2f02500ad7fa0ab1e3062056fcd6a46e5d266b8ee3210b655cb01cf2d57d2ff3

Analysis

max time kernel
81s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2023, 23:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MCCToolChestPE_setup.exe
Size

6.2MB
MD5

e5c04e6cb730a48c6a1b58d2fd1d629a
SHA1

e2afe69db249211dc52c0d1b5eb80e822403730a
SHA256

2f02500ad7fa0ab1e3062056fcd6a46e5d266b8ee3210b655cb01cf2d57d2ff3
SHA512

b657a9f3676ae568add200c88b4390abc7f5eea65635387447b861fe942e567c455fd39675d1e9ca25aa5236313a93fa2832457b1fdbf74a129f38ff434747d0
SSDEEP

196608:Ulq+1Ns/OYAghysoBQ4i5GuwIAmQChv3c:gxghyH25AFoE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1928	MCCToolChestPE.exe

Loads dropped DLL 1 IoCs

pid	Process
4068	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MCCToolChestPE\support\Beds.png	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\Substrate.dll	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\XboxChest.ico	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\leveldb_LICENSE.txt	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\support\BannerPatterns.png	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\support\mobs.png	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\LevelDB-MCPE-32.dll	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\support\Skulls.png	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\support\BlockID.json	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\Interop.PortableDeviceApiLib.dll	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\NAppUpdate.Framework.dll	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\support\items.txt	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\MCCToolChestPE.exe.config	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\LevelDB-MCPE-64.dll	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\License.txt	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\NBTExplorer_LICENSE.txt	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\support\blocks.png	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\support\Copy of items.txt	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\support\items.png	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\MCCToolChestPE.exe	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\ClearScript.dll	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\Interop.PortableDeviceTypesLib.dll	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\NBTExplorerWrapper.dll	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\NBTModel.dll	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\support\blocks.txt	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\support\blocks.json	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\FastColoredTextBox.dll	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\support\professions.png	msiexec.exe
File created	C:\Program Files (x86)\MCCToolChestPE\support\blockStates.json	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e56ad2d.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{822D45B5-B729-4511-8967-2714CE611B8D}	msiexec.exe
File created	C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\NewShortcut11_359A1342722A4A9DA4B66D8A04498DA7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\NewShortcut11_359A1342722A4A9DA4B66D8A04498DA7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\NewShortcut111_DAC57BF2C49E41C2BBFDF8CEDD876154.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB1D1.tmp	msiexec.exe
File created	C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\UNINST_Uninstall_M_EF66624CBFDE44758725E543AE623984.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\UNINST_Uninstall_M_EF66624CBFDE44758725E543AE623984.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e56ad2d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF6F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\NewShortcut1_21B1AF1EAD27490E8F54A4506A2F26FE.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\NewShortcut1_21B1AF1EAD27490E8F54A4506A2F26FE.exe	msiexec.exe
File created	C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\NewShortcut111_DAC57BF2C49E41C2BBFDF8CEDD876154.exe	msiexec.exe
File created	C:\Windows\Installer\e56ad2f.msi	msiexec.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|MCCToolChestPE\|MCCToolChestPE.exe\NBTModel,Version="1.1.0.0",Culture="neutral",FileVersion="1.1.0.0",ProcessorArchitecture="MSIL" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e005200780046006f0071005a004900750076002a004d0027006c004a0030004e004f0052005e005e0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\ProductIcon = "C:\\Windows\\Installer\\{822D45B5-B729-4511-8967-2714CE611B8D}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Downloaded Installations\\{8ABAFFAE-08EC-4056-8F65-9444FB66B496}\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5FBC63902C462FB498C56BA03F0956D5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|MCCToolChestPE\|MCCToolChestPE.exe\FastColoredTextBox,Version="2.16.24.0",Culture="neutral",FileVersion="2.16.24.0",ProcessorArchitecture="MSIL",PublicKeyToken="FB8AA12B994EF61B" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e00600040004e004300500027004b002d004b004c00270045004f0054005f00550043004b005a005a0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|MCCToolChestPE\|MCCToolChestPE.exe\Substrate,Version="1.3.8.0",Culture="neutral",FileVersion="1.3.8.0",ProcessorArchitecture="MSIL" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e00480031002a002d006500340053006d00460032006d0059005d00730048004c00300049007200510000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B54D228927B115498767241EC16B1D8\AlwaysInstall	