85c9b01515c4f19f797d8753d7187f463b3c742012bd22d3ea84c222ea7f5a76

Analysis

max time kernel
70s
max time network
83s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
19/09/2023, 06:51 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MultiMC/libLauncher_nbt++.dll.a
Size

149KB
MD5

d33b558ef7bd4d8617686ba972d581eb
SHA1

962320c340596f5e91d05453a2ee3047d687f563
SHA256

41d0787573ac821be0ce45bcaddc77440a1bb1b9cb077b3c86c39b75b1404b11
SHA512

78d633527999e39f810a619d1a7935455631911cc020a75d05718748d2a511f2a01489fa05d3ff8611abde14d9e66beb96d3f514222e5ba95b800a20c8bd5b0a
SSDEEP

768:DPr973mNxRtPpcfyqL/8Jm3dW0aNfGannAcDutKuKTDGhi4DvA492TSAiAiTHT41:Dr973mP9aKrcRZBgEoo57vYmu

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2364	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MultiMC\libLauncher_nbt++.dll.a
1⤵
- Modifies registry class
PID:836

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2364

Network

DNS

f.8.3.8.0.2.1.d.f.d.1.8.5.3.4.0.8.f.7.1.4.4.8.5.8.0.8.0.8.0.8.0.ip6.arpa

Remote address:

8.8.8.8:53

Request

f.8.3.8.0.2.1.d.f.d.1.8.5.3.4.0.8.f.7.1.4.4.8.5.8.0.8.0.8.0.8.0.ip6.arpa

IN PTR

Response
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

f.8.3.8.0.2.1.d.f.d.1.8.5.3.4.0.8.f.7.1.4.4.8.5.8.0.8.0.8.0.8.0.ip6.arpa

dns

118 B
182 B
1
1

DNS Request

f.8.3.8.0.2.1.d.f.d.1.8.5.3.4.0.8.f.7.1.4.4.8.5.8.0.8.0.8.0.8.0.ip6.arpa
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

DNS Request

DNS Request

DNS Request

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.