Overview
overview
6Static
static
mmc-stable...ws.zip
windows7-x64
6mmc-stable...ws.zip
windows10-2004-x64
1MultiMC/MultiMC.exe
windows7-x64
1MultiMC/MultiMC.exe
windows10-2004-x64
1MultiMC/Qt5Core.dll
windows7-x64
3MultiMC/Qt5Core.dll
windows10-2004-x64
3MultiMC/Qt5Gui.dll
windows7-x64
3MultiMC/Qt5Gui.dll
windows10-2004-x64
3MultiMC/Qt...rk.dll
windows7-x64
3MultiMC/Qt...rk.dll
windows10-2004-x64
3MultiMC/Qt5Svg.dll
windows7-x64
1MultiMC/Qt5Svg.dll
windows10-2004-x64
3MultiMC/Qt...ts.dll
windows7-x64
1MultiMC/Qt...ts.dll
windows10-2004-x64
3MultiMC/Qt5Xml.dll
windows7-x64
3MultiMC/Qt5Xml.dll
windows10-2004-x64
3MultiMC/ic...on.dll
windows7-x64
1MultiMC/ic...on.dll
windows10-2004-x64
1MultiMC/im...if.dll
windows7-x64
1MultiMC/im...if.dll
windows10-2004-x64
1MultiMC/im...ns.dll
windows7-x64
1MultiMC/im...ns.dll
windows10-2004-x64
1MultiMC/im...co.dll
windows7-x64
1MultiMC/im...co.dll
windows10-2004-x64
1MultiMC/im...eg.dll
windows7-x64
1MultiMC/im...eg.dll
windows10-2004-x64
1MultiMC/im...vg.dll
windows7-x64
1MultiMC/im...vg.dll
windows10-2004-x64
1MultiMC/im...mp.dll
windows7-x64
1MultiMC/im...mp.dll
windows10-2004-x64
1MultiMC/ja...ck.jar
windows7-x64
1MultiMC/ja...ck.jar
windows10-2004-x64
1Analysis
-
max time kernel
146s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
30-01-2023 21:37
Static task
static1
Behavioral task
behavioral1
Sample
mmc-stable-windows.zip
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral2
Sample
mmc-stable-windows.zip
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
MultiMC/MultiMC.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
MultiMC/MultiMC.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
MultiMC/Qt5Core.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral6
Sample
MultiMC/Qt5Core.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
MultiMC/Qt5Gui.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral8
Sample
MultiMC/Qt5Gui.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
MultiMC/Qt5Network.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral10
Sample
MultiMC/Qt5Network.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
MultiMC/Qt5Svg.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral12
Sample
MultiMC/Qt5Svg.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
MultiMC/Qt5Widgets.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral14
Sample
MultiMC/Qt5Widgets.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
MultiMC/Qt5Xml.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral16
Sample
MultiMC/Qt5Xml.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
MultiMC/iconengines/qsvgicon.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral18
Sample
MultiMC/iconengines/qsvgicon.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
MultiMC/imageformats/qgif.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral20
Sample
MultiMC/imageformats/qgif.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
MultiMC/imageformats/qicns.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral22
Sample
MultiMC/imageformats/qicns.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
MultiMC/imageformats/qico.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral24
Sample
MultiMC/imageformats/qico.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
MultiMC/imageformats/qjpeg.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral26
Sample
MultiMC/imageformats/qjpeg.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
MultiMC/imageformats/qsvg.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral28
Sample
MultiMC/imageformats/qsvg.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
MultiMC/imageformats/qwbmp.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral30
Sample
MultiMC/imageformats/qwbmp.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
MultiMC/jars/JavaCheck.jar
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral32
Sample
MultiMC/jars/JavaCheck.jar
Resource
win10v2004-20221111-en
windows10-2004-x64
General
-
Target
mmc-stable-windows.zip
-
Size
13.4MB
-
MD5
45373f75c382eca0c44cba6915d7f6b7
-
SHA1
34ed4532d48a8d58bb845f5c6a5927aaa260fab9
-
SHA256
2ef69f36d3a99e423ae6b8de52168fd26656d0c274845270000b013043daac7e
-
SHA512
34d27b7cc81f8f2ac4ff73c340e608f32dc8af16c899b17018c40305fd1cf1d7b75264f9b9a4ec79a1b74836eeea872bed25a99a7e57a2c5445b2cb7fa3aa1f8
-
SSDEEP
196608:9Zkgd/mcKTMG3GS6iw+7WLqB8114REWkcJXTkHAhWsWxCNqm567aQvsLB0Sqdpfz:Ay/mqG3GVinAqB818h6H/xRm56Wh9+V
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache firefox.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings firefox.exe -
NTFS ADS 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\mmc-stable-windows-1.zip:Zone.Identifier firefox.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 852 firefox.exe Token: SeDebugPrivilege 852 firefox.exe Token: SeDebugPrivilege 852 firefox.exe Token: 33 2536 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2536 AUDIODG.EXE Token: 33 2536 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2536 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 852 firefox.exe 852 firefox.exe 852 firefox.exe 852 firefox.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 852 firefox.exe 852 firefox.exe 852 firefox.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 852 firefox.exe 852 firefox.exe 852 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1488 wrote to memory of 852 1488 firefox.exe 29 PID 1488 wrote to memory of 852 1488 firefox.exe 29 PID 1488 wrote to memory of 852 1488 firefox.exe 29 PID 1488 wrote to memory of 852 1488 firefox.exe 29 PID 1488 wrote to memory of 852 1488 firefox.exe 29 PID 1488 wrote to memory of 852 1488 firefox.exe 29 PID 1488 wrote to memory of 852 1488 firefox.exe 29 PID 1488 wrote to memory of 852 1488 firefox.exe 29 PID 1488 wrote to memory of 852 1488 firefox.exe 29 PID 1488 wrote to memory of 852 1488 firefox.exe 29 PID 852 wrote to memory of 1448 852 firefox.exe 31 PID 852 wrote to memory of 1448 852 firefox.exe 31 PID 852 wrote to memory of 1448 852 firefox.exe 31 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1652 852 firefox.exe 32 PID 852 wrote to memory of 1928 852 firefox.exe 33 PID 852 wrote to memory of 1928 852 firefox.exe 33 PID 852 wrote to memory of 1928 852 firefox.exe 33 PID 852 wrote to memory of 1928 852 firefox.exe 33 PID 852 wrote to memory of 1928 852 firefox.exe 33 PID 852 wrote to memory of 1928 852 firefox.exe 33 PID 852 wrote to memory of 1928 852 firefox.exe 33
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mmc-stable-windows.zip1⤵PID:952
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="852.0.1768169559\1115075827" -parentBuildID 20200403170909 -prefsHandle 1172 -prefMapHandle 1164 -prefsLen 1 -prefMapSize 219933 -appdir "C:\Program Files\Mozilla Firefox\browser" - 852 "\\.\pipe\gecko-crash-server-pipe.852" 1256 gpu3⤵PID:1448
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="852.3.745460934\1920400097" -childID 1 -isForBrowser -prefsHandle 1584 -prefMapHandle 1576 -prefsLen 156 -prefMapSize 219933 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 852 "\\.\pipe\gecko-crash-server-pipe.852" 1556 tab3⤵PID:1652
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="852.13.2062427168\818970426" -childID 2 -isForBrowser -prefsHandle 2608 -prefMapHandle 2604 -prefsLen 6938 -prefMapSize 219933 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 852 "\\.\pipe\gecko-crash-server-pipe.852" 2620 tab3⤵PID:1928
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5801⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536