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\ProductName = "MCC Tool Chest PE"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\Assignment = "1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|MCCToolChestPE\|MCCToolChestPE.exe\NBTExplorerWrapper,Version="1.0.0.0",Culture="neutral",FileVersion="1.0.0.0",ProcessorArchitecture="MSIL" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e0026002700650068006f005800370079002b007a0074006b00450054007300470066007a005100730000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\PackageCode = "EAFFABA8CE806504F8564944BF664B69"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5FBC63902C462FB498C56BA03F0956D5\5B54D228927B115498767241EC16B1D8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\SourceList\PackageName = "MCC Tool Chest PE.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|MCCToolChestPE\|MCCToolChestPE.exe\NAppUpdate.Framework,Version="0.1.0.0",Culture="neutral",FileVersion="0.1.0.0",ProcessorArchitecture="MSIL",PublicKeyToken="D1F1D1F19F9E5A56" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e005d007100520065006f005a0028002d0065002b00440063006a0026002a0046003d0025005100400000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Downloaded Installations\\{8ABAFFAE-08EC-4056-8F65-9444FB66B496}\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|MCCToolChestPE\|MCCToolChestPE.exe\Interop.PortableDeviceApiLib,Version="1.0.0.0",Culture="neutral",FileVersion="1.0.0.0",ProcessorArchitecture="MSIL" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e004f00440060005d00270045006e006e0037003f004100760066002a0046004500670043003800240000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B54D228927B115498767241EC16B1D8	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\Version = "100"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B54D228927B115498767241EC16B1D8\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|MCCToolChestPE\|MCCToolChestPE.exe	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|MCCToolChestPE\|MCCToolChestPE.exe\MCCToolChestPE,Version="0.1.1.7",Culture="neutral",FileVersion="1.0.0.0",ProcessorArchitecture="MSIL" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e00560077003f005b0042002900400027005600410054004300540045005d002a0037004a003800370000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|MCCToolChestPE\|MCCToolChestPE.exe\ClearScript,Version="5.6.0.0",Culture="neutral",FileVersion="5.6.0.0",ProcessorArchitecture="MSIL",PublicKeyToken="31BF3856AD364E35" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e00470040002b00570048006b00260037003d00390029002a002700590061004b00720049007e00710000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|MCCToolChestPE\|MCCToolChestPE.exe\Interop.PortableDeviceTypesLib,Version="1.0.0.0",Culture="neutral",FileVersion="1.0.0.0",ProcessorArchitecture="MSIL" = 21004d0040007000510060002100750034003d0054005600590050002900560043007400450055003e0060002c00490031005b00380038002e0059006b0079005d005f0035004d0059002e007b005b00370000000000	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4444	msiexec.exe
4444	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4876	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4876	MSIEXEC.EXE
Token: SeSecurityPrivilege	4444	msiexec.exe
Token: SeCreateTokenPrivilege	4876	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4876	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4876	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4876	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4876	MSIEXEC.EXE
Token: SeTcbPrivilege	4876	MSIEXEC.EXE
Token: SeSecurityPrivilege	4876	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4876	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4876	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4876	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4876	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4876	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4876	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4876	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4876	MSIEXEC.EXE
Token: SeBackupPrivilege	4876	MSIEXEC.EXE
Token: SeRestorePrivilege	4876	MSIEXEC.EXE
Token: SeShutdownPrivilege	4876	MSIEXEC.EXE
Token: SeDebugPrivilege	4876	MSIEXEC.EXE
Token: SeAuditPrivilege	4876	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4876	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4876	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4876	MSIEXEC.EXE
Token: SeUndockPrivilege	4876	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4876	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4876	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4876	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4876	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4876	MSIEXEC.EXE
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4876	MSIEXEC.EXE
4876	MSIEXEC.EXE
1928	MCCToolChestPE.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 4876	4572	MCCToolChestPE_setup.exe	87
PID 4572 wrote to memory of 4876	4572	MCCToolChestPE_setup.exe	87
PID 4572 wrote to memory of 4876	4572	MCCToolChestPE_setup.exe	87
PID 4444 wrote to memory of 4068	4444	msiexec.exe	93
PID 4444 wrote to memory of 4068	4444	msiexec.exe	93
PID 4444 wrote to memory of 4068	4444	msiexec.exe	93

