163edff5aec2819e87bde2bbb4369bef309bc395aaf0e5610235152844967631

Analysis

max time kernel
114s
max time network
217s
platform
windows10-2004_x64
resource
win10v2004-20220812-es
resource tags

arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
19-02-2023 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MultiMC/MultiMC.exe
Size

8.8MB
MD5

b140f2eddebb8f56f15148d64c762c2e
SHA1

966df1c26fc4f42657549cc35ce5012b9feb09ab
SHA256

798898fa1695d4144930e58d06529c76235248fd4912531224f57709e2b9466a
SHA512

e81588e459c9557e5b8b37d57b0b1b9b48b969b390891d7b709271c4161b1dcb3ed03b6210ec8a82a19047e27bab791804b243709369cbebefd5e045b4b7717c
SSDEEP

196608:F/cYoNpdLZMSv80t/HC+ReI3MhcdyyVfzxXz+5EoAT+SZpVJV0V8eJiVPVVOSBVs:+3XoM/H9FXz+6gkVJV0V8eJiVPVVOSBe

Score

1^/10

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

MultiMC.exe

pid process

2756 MultiMC.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MultiMC.exe

pid process

2756 MultiMC.exe
2756 MultiMC.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MultiMC.exe

pid process

2756 MultiMC.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 1112 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1112 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MultiMC.exe

pid process

2756 MultiMC.exe
2756 MultiMC.exe
2756 MultiMC.exe

pid	process
2756	MultiMC.exe

pid	process
2756	MultiMC.exe
2756	MultiMC.exe

pid	process
2756	MultiMC.exe

description	pid	process
Token: 33	1112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1112	AUDIODG.EXE

pid	process
2756	MultiMC.exe
2756	MultiMC.exe
2756	MultiMC.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

MultiMC.exe

description	pid	process	target process
PID 2756 wrote to memory of 5112	2756	MultiMC.exe	javaw.exe
PID 2756 wrote to memory of 5112	2756	MultiMC.exe	javaw.exe
PID 2756 wrote to memory of 4876	2756	MultiMC.exe	javaw.exe
PID 2756 wrote to memory of 4876	2756	MultiMC.exe	javaw.exe
PID 2756 wrote to memory of 4452	2756	MultiMC.exe	javaw.exe
PID 2756 wrote to memory of 4452	2756	MultiMC.exe	javaw.exe
PID 2756 wrote to memory of 2456	2756	MultiMC.exe	javaw.exe
PID 2756 wrote to memory of 2456	2756	MultiMC.exe	javaw.exe

C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe
"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
  2⤵
  PID:5112
- C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
  2⤵
  PID:4876
- C:\ProgramData\Oracle\Java\javapath\javaw.exe
  javaw -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
  2⤵
  PID:4452
- C:\ProgramData\Oracle\Java\javapath\javaw.exe
  javaw -Xms512m -Xmx1024m -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
  2⤵
  PID:2456

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x4ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
0810e5952f691632a5487d9fb78e416e

SHA1
d1b625bb51db741dfed7e0c0cf7ea798d906a5c3

SHA256
d12670ba295005f0d14fb13daff49d0c37e90dc192b75d1adbf1c21131329467

SHA512
eb1ac986a41b642c80a294f612a8042b11c3ddecb0a5f6efd6e90af8fd91a980844a5d46171bf2f8dcd63a53090c0cc983560f784275d0540c1a17292d71b0d5

Download Submit
memory/2456-186-0x0000000000000000-mapping.dmp

Download
memory/2756-146-0x0000000061DC0000-0x0000000062404000-memory.dmp

Filesize
6.3MB

Download
memory/2756-148-0x0000000005440000-0x0000000005652000-memory.dmp

Filesize
2.1MB

Download
memory/2756-138-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

Filesize
252KB

Download
memory/2756-137-0x0000000061740000-0x0000000061771000-memory.dmp

Filesize
196KB

Download
memory/2756-139-0x0000000000400000-0x0000000000A1D000-memory.dmp

Filesize
6.1MB

Download
memory/2756-140-0x0000000068880000-0x0000000068DAF000-memory.dmp

Filesize
5.2MB

Download
memory/2756-141-0x00000000013B0000-0x0000000001493000-memory.dmp

Filesize
908KB

Download
memory/2756-142-0x0000000070940000-0x000000007095C000-memory.dmp

Filesize
112KB

Download
memory/2756-143-0x0000000061740000-0x0000000061771000-memory.dmp

Filesize
196KB

Download
memory/2756-144-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

Filesize
252KB

Download
memory/2756-145-0x0000000063400000-0x0000000063415000-memory.dmp

Filesize
84KB

Download
memory/2756-132-0x00000000013B1000-0x0000000001776000-memory.dmp

Filesize
3.8MB

Download
memory/2756-147-0x0000000000400000-0x0000000000A1D000-memory.dmp

Filesize
6.1MB

Download
memory/2756-136-0x0000000070940000-0x000000007095C000-memory.dmp

Filesize
112KB

Download
memory/2756-150-0x0000000068880000-0x0000000068DAF000-memory.dmp

Filesize
5.2MB

Download
memory/2756-151-0x0000000070940000-0x000000007095C000-memory.dmp

Filesize
112KB

Download
memory/2756-152-0x0000000061DC0000-0x0000000062404000-memory.dmp

Filesize
6.3MB

Download
memory/2756-133-0x00000000013B0000-0x0000000001925000-memory.dmp

Filesize
5.5MB

Download
memory/2756-134-0x0000000001931000-0x0000000001933000-memory.dmp

Filesize
8KB

Download
memory/2756-135-0x00000000013B1000-0x00000000014EC000-memory.dmp

Filesize
1.2MB

Download
memory/2756-156-0x0000000006840000-0x0000000006851000-memory.dmp

Filesize
68KB

Download
memory/4452-155-0x0000000000000000-mapping.dmp

Download
memory/4876-154-0x0000000000000000-mapping.dmp

Download
memory/5112-185-0x0000000002990000-0x0000000003990000-memory.dmp

Filesize
16.0MB

Download
memory/5112-153-0x0000000000000000-mapping.dmp

Download
memory/5112-197-0x0000000002990000-0x0000000003990000-memory.dmp

Filesize
16.0MB

Download