Analysis
- max time kernel: 86s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 07/05/2023, 23:46
Static task: static1
Behavioral task: behavioral1
- Sample: MCCToolChestPE_setup.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: MCCToolChestPE_setup.exe
- Resource: win10v2004-20230220-en
General
- Target: MCCToolChestPE_setup.exe
- Size: 6.2MB
- MD5: e5c04e6cb730a48c6a1b58d2fd1d629a
- SHA1: e2afe69db249211dc52c0d1b5eb80e822403730a
- SHA256: 2f02500ad7fa0ab1e3062056fcd6a46e5d266b8ee3210b655cb01cf2d57d2ff3
- SHA512: b657a9f3676ae568add200c88b4390abc7f5eea65635387447b861fe942e567c455fd39675d1e9ca25aa5236313a93fa2832457b1fdbf74a129f38ff434747d0
- SSDEEP: 196608:Ulq+1Ns/OYAghysoBQ4i5GuwIAmQChv3c:gxghyH25AFoE
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 772, Process MCCToolChestPE.exe
- Loads dropped DLL (1 IoC)
  pid 1224, Process MsiExec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  All 48 IoCs are "File opened (read-only)" on a drive root; grouped by process, in the order reported:
  msiexec.exe (24): \??\I: \??\V: \??\F: \??\R: \??\L: \??\T: \??\W: \??\Y: \??\J: \??\Z: \??\H: \??\S: \??\E: \??\N: \??\O: \??\X: \??\G: \??\K: \??\M: \??\U: \??\A: \??\P: \??\Q: \??\B:
  MSIEXEC.EXE (24): \??\A: \??\G: \??\J: \??\F: \??\H: \??\S: \??\X: \??\L: \??\O: \??\V: \??\W: \??\B: \??\R: \??\Z: \??\I: \??\K: \??\M: \??\N: \??\P: \??\T: \??\U: \??\E: \??\Q: \??\Y:
- Drops file in Program Files directory (29 IoCs)
  All 29 IoCs are "File created" by msiexec.exe under C:\Program Files (x86)\MCCToolChestPE\:
  support\Beds.png
  support\items.png
  MCCToolChestPE.exe.config
  NBTExplorerWrapper.dll
  Substrate.dll
  NBTExplorer_LICENSE.txt
  support\Skulls.png
  support\blocks.json
  LevelDB-MCPE-32.dll
  support\blockStates.json
  leveldb_LICENSE.txt
  XboxChest.ico
  support\BannerPatterns.png
  support\mobs.png
  FastColoredTextBox.dll
  Interop.PortableDeviceApiLib.dll
  License.txt
  support\items.txt
  support\professions.png
  support\BlockID.json
  NAppUpdate.Framework.dll
  NBTModel.dll
  support\blocks.png
  ClearScript.dll
  Interop.PortableDeviceTypesLib.dll
  support\blocks.txt
  support\Copy of items.txt
  MCCToolChestPE.exe
  LevelDB-MCPE-64.dll
- Drops file in Windows directory (18 IoCs)
  All by msiexec.exe:
  File opened for modification C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\NewShortcut11_359A1342722A4A9DA4B66D8A04498DA7.exe
  File opened for modification C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\NewShortcut111_DAC57BF2C49E41C2BBFDF8CEDD876154.exe
  File opened for modification C:\Windows\Installer\MSI826B.tmp
  File created C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\ARPPRODUCTICON.exe
  File created C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\NewShortcut111_DAC57BF2C49E41C2BBFDF8CEDD876154.exe
  File created C:\Windows\Installer\6c7d1e.ipi
  File created C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\UNINST_Uninstall_M_EF66624CBFDE44758725E543AE623984.exe
  File created C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\NewShortcut1_21B1AF1EAD27490E8F54A4506A2F26FE.exe
  File opened for modification C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\UNINST_Uninstall_M_EF66624CBFDE44758725E543AE623984.exe
  File created C:\Windows\Installer\6c7d20.msi
  File opened for modification C:\Windows\Installer\
  File opened for modification C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\ARPPRODUCTICON.exe
  File opened for modification C:\Windows\Installer\MSI7E93.tmp
  File opened for modification C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\NewShortcut1_21B1AF1EAD27490E8F54A4506A2F26FE.exe
  File created C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\NewShortcut11_359A1342722A4A9DA4B66D8A04498DA7.exe
  File opened for modification C:\Windows\Installer\6c7d1e.ipi
  File created C:\Windows\Installer\6c7d1d.msi