C:\Users\Admin\AppData\Local\Temp\MCCToolChestPE_setup.exe
"C:\Users\Admin\AppData\Local\Temp\MCCToolChestPE_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{8ABAFFAE-08EC-4056-8F65-9444FB66B496}\MCC Tool Chest PE.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="MCCToolChestPE_setup.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4876

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6C8641057BD79BBE44F9715BFC276EEB
  2⤵
  - Loads dropped DLL
  PID:4068

C:\Program Files (x86)\MCCToolChestPE\MCCToolChestPE.exe
"C:\Program Files (x86)\MCCToolChestPE\MCCToolChestPE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e56ad2e.rbs

Filesize
18KB

MD5
5f41e45cf6adeb113f0cf3a7f1e7ec94

SHA1
15c4d3ce22dd0ef9068a5c76a750512f4a15c3ac

SHA256
1a284af839597f3cd9e4f1f30239b672a8f8bcb86d472a5c973a5e6b2dfaa166

SHA512
1ffa49abe37ae05ab113bbeaf5c5f39609d7e7798ad432f070922d12b71dbb6e1529a106dd8060490adec53f9fcd9c797462c7db598ce9d3034c230530450957

Download Submit
C:\Program Files (x86)\MCCToolChestPE\MCCToolChestPE.exe

Filesize
2.6MB

MD5
49b1f0e4f0b4805e82b00af69154b3d6

SHA1
2a822a891639765047d538e0da06627288feef93

SHA256
56b27d300f8f5dadcdad3c52c0914231c55f5515e1d4b5062157a35fac8a7d49

SHA512
2084b592e21e5b0d547fc55f3436fc510608a311c7b350be52ce64bac91f06a7a691994dc630c0beec7c047b11f0cd0c9d211afd4be57214e9738cb3f1a1b8b4

Download Submit
C:\Program Files (x86)\MCCToolChestPE\MCCToolChestPE.exe

Filesize
2.6MB

MD5
49b1f0e4f0b4805e82b00af69154b3d6

SHA1
2a822a891639765047d538e0da06627288feef93

SHA256
56b27d300f8f5dadcdad3c52c0914231c55f5515e1d4b5062157a35fac8a7d49

SHA512
2084b592e21e5b0d547fc55f3436fc510608a311c7b350be52ce64bac91f06a7a691994dc630c0beec7c047b11f0cd0c9d211afd4be57214e9738cb3f1a1b8b4

Download Submit
C:\Program Files (x86)\MCCToolChestPE\MCCToolChestPE.exe.config

Filesize
4KB

MD5
93fa874786e0664e83e5f5f281c9450b

SHA1
3b18fcf0e29b37fbb36ab1cbae38cb195767ea6e

SHA256
006e8c9344fd0ebd775c9b6aaf62ce03fb5eb732ee7ac9bfa471b5b548dcf711

SHA512
ff77212a07b19a8a7318e00bd4867fe36c3d01193fe43d15c5716186110453fd76be4cd6d27f17f4edcec1d11531d29d95bf43470a247bf37c8533fbbb2789a6

