Analysis

  • max time kernel
    86s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/05/2023, 23:46

General

  • Target

    MCCToolChestPE_setup.exe

  • Size

    6.2MB

  • MD5

    e5c04e6cb730a48c6a1b58d2fd1d629a

  • SHA1

    e2afe69db249211dc52c0d1b5eb80e822403730a

  • SHA256

    2f02500ad7fa0ab1e3062056fcd6a46e5d266b8ee3210b655cb01cf2d57d2ff3

  • SHA512

    b657a9f3676ae568add200c88b4390abc7f5eea65635387447b861fe942e567c455fd39675d1e9ca25aa5236313a93fa2832457b1fdbf74a129f38ff434747d0

  • SSDEEP

    196608:Ulq+1Ns/OYAghysoBQ4i5GuwIAmQChv3c:gxghyH25AFoE

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 29 IoCs
  • Drops file in Windows directory 18 IoCs
  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MCCToolChestPE_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\MCCToolChestPE_setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\MSIEXEC.EXE
      MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{8ABAFFAE-08EC-4056-8F65-9444FB66B496}\MCC Tool Chest PE.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="MCCToolChestPE_setup.exe"
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1772
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B7D0DC99DBBA595624E915129F575149
      2⤵
      • Loads dropped DLL
      PID:1224
  • C:\Program Files (x86)\MCCToolChestPE\MCCToolChestPE.exe
    "C:\Program Files (x86)\MCCToolChestPE\MCCToolChestPE.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 772 -s 1004
      2⤵
      • Program crash
      PID:628

Network

        Downloads

        • C:\Config.Msi\6c7d1f.rbs

          Filesize

          17KB

          MD5

          66a4c5d2d6795b8ba8d9faa4006b5f4a

          SHA1

          4413b8036cc6eaeb427b7d2f769ac686938f9dc7

          SHA256

          7442341d83af55ff9f4de3950be200528d67edb6c1382a4af5da720e899503d4

          SHA512

          4558e09dc1d742d162c78ab3ee342a984fae0be7002af15531570b8639051342b88414aa4ed8498cb19103220354ae423d88eed0a6ff4a6e32a56d71c9bd3001

        • C:\Program Files (x86)\MCCToolChestPE\MCCToolChestPE.exe

          Filesize

          2.6MB

          MD5

          49b1f0e4f0b4805e82b00af69154b3d6

          SHA1

          2a822a891639765047d538e0da06627288feef93

          SHA256

          56b27d300f8f5dadcdad3c52c0914231c55f5515e1d4b5062157a35fac8a7d49

          SHA512

          2084b592e21e5b0d547fc55f3436fc510608a311c7b350be52ce64bac91f06a7a691994dc630c0beec7c047b11f0cd0c9d211afd4be57214e9738cb3f1a1b8b4

        • C:\Program Files (x86)\MCCToolChestPE\MCCToolChestPE.exe.config

          Filesize

          4KB

          MD5

          93fa874786e0664e83e5f5f281c9450b

          SHA1

          3b18fcf0e29b37fbb36ab1cbae38cb195767ea6e

          SHA256

          006e8c9344fd0ebd775c9b6aaf62ce03fb5eb732ee7ac9bfa471b5b548dcf711

          SHA512

          ff77212a07b19a8a7318e00bd4867fe36c3d01193fe43d15c5716186110453fd76be4cd6d27f17f4edcec1d11531d29d95bf43470a247bf37c8533fbbb2789a6

        • C:\Program Files (x86)\MCCToolChestPE\NBTExplorerWrapper.dll

          Filesize

          332KB

          MD5

          3d72c6fe50394518ffc0d456db590d77

          SHA1

          8607f4607ed85fc907cd5f7a284f393f5e73a0ae

          SHA256

          65c7848bf1ae76538302be55b45ab5ed71c28cd31c3097c86998646babbff046

          SHA512

          bf760f17c42792e04bf3ff51eba40c242656f3cc9308f86bd499093c5bd9e7697e786eee5daf2813701015d360c4e58987d92660455f719befe7ea8d85967d99

        • C:\Program Files (x86)\MCCToolChestPE\NBTModel.dll

          Filesize

          58KB

          MD5

          ba41b85b57019ffe634219abe174997c

          SHA1

          fad7871754efb1099655f5cb125849f297ae2b97

          SHA256

          9d069e0622a7f000557668517b80845386ad426f7617d12eb06f952f9a4e2841

          SHA512

          08a23546b8264e958be0cc6cd3b2ab86177f0eb9376d7ab525ce9d82a63ea2b4c373436375782f322c71fdb003729d554547a99f878d389d8ecb411d6185c1f9

        • C:\Program Files (x86)\MCCToolChestPE\Substrate.dll

          Filesize

          363KB

          MD5

          7a51e950f86cb07b9f1c71bba26a302d

          SHA1

          f5a7da3c0c3240c9f57bd0fc516d78615dff3f62

          SHA256

          7fc98ca281c83cbeae3ca37565070c1345b7e8e9a4f17c56073ec51a1288532f

          SHA512

          0bc44361ac7c5e70b46f77dd848c18ebaed44cf0b5c68f748cc0fe31d8b79ee04d21780e387af5fb11aa89dfb8a69657fe57bb53bfc6013e24820289bfd8017c