  File opened for modification C:\Windows\Installer\6c7d1d.msi
- Program crash (1 IoC)
  pid 628, pid_target 772, Process WerFault.exe, procid_target 31
- Modifies data under HKEY_USERS (3 IoCs)
  All by msiexec.exe:
  Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E
  Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E
- Modifies registry class (34 IoCs)
  All by msiexec.exe; every key below is relative to \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\:
  Set value (int) Products\5B54D228927B115498767241EC16B1D8\Language = "1033"
  Set value (int) Products\5B54D228927B115498767241EC16B1D8\AuthorizedLUAApp = "0"
  Set value (str) UpgradeCodes\5FBC63902C462FB498C56BA03F0956D5\5B54D228927B115498767241EC16B1D8
  Set value (str) Products\5B54D228927B115498767241EC16B1D8\SourceList\Media\DiskPrompt = "[1]"
  Set value (data) Assemblies\C:|Program Files (x86)|MCCToolChestPE|MCCToolChestPE.exe\ClearScript,Version="5.6.0.0",Culture="neutral",FileVersion="5.6.0.0",ProcessorArchitecture="MSIL",PublicKeyToken="31BF3856AD364E35" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e00470040002b00570048006b00260037003d00390029002a002700590061004b00720049007e00710000000000
  Set value (data) Assemblies\C:|Program Files (x86)|MCCToolChestPE|MCCToolChestPE.exe\Substrate,Version="1.3.8.0",Culture="neutral",FileVersion="1.3.8.0",ProcessorArchitecture="MSIL" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e00480031002a002d006500340053006d00460032006d0059005d00730048004c00300049007200510000000000
  Set value (int) Products\5B54D228927B115498767241EC16B1D8\Assignment = "1"
  Set value (int) Products\5B54D228927B115498767241EC16B1D8\InstanceType = "0"
  Key created Products\5B54D228927B115498767241EC16B1D8\SourceList
  Set value (data) Assemblies\C:|Program Files (x86)|MCCToolChestPE|MCCToolChestPE.exe\NAppUpdate.Framework,Version="0.1.0.0",Culture="neutral",FileVersion="0.1.0.0",ProcessorArchitecture="MSIL",PublicKeyToken="D1F1D1F19F9E5A56" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e005d007100520065006f005a0028002d0065002b00440063006a0026002a0046003d0025005100400000000000
  Key created Features\5B54D228927B115498767241EC16B1D8
  Set value (str) Products\5B54D228927B115498767241EC16B1D8\ProductName = "MCC Tool Chest PE"
  Set value (str) Products\5B54D228927B115498767241EC16B1D8\PackageCode = "EAFFABA8CE806504F8564944BF664B69"
  Key created UpgradeCodes\5FBC63902C462FB498C56BA03F0956D5
  Set value (str) Products\5B54D228927B115498767241EC16B1D8\SourceList\Media\1 = "DISK1;1"
  Set value (data) Assemblies\C:|Program Files (x86)|MCCToolChestPE|MCCToolChestPE.exe\NBTExplorerWrapper,Version="1.0.0.0",Culture="neutral",FileVersion="1.0.0.0",ProcessorArchitecture="MSIL" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e0026002700650068006f005800370079002b007a0074006b00450054007300470066007a005100730000000000
  Set value (str) Features\5B54D228927B115498767241EC16B1D8\AlwaysInstall
  Key created Products\5B54D228927B115498767241EC16B1D8
  Key created Assemblies\C:|Program Files (x86)|MCCToolChestPE|MCCToolChestPE.exe
  Set value (data) Assemblies\C:|Program Files (x86)|MCCToolChestPE|MCCToolChestPE.exe\Interop.PortableDeviceApiLib,Version="1.0.0.0",Culture="neutral",FileVersion="1.0.0.0",ProcessorArchitecture="MSIL" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e004f00440060005d00270045006e006e0037003f004100760066002a0046004500670043003800240000000000
  Set value (int) Products\5B54D228927B115498767241EC16B1D8\Version = "100"
  Key created Products\5B54D228927B115498767241EC16B1D8\SourceList\Net
  Set value (data) Assemblies\C:|Program Files (x86)|MCCToolChestPE|MCCToolChestPE.exe\FastColoredTextBox,Version="2.16.24.0",Culture="neutral",FileVersion="2.16.24.0",ProcessorArchitecture="MSIL",PublicKeyToken="FB8AA12B994EF61B" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e00600040004e004300500027004b002d004b004c00270045004f0054005f00550043004b005a005a0000000000