Download Submit
C:\Program Files (x86)\MCCToolChestPE\NAppUpdate.Framework.dll

Filesize
135KB

MD5
0fd6e3e85e33fea4b8d80a614392fd1a

SHA1
dde9e9c48af8bc5031adeb01fc78ced2a2b05097

SHA256
ca1a7add02934085df122d125db1a8819a4d9ccbaaf7ed01aefde6d49ec5c79a

SHA512
fbef8cbb2deee7eed6e3a977071556c396ee6cbfd98cdc1bb9e73ef96886af1084b99e04b9b636431b120dcdbbc6fb18c6660a6b9e18c8e2b160862283c008bc

Download Submit
C:\Program Files (x86)\MCCToolChestPE\NBTExplorerWrapper.dll

Filesize
332KB

MD5
3d72c6fe50394518ffc0d456db590d77

SHA1
8607f4607ed85fc907cd5f7a284f393f5e73a0ae

SHA256
65c7848bf1ae76538302be55b45ab5ed71c28cd31c3097c86998646babbff046

SHA512
bf760f17c42792e04bf3ff51eba40c242656f3cc9308f86bd499093c5bd9e7697e786eee5daf2813701015d360c4e58987d92660455f719befe7ea8d85967d99

Download Submit
C:\Program Files (x86)\MCCToolChestPE\NBTModel.dll

Filesize
58KB

MD5
ba41b85b57019ffe634219abe174997c

SHA1
fad7871754efb1099655f5cb125849f297ae2b97

SHA256
9d069e0622a7f000557668517b80845386ad426f7617d12eb06f952f9a4e2841

SHA512
08a23546b8264e958be0cc6cd3b2ab86177f0eb9376d7ab525ce9d82a63ea2b4c373436375782f322c71fdb003729d554547a99f878d389d8ecb411d6185c1f9

Download Submit
C:\Program Files (x86)\MCCToolChestPE\Substrate.dll

Filesize
363KB

MD5
7a51e950f86cb07b9f1c71bba26a302d

SHA1
f5a7da3c0c3240c9f57bd0fc516d78615dff3f62

SHA256
7fc98ca281c83cbeae3ca37565070c1345b7e8e9a4f17c56073ec51a1288532f

SHA512
0bc44361ac7c5e70b46f77dd848c18ebaed44cf0b5c68f748cc0fe31d8b79ee04d21780e387af5fb11aa89dfb8a69657fe57bb53bfc6013e24820289bfd8017c

Download Submit
C:\Program Files (x86)\MCCToolChestPE\support\blockStates.json

Filesize
116KB

MD5
6c7f6fe66373b269e8983a6695c23450

SHA1
fa414a3bafcae7683792cbd5d00bc9ef476ec989

SHA256
fa30433d062ae89fe0723c7637d91118fc458d8bbd13683f83550c497090853a

SHA512
ae89740b0cf08d3fa010c09ed2a17010646899d5213e2829441e460d1994b590633a66c6153557d862e193a4ab3b413d50d20090c7c3cec79e54694ca0d630e8

Download Submit
C:\Program Files (x86)\MCCToolChestPE\support\blocks.json

Filesize
408KB

MD5
4adba6953aa90860d39657667936378e

SHA1
3a51c1366296fc32009d455c2909ad7a692c4e3d

SHA256
2a16db799ce5c1be4012951990455974391cbf9e3e95e1a604ac9dbf61fffa34

SHA512
9f8507557f0f0cde15e384d0fb4c795f9990a0c2e5e56a94fdc6dc218be26c08cea08f5180626a309e1106dc9a2289c84911a3e7f96683a9e302720ce56e631c

Download Submit
C:\Program Files (x86)\MCCToolChestPE\support\blocks.png

Filesize
1.4MB

MD5
9261f22950d7efe248e69b4e20b3fe2a

SHA1
ae8b1ddb612c438ca756125d78d8ea84c0b64301

SHA256
81ed8d28a067bbc556dd318dd12ca50152c71f5660bc982e35e6147d652f6ec9

SHA512
8784b3173a09a49a84d37feebb88f75f647827172a5a7fecf0ede01ce2329c97663edd3aae519f9bdeb25b1c160161eef695c943be3d546316cce69f4274f136

