0f1172401ee28d8bfd15ebd4818e64b6001cd38e04d81ab1d096010eba40c9dc

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

amneziawg-amd64-1.0.0.msi
Size

3.2MB
MD5

820f2d66357f5c1d986cbc1a41116d31
SHA1

afc5b70d421b55fc6500698d90f1a4b4a030ce11
SHA256

0f1172401ee28d8bfd15ebd4818e64b6001cd38e04d81ab1d096010eba40c9dc
SHA512

953cc34418782304e121213a64e6de3dc1dc67e96acaf3686f40854c42805f0e12dec8e3ef710b5f00ab195bd4bb16ff1e3ae3413872bc846a0ebbde146bfb62
SSDEEP

49152:DUqcXPxspPbZGfz2qKqmOQKsGc28k0aAfCWop2RYmVXbnD2mNoRv:wpXcDMfz2qtmOGGcjdy2OfYo

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2748	msiexec.exe
5	2748	msiexec.exe
7	2748	msiexec.exe
8	2328	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\AmneziaWG\amneziawg.exe	msiexec.exe
File created	C:\Program Files\AmneziaWG\awg.exe	msiexec.exe
File created	C:\Program Files\AmneziaWG\wintun.dll	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI1A7A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D4D.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7717e4.msi	msiexec.exe
File created	C:\Windows\Installer\f7717e5.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B69.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f7717e4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B58.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{58E70232-B95D-465F-878C-918D5D3FD706}\wireguard.ico	msiexec.exe
File created	C:\Windows\Installer\f7717e7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7717e5.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1930.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1A7B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B38.tmp	msiexec.exe
File created	C:\Windows\Installer\{58E70232-B95D-465F-878C-918D5D3FD706}\wireguard.ico	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI1960.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2644	amneziawg.exe