  Set value (data) Assemblies\C:|Program Files (x86)|MCCToolChestPE|MCCToolChestPE.exe\Interop.PortableDeviceTypesLib,Version="1.0.0.0",Culture="neutral",FileVersion="1.0.0.0",ProcessorArchitecture="MSIL" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e0060002c00490031005b00380038002e0059006b0079005d005f0035004d0059002e007b005b00370000000000
  Set value (str) Products\5B54D228927B115498767241EC16B1D8\ProductIcon = "C:\\Windows\\Installer\\{822D45B5-B729-4511-8967-2714CE611B8D}\\ARPPRODUCTICON.exe"
  Set value (int) Products\5B54D228927B115498767241EC16B1D8\DeploymentFlags = "3"
  Set value (str) Products\5B54D228927B115498767241EC16B1D8\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Downloaded Installations\\{8ABAFFAE-08EC-4056-8F65-9444FB66B496}\\"
  Key created Products\5B54D228927B115498767241EC16B1D8\SourceList\Media
  Set value (str) Products\5B54D228927B115498767241EC16B1D8\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Downloaded Installations\\{8ABAFFAE-08EC-4056-8F65-9444FB66B496}\\"
  Set value (data) Assemblies\C:|Program Files (x86)|MCCToolChestPE|MCCToolChestPE.exe\NBTModel,Version="1.1.0.0",Culture="neutral",FileVersion="1.1.0.0",ProcessorArchitecture="MSIL" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e005200780046006f0071005a004900750076002a004d0027006c004a0030004e004f0052005e005e0000000000
  Set value (int) Products\5B54D228927B115498767241EC16B1D8\AdvertiseFlags = "388"
  Set value (data) Products\5B54D228927B115498767241EC16B1D8\Clients = 3a0000000000
  Set value (data) Assemblies\C:|Program Files (x86)|MCCToolChestPE|MCCToolChestPE.exe\MCCToolChestPE,Version="0.1.1.7",Culture="neutral",FileVersion="1.0.0.0",ProcessorArchitecture="MSIL" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e00560077003f005b0042002900400027005600410054004300540045005d002a0037004a003800370000000000
  Set value (str) Products\5B54D228927B115498767241EC16B1D8\SourceList\PackageName = "MCC Tool Chest PE.msi"
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 876, Process msiexec.exe (reported twice)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 1772, Process MSIEXEC.EXE (31 token entries, in the order reported): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 876, Process msiexec.exe (33 token entries): SeSecurityPrivilege once, and SeRestorePrivilege followed by SeTakeOwnershipPrivilege repeated 16 times each
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1772, Process MSIEXEC.EXE (reported twice)
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 2016 (MCCToolChestPE_setup.exe) wrote to memory of PID 1772, procid_target 27 (7 entries)
  PID 876 (msiexec.exe) wrote to memory of PID 1224, procid_target 29 (7 entries)
  PID 772 (MCCToolChestPE.exe) wrote to memory of PID 628, procid_target 32 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\MCCToolChestPE_setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MCCToolChestPE_setup.exe"
  PID: 2016
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\MSIEXEC.EXE
    Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{8ABAFFAE-08EC-4056-8F65-9444FB66B496}\MCC Tool Chest PE.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="MCCToolChestPE_setup.exe"
    PID: 1772
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 876
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B7D0DC99DBBA595624E915129F575149
    PID: 1224
    - Loads dropped DLL
- C:\Program Files (x86)\MCCToolChestPE\MCCToolChestPE.exe
  Command line: "C:\Program Files (x86)\MCCToolChestPE\MCCToolChestPE.exe"
  PID: 772
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 772 -s 1004
    PID: 628
    - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 17KB
  MD5: 66a4c5d2d6795b8ba8d9faa4006b5f4a
  SHA1: 4413b8036cc6eaeb427b7d2f769ac686938f9dc7