Download Submit
C:\Program Files (x86)\MCCToolChestPE\support\blocks.txt

Filesize
30KB

MD5
c3ce9ffb792bceb5eade863c6caca433

SHA1
774199da3ae748a085fc636c418beff4123861b8

SHA256
50cf29fd3bccda2e7f5383363b81c7c8c797a575e459d4e32fe026602a039bc6

SHA512
e564efc642739dc6a173ab81a50f98241c61baeeed78c3df3636f9634ffe50c879c267843945bfa2450cd430c9d8e31023e1444169dbc04472a862457a508102

Download Submit
C:\Program Files (x86)\MCCToolChestPE\support\mobs.png

Filesize
21KB

MD5
04404296d9457c1a244ad57a98e71517

SHA1
37276cec9c9394c0b799e8e2ab57713c40b18425

SHA256
7efd1077e63d131cf00dfe03aaf95b9d1e6badbaf8fda6ef4201e40eab3af75d

SHA512
82065d3981fd35ab002df7b4d3440ad0d74390d52b358e2bae94c18c4038c78a51264b132590b81b2a15ab7384970efead8cfccc89f5aa1612d16d536a9a4f71

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installations\{8ABAFFAE-08EC-4056-8F65-9444FB66B496}\MCC Tool Chest PE.msi

Filesize
6.7MB

MD5
074d2f15bb96df82ea1fb6367fe1f59e

SHA1
460fe98e626cb5fa709bd2b4a3bda14e572ac087

SHA256
a33ffdb27a9d8e358e1d16c8bbf76e80bddfe613f24601938fb62136878c13c6

SHA512
935349b34a9e919def7d2a8810c9f2b54f9aa3d79a39649a8033cbdb9eb44fac08b4e87f5a5a93fba1c2312cdfe7a8916410adde567a6dcb3c6baf7395e71096

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installations\{8ABAFFAE-08EC-4056-8F65-9444FB66B496}\MCC Tool Chest PE.msi

Filesize
6.7MB

MD5
074d2f15bb96df82ea1fb6367fe1f59e

SHA1
460fe98e626cb5fa709bd2b4a3bda14e572ac087

SHA256
a33ffdb27a9d8e358e1d16c8bbf76e80bddfe613f24601938fb62136878c13c6

SHA512
935349b34a9e919def7d2a8810c9f2b54f9aa3d79a39649a8033cbdb9eb44fac08b4e87f5a5a93fba1c2312cdfe7a8916410adde567a6dcb3c6baf7395e71096

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4C79B199-E083-4FB9-BB5E-80E03FB06DA5}\0x0409.ini

Filesize
21KB

MD5
8586214463bd73e1c2716113e5bd3e13

SHA1
f02e3a76fd177964a846d4aa0a23f738178db2be

SHA256
089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54

SHA512
309200f38d0e29c9aaa99bb6d95f4347f8a8c320eb65742e7c539246ad9b759608bd5151d1c5d1d05888979daa38f2b6c3bf492588b212b583b8adbe81fa161b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4C79B199-E083-4FB9-BB5E-80E03FB06DA5}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~72A4.tmp

Filesize
5KB

MD5
8d3f2e929678b79b1ed7be4f55e9da08

SHA1
4e0fdd92a3111f83e09d85f1ed3d747476a73044

SHA256
49b323662e5e19e1fdc1aff722209d31e65d101de5d2c94073dcdb096398b697

SHA512
e059bf8fa57884c57e2fa0b717f3b275fb847ef57cf4ff41f3731a9ee78b43e9ab87829e9ef4a94dd466c4c851a6037895b5aaff140c3a8ae59dcae8edbd355c