Loads dropped DLL 9 IoCs

pid	Process
112	MsiExec.exe
112	MsiExec.exe
112	MsiExec.exe
2632	MsiExec.exe
2632	MsiExec.exe
2632	MsiExec.exe
2328	msiexec.exe
2328	msiexec.exe
2328	msiexec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2748	msiexec.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\23207E85D59BF56478C819D8D5F37D60	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\PackageCode = "910D5D2A43999714086BB21CCD119391"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\ProductName = "AmneziaWG"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4E75B678094424449A3827E11E140BD0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4E75B678094424449A3827E11E140BD0\23207E85D59BF56478C819D8D5F37D60	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\SourceList\PackageName = "amneziawg-amd64-1.0.0.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\23207E85D59BF56478C819D8D5F37D60\WireGuardFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\ProductIcon = "C:\\Windows\\Installer\\{58E70232-B95D-465F-878C-918D5D3FD706}\\wireguard.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23207E85D59BF56478C819D8D5F37D60\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2328	msiexec.exe
2328	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2748	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2748	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeSecurityPrivilege	2328	msiexec.exe
Token: SeCreateTokenPrivilege	2748	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2748	msiexec.exe
Token: SeLockMemoryPrivilege	2748	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2748	msiexec.exe
Token: SeMachineAccountPrivilege	2748	msiexec.exe
Token: SeTcbPrivilege	2748	msiexec.exe
Token: SeSecurityPrivilege	2748	msiexec.exe
Token: SeTakeOwnershipPrivilege	2748	msiexec.exe
Token: SeLoadDriverPrivilege	2748	msiexec.exe
Token: SeSystemProfilePrivilege	2748	msiexec.exe
Token: SeSystemtimePrivilege	2748	msiexec.exe
Token: SeProfSingleProcessPrivilege	2748	msiexec.exe
Token: SeIncBasePriorityPrivilege	2748	msiexec.exe
Token: SeCreatePagefilePrivilege	2748	msiexec.exe
Token: SeCreatePermanentPrivilege	2748	msiexec.exe
Token: SeBackupPrivilege	2748	msiexec.exe
Token: SeRestorePrivilege	2748	msiexec.exe
Token: SeShutdownPrivilege	2748	msiexec.exe
Token: SeDebugPrivilege	2748	msiexec.exe
Token: SeAuditPrivilege	2748	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2748	msiexec.exe
Token: SeChangeNotifyPrivilege	2748	msiexec.exe
Token: SeRemoteShutdownPrivilege	2748	msiexec.exe
Token: SeUndockPrivilege	2748	msiexec.exe
Token: SeSyncAgentPrivilege	2748	msiexec.exe
Token: SeEnableDelegationPrivilege	2748	msiexec.exe
Token: SeManageVolumePrivilege	2748	msiexec.exe
Token: SeImpersonatePrivilege	2748	msiexec.exe
Token: SeCreateGlobalPrivilege	2748	msiexec.exe
Token: SeBackupPrivilege	1244	vssvc.exe
Token: SeRestorePrivilege	1244	vssvc.exe
Token: SeAuditPrivilege	1244	vssvc.exe
Token: SeBackupPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	1948	DrvInst.exe
Token: SeRestorePrivilege	1948	DrvInst.exe
Token: SeRestorePrivilege	1948	DrvInst.exe
Token: SeRestorePrivilege	1948	DrvInst.exe
Token: SeRestorePrivilege	1948	DrvInst.exe
Token: SeRestorePrivilege	1948	DrvInst.exe
Token: SeRestorePrivilege	1948	DrvInst.exe
Token: SeLoadDriverPrivilege	1948	DrvInst.exe
Token: SeLoadDriverPrivilege	1948	DrvInst.exe
Token: SeLoadDriverPrivilege	1948	DrvInst.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2748	msiexec.exe
2748	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 112	2328	msiexec.exe	35
PID 2328 wrote to memory of 112	2328	msiexec.exe	35
PID 2328 wrote to memory of 112	2328	msiexec.exe	35
PID 2328 wrote to memory of 112	2328	msiexec.exe	35
PID 2328 wrote to memory of 112	2328	msiexec.exe	35
PID 2328 wrote to memory of 2632	2328	msiexec.exe	36
PID 2328 wrote to memory of 2632	2328	msiexec.exe	36
PID 2328 wrote to memory of 2632	2328	msiexec.exe	36
PID 2328 wrote to memory of 2632	2328	msiexec.exe	36
PID 2328 wrote to memory of 2632	2328	msiexec.exe	36
PID 2328 wrote to memory of 2644	2328	msiexec.exe	37
PID 2328 wrote to memory of 2644	2328	msiexec.exe	37
PID 2328 wrote to memory of 2644	2328	msiexec.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\amneziawg-amd64-1.0.0.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2748

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 56B6DCDCCEF454B2468E5162C2ADC003
  2⤵
  - Loads dropped DLL
  PID:112
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 33A581F17185275724B20E491747D020 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:2632
- C:\Program Files\AmneziaWG\amneziawg.exe
  "C:\Program Files\AmneziaWG\amneziawg.exe"
  2⤵
  - Executes dropped EXE
  PID:2644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D4" "00000000000005DC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7717e6.rbs

Filesize
7KB

MD5
41346ef9fd14a7e001caeec19ee000de

SHA1
b9e4ec545e2b92a22bf75660ddc299decbd81b68

SHA256
cd5600f00b36ef1d1d64906a03579051d94ff552f9fc5408c4db3bf942eb20f3

SHA512
3f6cee0f6b3f38546853da3ca30d6cedf4dc7adbf7917302c0cb8ef4dac1c967799a61c6dedeca6ef9f8f024ca34672b439d1e665d2486c2ad8d29e8739c79e3

