100b85a1e544ca868a5498cc88fb5d5f5775fa70bb336c87efa07528bc313271

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21-08-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MultiMC/MultiMC.exe
Size

8.8MB
MD5

27fd4c65dee0c42258cd7e9a1cee450c
SHA1

d828163498839dd77e5942651ae40a2af1685a98
SHA256

7a3e7741a2ec3f4204a077f43c5fce99dae5c282838e676430a1805220bee0da
SHA512

cde69f0750b32acd2d0587739f329dbc5f21c414b1ccdc0816fa9988c5f265d4ffb3e1ff1001f68c2bd1b73314acc03f06c084ff66b98491e5b19ae93a663b38
SSDEEP

196608:rZLga4oRHw4KeB3jHELNXUpBgq+iDsyPnYHGEWtPVlVPVqLJ1VZVVd5VLo8V8sVI:+a9JzjHL/QyVlVPVqLJ1VZVVd5VLo8Vu

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

MultiMC.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MultiMC.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

MultiMC.exe

pid process

4524 MultiMC.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MultiMC.exe

pid process

4524 MultiMC.exe
4524 MultiMC.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MultiMC.exe

pid process

4524 MultiMC.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 5000 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 5000 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MultiMC.exe

pid process

4524 MultiMC.exe
4524 MultiMC.exe
4524 MultiMC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MultiMC.exe

pid	process
4524	MultiMC.exe

pid	process
4524	MultiMC.exe
4524	MultiMC.exe

pid	process
4524	MultiMC.exe

description	pid	process
Token: 33	5000	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5000	AUDIODG.EXE

pid	process
4524	MultiMC.exe
4524	MultiMC.exe
4524	MultiMC.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

MultiMC.exe

description	pid	process	target process
PID 4524 wrote to memory of 1812	4524	MultiMC.exe	javaw.exe
PID 4524 wrote to memory of 1812	4524	MultiMC.exe	javaw.exe
PID 4524 wrote to memory of 4236	4524	MultiMC.exe	javaw.exe
PID 4524 wrote to memory of 4236	4524	MultiMC.exe	javaw.exe
PID 4524 wrote to memory of 3140	4524	MultiMC.exe	javaw.exe
PID 4524 wrote to memory of 3140	4524	MultiMC.exe	javaw.exe
PID 4524 wrote to memory of 4756	4524	MultiMC.exe	javaw.exe
PID 4524 wrote to memory of 4756	4524	MultiMC.exe	javaw.exe

C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe
"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4524

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
2⤵
PID:1812

C:\Program Files\Java\jdk-1.8\bin\javaw.exe
"C:\Program Files\Java\jdk-1.8\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
2⤵
PID:4236

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
javaw -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
2⤵
PID:3140

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
javaw -Xms512m -Xmx1024m -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
2⤵
PID:4756

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004F0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5000

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
721af8b18d431982f56cfda685b788b0

SHA1
94abcab7e07074080eef6f0ed0fd4147f021c900

SHA256
dda7da3b17884d475008625c3a370a7274068e9d56627673a280075f3b85b930

SHA512
3e5ed5347d5f80bdf1428be960433e593a751246280b9dd283623bf57c4cd8ba08711efa02e0e887c555e167d7ce7a56ff68e1a97d9dcb9f6995f2c529537211

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
5b1b3d1f796d89e1be03ec5fee7be340

SHA1
ac04ae65256eeac9a8ffc833a350973d0d83c426

SHA256
764af5fef2e3f0badb4973f0cdbc0a82927089fa3d12b99b5837b1f4221ca558

SHA512
e029d5188841216f4c934b2f3461a930a4268883edd1f364fa6b4887203fa53088bc4af71cf2152d19d43e0c3882ad04d834ae26f919388fd6c0b0fad98e96e3