Download Submit
C:\Windows\Installer\MSIAF6F.tmp

Filesize
105KB

MD5
29e4cb02681bf0780985a429b48903ca

SHA1
474acf63ad259fa06164916259a40ffe8909f622

SHA256
3dd81287d4318c25ed9f0afa740c3ca59b746d9a587735e1e33107c14e1b40e0

SHA512
5c491bf4357bb1cee86ff0eb9662f6046c32b7e8b8fb406f12e4f866885a25994c34e8f46315f98f116be27a6a7a06c21ca52b030aacb1c1216910ac339500a1

Download Submit
C:\Windows\Installer\MSIAF6F.tmp

Filesize
105KB

MD5
29e4cb02681bf0780985a429b48903ca

SHA1
474acf63ad259fa06164916259a40ffe8909f622

SHA256
3dd81287d4318c25ed9f0afa740c3ca59b746d9a587735e1e33107c14e1b40e0

SHA512
5c491bf4357bb1cee86ff0eb9662f6046c32b7e8b8fb406f12e4f866885a25994c34e8f46315f98f116be27a6a7a06c21ca52b030aacb1c1216910ac339500a1

Download Submit
C:\Windows\Installer\{822D45B5-B729-4511-8967-2714CE611B8D}\NewShortcut11_359A1342722A4A9DA4B66D8A04498DA7.exe

Filesize
420KB

MD5
d2ec0df6505475d81c2f14195d8c2691

SHA1
dcee54e61a1f5f4d3332fb5a0cb6e7d0736f56f5

SHA256
ac5165771b8f8b6f941fa24e25420419fb6c15f7ac75b63c5917f4067ab94bc4

SHA512
99254efca91a0f39f0f83f170f25f650be89c8475be80722a47233c3a0ab3733bcb85277d75d05fb837e678c5aa6b2b7357321330686416be4ddb81a33da6dc5

Download Submit
memory/1928-292-0x0000029664780000-0x00000296647BC000-memory.dmp

Filesize
240KB

Download
memory/1928-269-0x0000029664A60000-0x0000029664A74000-memory.dmp

Filesize
80KB

Download
memory/1928-278-0x00000296621B0000-0x00000296621C0000-memory.dmp

Filesize
64KB

Download
memory/1928-276-0x00000296621B0000-0x00000296621C0000-memory.dmp

Filesize
64KB

Download
memory/1928-291-0x0000029664720000-0x0000029664732000-memory.dmp

Filesize
72KB

Download
memory/1928-262-0x0000029647A80000-0x0000029647D20000-memory.dmp

Filesize
2.6MB

Download
memory/1928-293-0x00000296621B0000-0x00000296621C0000-memory.dmp

Filesize
64KB

Download
memory/1928-275-0x00000296621B0000-0x00000296621C0000-memory.dmp

Filesize
64KB

Download
memory/1928-271-0x0000029664AF0000-0x0000029664B52000-memory.dmp

Filesize
392KB

Download
memory/1928-277-0x00000296621B0000-0x00000296621C0000-memory.dmp

Filesize
64KB

Download
memory/1928-267-0x00000296621B0000-0x00000296621C0000-memory.dmp

Filesize
64KB

Download
memory/1928-264-0x00000296620C0000-0x000002966211A000-memory.dmp

Filesize
360KB

Download
memory/1928-304-0x0000029664820000-0x0000029664848000-memory.dmp

Filesize
160KB

Download
memory/1928-309-0x00000296621B0000-0x00000296621C0000-memory.dmp

Filesize
64KB

Download
memory/1928-310-0x00000296621B0000-0x00000296621C0000-memory.dmp

Filesize
64KB

Download
memory/1928-311-0x00000296621B0000-0x00000296621C0000-memory.dmp

Filesize
64KB

Download
memory/1928-312-0x00000296621B0000-0x00000296621C0000-memory.dmp

Filesize
64KB

Download
memory/1928-313-0x00000296621B0000-0x00000296621C0000-memory.dmp

Filesize
64KB

Download
memory/1928-314-0x00000296621B0000-0x00000296621C0000-memory.dmp

Filesize
64KB

Download