100b85a1e544ca868a5498cc88fb5d5f5775fa70bb336c87efa07528bc313271

Analysis

max time kernel
213s
max time network
217s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
22-08-2024 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MultiMC/MultiMC.exe
Size

8.8MB
MD5

27fd4c65dee0c42258cd7e9a1cee450c
SHA1

d828163498839dd77e5942651ae40a2af1685a98
SHA256

7a3e7741a2ec3f4204a077f43c5fce99dae5c282838e676430a1805220bee0da
SHA512

cde69f0750b32acd2d0587739f329dbc5f21c414b1ccdc0816fa9988c5f265d4ffb3e1ff1001f68c2bd1b73314acc03f06c084ff66b98491e5b19ae93a663b38
SSDEEP

196608:rZLga4oRHw4KeB3jHELNXUpBgq+iDsyPnYHGEWtPVlVPVqLJ1VZVVd5VLo8V8sVI:+a9JzjHL/QyVlVPVqLJ1VZVVd5VLo8Vu

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

MultiMC.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MultiMC.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

MultiMC.exe

pid process

3124 MultiMC.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MultiMC.exe

pid process

3124 MultiMC.exe
3124 MultiMC.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MultiMC.exe

pid process

3124 MultiMC.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 792 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 792 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MultiMC.exe

pid process

3124 MultiMC.exe
3124 MultiMC.exe
3124 MultiMC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MultiMC.exe

pid	process
3124	MultiMC.exe

pid	process
3124	MultiMC.exe
3124	MultiMC.exe

pid	process
3124	MultiMC.exe

description	pid	process
Token: 33	792	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	792	AUDIODG.EXE

pid	process
3124	MultiMC.exe
3124	MultiMC.exe
3124	MultiMC.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

MultiMC.exe

description	pid	process	target process
PID 3124 wrote to memory of 1100	3124	MultiMC.exe	javaw.exe
PID 3124 wrote to memory of 1100	3124	MultiMC.exe	javaw.exe
PID 3124 wrote to memory of 496	3124	MultiMC.exe	javaw.exe
PID 3124 wrote to memory of 496	3124	MultiMC.exe	javaw.exe
PID 3124 wrote to memory of 1044	3124	MultiMC.exe	javaw.exe
PID 3124 wrote to memory of 1044	3124	MultiMC.exe	javaw.exe
PID 3124 wrote to memory of 976	3124	MultiMC.exe	javaw.exe
PID 3124 wrote to memory of 976	3124	MultiMC.exe	javaw.exe

C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe
"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3124

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
2⤵
PID:1100

C:\Program Files\Java\jdk-1.8\bin\javaw.exe
"C:\Program Files\Java\jdk-1.8\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
2⤵
PID:496

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
javaw -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
2⤵
PID:1044

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
javaw -Xms512m -Xmx1024m -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
2⤵
PID:976

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:792

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
5f29779514f517d51653c2df002f4723

SHA1
c9e58d70a41ba1122f4de013bde4ea1f24c13259

SHA256
2f066a7a9888a0238df401159f44513ab95f2538175c45dd98913541031092cf

SHA512
1e2ee826651fc5e37bc86e9c95b21d44f90575927543fd78cb451c0c904aec48d8d7ff273f472e2daf2fef5843f873cc804feae3cb4830e05737bc3d00251b83

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MultiMC\translations\index_v2.json
Filesize
15KB

MD5
78e5bfefc547cc05a3a79e738310c4be

SHA1
61fe877f878f0ab410904927dfbfa17b451bce5c

SHA256
0fec483153f5e18a4de781de16ed2638b3fe6acf2de595e4c3adfd852c2aae68

SHA512
776c142eb0dd23614fd24e4e0b26b339f6bb07488ed0f470f35e21047e207c569b845c1116b87c9424752b3e48ab28f7e16e3fcdda60fb1bcef410db666695bb

Download Submit
memory/3124-35-0x0000000066C00000-0x0000000066C3E000-memory.dmp

Filesize
248KB

Download
memory/3124-4-0x0000000061740000-0x0000000061771000-memory.dmp

Filesize
196KB

Download
memory/3124-34-0x0000000064940000-0x0000000064954000-memory.dmp

Filesize
80KB

Download
memory/3124-8-0x0000000068880000-0x0000000068DAF000-memory.dmp

Filesize
5.2MB

Download
memory/3124-7-0x0000000068881000-0x0000000068B29000-memory.dmp

Filesize
2.7MB

Download
memory/3124-15-0x0000000068880000-0x0000000068DAF000-memory.dmp

Filesize
5.2MB

Download
memory/3124-16-0x0000000068880000-0x0000000068DAF000-memory.dmp

Filesize
5.2MB

Download
memory/3124-17-0x0000000004D50000-0x0000000004F62000-memory.dmp

Filesize
2.1MB

Download
memory/3124-19-0x0000000068880000-0x0000000068DAF000-memory.dmp

Filesize
5.2MB

Download
memory/3124-20-0x0000000068880000-0x0000000068DAF000-memory.dmp

Filesize
5.2MB

Download
memory/3124-24-0x0000000068880000-0x0000000068DAF000-memory.dmp

Filesize
5.2MB

Download
memory/3124-40-0x000000006A880000-0x000000006A9F6000-memory.dmp

Filesize
1.5MB

Download
memory/3124-39-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/3124-0-0x0000000001500000-0x0000000001A75000-memory.dmp

Filesize
5.5MB

Download
memory/3124-6-0x0000000000400000-0x0000000000A23000-memory.dmp

Filesize
6.1MB

Download
memory/3124-25-0x0000000000400000-0x0000000000A23000-memory.dmp

Filesize
6.1MB

Download
memory/3124-2-0x0000000001500000-0x0000000001A75000-memory.dmp

Filesize
5.5MB

Download
memory/3124-42-0x0000000004D50000-0x0000000004F62000-memory.dmp

Filesize
2.1MB

Download
memory/3124-30-0x0000000061B80000-0x0000000061B98000-memory.dmp

Filesize
96KB

Download
memory/3124-41-0x000000006E600000-0x000000006E674000-memory.dmp

Filesize
464KB

Download
memory/3124-38-0x0000000001500000-0x0000000001A75000-memory.dmp

Filesize
5.5MB

Download
memory/3124-37-0x000000006FC40000-0x000000006FD41000-memory.dmp

Filesize
1.0MB

Download
memory/3124-36-0x000000006E940000-0x000000006E964000-memory.dmp

Filesize
144KB

Download
memory/3124-33-0x0000000061DC0000-0x0000000062404000-memory.dmp

Filesize
6.3MB

Download
memory/3124-29-0x0000000063400000-0x0000000063415000-memory.dmp

Filesize
84KB

Download
memory/3124-28-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

Filesize
252KB

Download
memory/3124-27-0x0000000061740000-0x0000000061771000-memory.dmp

Filesize
196KB

Download
memory/3124-26-0x0000000070940000-0x000000007095C000-memory.dmp

Filesize
112KB

Download
memory/3124-3-0x0000000070940000-0x000000007095C000-memory.dmp

Filesize
112KB

Download
memory/3124-5-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

Filesize
252KB

Download
memory/3124-32-0x0000000069700000-0x0000000069894000-memory.dmp

Filesize
1.6MB

Download