Download Submit
memory/4524-33-0x0000000061DC0000-0x0000000062404000-memory.dmp

Filesize
6.3MB

Download
memory/4524-7-0x0000000068881000-0x0000000068B29000-memory.dmp

Filesize
2.7MB

Download
memory/4524-6-0x0000000000400000-0x0000000000A23000-memory.dmp

Filesize
6.1MB

Download
memory/4524-35-0x0000000064940000-0x0000000064954000-memory.dmp

Filesize
80KB

Download
memory/4524-5-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

Filesize
252KB

Download
memory/4524-34-0x000000006FC40000-0x000000006FD41000-memory.dmp

Filesize
1.0MB

Download
memory/4524-15-0x0000000068880000-0x0000000068DAF000-memory.dmp

Filesize
5.2MB

Download
memory/4524-16-0x0000000068880000-0x0000000068DAF000-memory.dmp

Filesize
5.2MB

Download
memory/4524-17-0x0000000004D50000-0x0000000004F62000-memory.dmp

Filesize
2.1MB

Download
memory/4524-19-0x0000000068880000-0x0000000068DAF000-memory.dmp

Filesize
5.2MB

Download
memory/4524-36-0x00000000014F0000-0x0000000001A65000-memory.dmp

Filesize
5.5MB

Download
memory/4524-40-0x0000000004D50000-0x0000000004F62000-memory.dmp

Filesize
2.1MB

Download
memory/4524-39-0x000000006E600000-0x000000006E674000-memory.dmp

Filesize
464KB

Download
memory/4524-41-0x0000000068880000-0x0000000068DAF000-memory.dmp

Filesize
5.2MB

Download
memory/4524-38-0x000000006A880000-0x000000006A9F6000-memory.dmp

Filesize
1.5MB

Download
memory/4524-37-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/4524-3-0x0000000070940000-0x000000007095C000-memory.dmp

Filesize
112KB

Download
memory/4524-2-0x00000000014F0000-0x0000000001A65000-memory.dmp

Filesize
5.5MB

Download
memory/4524-12-0x0000000068880000-0x0000000068DAF000-memory.dmp

Filesize
5.2MB

Download
memory/4524-30-0x0000000068880000-0x0000000068DAF000-memory.dmp

Filesize
5.2MB

Download
memory/4524-32-0x000000006E940000-0x000000006E964000-memory.dmp

Filesize
144KB

Download
memory/4524-31-0x0000000066C00000-0x0000000066C3E000-memory.dmp

Filesize
248KB

Download
memory/4524-29-0x0000000069700000-0x0000000069894000-memory.dmp

Filesize
1.6MB

Download
memory/4524-27-0x0000000063400000-0x0000000063415000-memory.dmp

Filesize
84KB

Download
memory/4524-28-0x0000000061B80000-0x0000000061B98000-memory.dmp

Filesize
96KB

Download
memory/4524-26-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

Filesize
252KB

Download
memory/4524-25-0x0000000061740000-0x0000000061771000-memory.dmp

Filesize
196KB

Download
memory/4524-24-0x0000000070940000-0x000000007095C000-memory.dmp

Filesize
112KB

Download
memory/4524-23-0x0000000000400000-0x0000000000A23000-memory.dmp

Filesize
6.1MB

Download
memory/4524-49-0x0000000068880000-0x0000000068DAF000-memory.dmp

Filesize
5.2MB

Download
memory/4524-55-0x00000000014F0000-0x0000000001A65000-memory.dmp

Filesize
5.5MB

Download
memory/4524-73-0x00000000014F0000-0x0000000001A65000-memory.dmp

Filesize
5.5MB

Download
memory/4524-67-0x0000000068880000-0x0000000068DAF000-memory.dmp

Filesize
5.2MB

Download
memory/4524-0-0x00000000014F0000-0x0000000001A65000-memory.dmp

Filesize
5.5MB

Download
memory/4524-4-0x0000000061740000-0x0000000061771000-memory.dmp

Filesize
196KB

Download