  SHA256: 7442341d83af55ff9f4de3950be200528d67edb6c1382a4af5da720e899503d4
  SHA512: 4558e09dc1d742d162c78ab3ee342a984fae0be7002af15531570b8639051342b88414aa4ed8498cb19103220354ae423d88eed0a6ff4a6e32a56d71c9bd3001
- Filesize: 2.6MB
  MD5: 49b1f0e4f0b4805e82b00af69154b3d6
  SHA1: 2a822a891639765047d538e0da06627288feef93
  SHA256: 56b27d300f8f5dadcdad3c52c0914231c55f5515e1d4b5062157a35fac8a7d49
  SHA512: 2084b592e21e5b0d547fc55f3436fc510608a311c7b350be52ce64bac91f06a7a691994dc630c0beec7c047b11f0cd0c9d211afd4be57214e9738cb3f1a1b8b4
- Filesize: 4KB
  MD5: 93fa874786e0664e83e5f5f281c9450b
  SHA1: 3b18fcf0e29b37fbb36ab1cbae38cb195767ea6e
  SHA256: 006e8c9344fd0ebd775c9b6aaf62ce03fb5eb732ee7ac9bfa471b5b548dcf711
  SHA512: ff77212a07b19a8a7318e00bd4867fe36c3d01193fe43d15c5716186110453fd76be4cd6d27f17f4edcec1d11531d29d95bf43470a247bf37c8533fbbb2789a6
- Filesize: 332KB
  MD5: 3d72c6fe50394518ffc0d456db590d77
  SHA1: 8607f4607ed85fc907cd5f7a284f393f5e73a0ae
  SHA256: 65c7848bf1ae76538302be55b45ab5ed71c28cd31c3097c86998646babbff046
  SHA512: bf760f17c42792e04bf3ff51eba40c242656f3cc9308f86bd499093c5bd9e7697e786eee5daf2813701015d360c4e58987d92660455f719befe7ea8d85967d99
- Filesize: 58KB
  MD5: ba41b85b57019ffe634219abe174997c
  SHA1: fad7871754efb1099655f5cb125849f297ae2b97
  SHA256: 9d069e0622a7f000557668517b80845386ad426f7617d12eb06f952f9a4e2841
  SHA512: 08a23546b8264e958be0cc6cd3b2ab86177f0eb9376d7ab525ce9d82a63ea2b4c373436375782f322c71fdb003729d554547a99f878d389d8ecb411d6185c1f9
- Filesize: 363KB
  MD5: 7a51e950f86cb07b9f1c71bba26a302d
  SHA1: f5a7da3c0c3240c9f57bd0fc516d78615dff3f62
  SHA256: 7fc98ca281c83cbeae3ca37565070c1345b7e8e9a4f17c56073ec51a1288532f
  SHA512: 0bc44361ac7c5e70b46f77dd848c18ebaed44cf0b5c68f748cc0fe31d8b79ee04d21780e387af5fb11aa89dfb8a69657fe57bb53bfc6013e24820289bfd8017c
- C:\Users\Admin\AppData\Local\Downloaded Installations\{8ABAFFAE-08EC-4056-8F65-9444FB66B496}\MCC Tool Chest PE.msi
  Filesize: 6.7MB
  MD5: 074d2f15bb96df82ea1fb6367fe1f59e
  SHA1: 460fe98e626cb5fa709bd2b4a3bda14e572ac087
  SHA256: a33ffdb27a9d8e358e1d16c8bbf76e80bddfe613f24601938fb62136878c13c6
  SHA512: 935349b34a9e919def7d2a8810c9f2b54f9aa3d79a39649a8033cbdb9eb44fac08b4e87f5a5a93fba1c2312cdfe7a8916410adde567a6dcb3c6baf7395e71096
- Filesize: 21KB
  MD5: 8586214463bd73e1c2716113e5bd3e13
  SHA1: f02e3a76fd177964a846d4aa0a23f738178db2be
  SHA256: 089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54
  SHA512: 309200f38d0e29c9aaa99bb6d95f4347f8a8c320eb65742e7c539246ad9b759608bd5151d1c5d1d05888979daa38f2b6c3bf492588b212b583b8adbe81fa161b
- Filesize: 20B
  MD5: db9af7503f195df96593ac42d5519075
  SHA1: 1b487531bad10f77750b8a50aca48593379e5f56
  SHA256: 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
  SHA512: 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b
- Filesize: 5KB
  MD5: 8d3f2e929678b79b1ed7be4f55e9da08
  SHA1: 4e0fdd92a3111f83e09d85f1ed3d747476a73044
  SHA256: 49b323662e5e19e1fdc1aff722209d31e65d101de5d2c94073dcdb096398b697
  SHA512: e059bf8fa57884c57e2fa0b717f3b275fb847ef57cf4ff41f3731a9ee78b43e9ab87829e9ef4a94dd466c4c851a6037895b5aaff140c3a8ae59dcae8edbd355c
- Filesize: 105KB
  MD5: 29e4cb02681bf0780985a429b48903ca
  SHA1: 474acf63ad259fa06164916259a40ffe8909f622
  SHA256: 3dd81287d4318c25ed9f0afa740c3ca59b746d9a587735e1e33107c14e1b40e0
  SHA512: 5c491bf4357bb1cee86ff0eb9662f6046c32b7e8b8fb406f12e4f866885a25994c34e8f46315f98f116be27a6a7a06c21ca52b030aacb1c1216910ac339500a1
- C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\NewShortcut11_359A1342722A4A9DA4B66D8A04498DA7.exe
  Filesize: 420KB
  MD5: d2ec0df6505475d81c2f14195d8c2691
  SHA1: dcee54e61a1f5f4d3332fb5a0cb6e7d0736f56f5
  SHA256: ac5165771b8f8b6f941fa24e25420419fb6c15f7ac75b63c5917f4067ab94bc4
  SHA512: 99254efca91a0f39f0f83f170f25f650be89c8475be80722a47233c3a0ab3733bcb85277d75d05fb837e678c5aa6b2b7357321330686416be4ddb81a33da6dc5