        • C:\Users\Admin\AppData\Local\Downloaded Installations\{8ABAFFAE-08EC-4056-8F65-9444FB66B496}\MCC Tool Chest PE.msi

          Filesize

          6.7MB

          MD5

          074d2f15bb96df82ea1fb6367fe1f59e

          SHA1

          460fe98e626cb5fa709bd2b4a3bda14e572ac087

          SHA256

          a33ffdb27a9d8e358e1d16c8bbf76e80bddfe613f24601938fb62136878c13c6

          SHA512

          935349b34a9e919def7d2a8810c9f2b54f9aa3d79a39649a8033cbdb9eb44fac08b4e87f5a5a93fba1c2312cdfe7a8916410adde567a6dcb3c6baf7395e71096

        • C:\Users\Admin\AppData\Local\Temp\{44F4133D-DBD3-4CD8-845C-621D6269514B}\0x0409.ini

          Filesize

          21KB

          MD5

          8586214463bd73e1c2716113e5bd3e13

          SHA1

          f02e3a76fd177964a846d4aa0a23f738178db2be

          SHA256

          089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54

          SHA512

          309200f38d0e29c9aaa99bb6d95f4347f8a8c320eb65742e7c539246ad9b759608bd5151d1c5d1d05888979daa38f2b6c3bf492588b212b583b8adbe81fa161b

        • C:\Users\Admin\AppData\Local\Temp\{44F4133D-DBD3-4CD8-845C-621D6269514B}\_ISMSIDEL.INI

          Filesize

          20B

          MD5

          db9af7503f195df96593ac42d5519075

          SHA1

          1b487531bad10f77750b8a50aca48593379e5f56

          SHA256

          0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

          SHA512

          6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

        • C:\Users\Admin\AppData\Local\Temp\~2A2D.tmp

          Filesize

          5KB

          MD5

          8d3f2e929678b79b1ed7be4f55e9da08

          SHA1

          4e0fdd92a3111f83e09d85f1ed3d747476a73044

          SHA256

          49b323662e5e19e1fdc1aff722209d31e65d101de5d2c94073dcdb096398b697

          SHA512

          e059bf8fa57884c57e2fa0b717f3b275fb847ef57cf4ff41f3731a9ee78b43e9ab87829e9ef4a94dd466c4c851a6037895b5aaff140c3a8ae59dcae8edbd355c

        • C:\Windows\Installer\MSI7E93.tmp

          Filesize

          105KB

          MD5

          29e4cb02681bf0780985a429b48903ca

          SHA1

          474acf63ad259fa06164916259a40ffe8909f622

          SHA256

          3dd81287d4318c25ed9f0afa740c3ca59b746d9a587735e1e33107c14e1b40e0

          SHA512

          5c491bf4357bb1cee86ff0eb9662f6046c32b7e8b8fb406f12e4f866885a25994c34e8f46315f98f116be27a6a7a06c21ca52b030aacb1c1216910ac339500a1

        • C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\NewShortcut11_359A1342722A4A9DA4B66D8A04498DA7.exe

          Filesize

          420KB

          MD5

          d2ec0df6505475d81c2f14195d8c2691

          SHA1

          dcee54e61a1f5f4d3332fb5a0cb6e7d0736f56f5

          SHA256

          ac5165771b8f8b6f941fa24e25420419fb6c15f7ac75b63c5917f4067ab94bc4

          SHA512

          99254efca91a0f39f0f83f170f25f650be89c8475be80722a47233c3a0ab3733bcb85277d75d05fb837e678c5aa6b2b7357321330686416be4ddb81a33da6dc5

        • \Windows\Installer\MSI7E93.tmp

          Filesize

          105KB

          MD5

          29e4cb02681bf0780985a429b48903ca

          SHA1

          474acf63ad259fa06164916259a40ffe8909f622

          SHA256

          3dd81287d4318c25ed9f0afa740c3ca59b746d9a587735e1e33107c14e1b40e0

          SHA512

          5c491bf4357bb1cee86ff0eb9662f6046c32b7e8b8fb406f12e4f866885a25994c34e8f46315f98f116be27a6a7a06c21ca52b030aacb1c1216910ac339500a1

        • memory/772-181-0x0000000000E80000-0x0000000001120000-memory.dmp

          Filesize

          2.6MB

        • memory/772-187-0x000000001B390000-0x000000001B4C4000-memory.dmp

          Filesize

          1.2MB

        • memory/772-186-0x000000001B310000-0x000000001B390000-memory.dmp

          Filesize

          512KB

        • memory/772-189-0x0000000000590000-0x00000000005A4000-memory.dmp

          Filesize

          80KB

        • memory/772-183-0x0000000000340000-0x000000000039A000-memory.dmp

          Filesize

          360KB

        • memory/772-191-0x000000001CA70000-0x000000001CAD2000-memory.dmp

          Filesize

          392KB

        • memory/772-195-0x000000001B310000-0x000000001B390000-memory.dmp

          Filesize

          512KB

        • memory/772-198-0x000000001B310000-0x000000001B390000-memory.dmp

          Filesize

          512KB

        • memory/772-199-0x000000001B310000-0x000000001B390000-memory.dmp

          Filesize

          512KB