000004030000-memory.dmp

memory/4624-176-0x00000000000D0000-0x00000000000E0000-memory.dmp

memory/4624-177-0x00000000000D0000-0x00000000000E0000-memory.dmp