Download Submit
C:\Config.Msi\f7717e8.rbs

Filesize
417B

MD5
f59f6f064c41ace69942717927d97f45

SHA1
bfe85f17cc2e24a61a0755e1b8f1bdd7958a14ac

SHA256
ccbcc8bc15bcc2be10f2062600f12122147e3ec3a4829dee1d58a53d5421900e

SHA512
4f605dd0429c8184c84e8d1cfcbabd9769dc3f55cc1ceeec8e1d4048e7b995fcd95cc9c51f748c944a0e3cc5d07e588ab05d6b2667d4449894267b61080f37b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
765B

MD5
8ca89c4c44ce7a18f2fd38cc7dffa4e7

SHA1
fa36c1285bc049c697d71dd5f94bcc8fc5a3289d

SHA256
4dbdc5b97cb0ff50e6e758dd38983545bd73f1b0c1b6aac3268ff3959b94544f

SHA512
0a84354264bb33fc4fec10fe8683259a20aedcea3255fe5c70e3fb1e679434bd30929f68968341144914668a25e0dbfdef7952a6e68964e22c480897a270dc35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_94116ABD187039A686207174FF4E0089

Filesize
638B

MD5
f4b12fdaa43941da38309f51766b98c6

SHA1
4b4b38c9836b377a01657746700c35b6ac19cb0b

SHA256
ab14758aeb14bb98319e14f7fca6501c2953aceb98b4f432eb794c9c1fea867c

SHA512
23652fbb8300539b08c28bd4eb2a8f2983e688746164ca90a124a817aecd8d7b5cdc0b168220becd95cbdb97f7b780646aa7a630169fa8ea201e04931a434959

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
1KB

MD5
d3f8af8039313b70ce02f513f344a11c

SHA1
56e5fad71036ce3bdad4283059f32f1272f26a2a

SHA256
dbc0b049cc1591ac8d26845e0a626dc4e6d53fa43435bd649d5a5a1e2dd8ab2f

SHA512
8f3e4fc87018ba556052cac92280b311f7d06445bd89dccc0982800def60bc8901dba87e6b2270f1bf2d09efda5c43560cc973ba4865cb2a4562229e4904c469

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
484B

MD5
14b8ca4f85554076bb71faa54c0e016b

SHA1
0ef2643c6fc5138075cc0d662454efd5b36eaaf2

SHA256
219fc50d0506163f94273a709a2ce918c6035def1cf13d6291aead88ab4d4846

SHA512
0fcca7df73ee8341fadf22512065ef7968117a3302b55137de94bb01c0ce3bedc6fe9051de5b87f1dd933c74edff4bb79259666c0ff76e04ccfa4fb67fe93613

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b36e0f3e43ea5b88f33370a08626fe99

SHA1
aacd2b55a031e7ba6d4f257b1d7536e59a47e405

SHA256
d31e1c726e43f3abcb48f00f34570d98a3164194b0b6086525b46ae257b5ce28

SHA512
1099903502fedfeb8dc66c416505aeaad1acce4c40961c8a680c7c5b1405a78dbae451b61793fef9288d8c318ffbd7301c692e41ac973e23fbd017235b917afd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_94116ABD187039A686207174FF4E0089

Filesize
480B

MD5
9a8c20521d86b0c814bfec3b94d05e46

SHA1
c92b23df9a794d4657cfc5f16d853cf999913793

SHA256
b8d545278d5dbe0b84133311a07a9092a1dcd351210a5f7065d9a914e1bd7eb9

SHA512
79f5aefc9a2e5dea91403275b4ddc3498e2b033c6130450842f464e18213d8b199ab0174b988ff2aee7930eab219e73c644f5c1a79733ae0f40ca88151a6ba39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
482B

MD5
c2e579b35d5b0c163391a11c13148859

SHA1
bd2df0623886b4c38397567604b5bcb8ac4a4892

SHA256
0874a4111ec5100ef376cbe6a79464a136057fdc337e50ef85f569a8a80b046b

SHA512
5124661a41f6d45032583653eccf734fc636efcff837c732908d95b535cfd10835e254f13580948f68f12f6d8583912d26218628854bbbcf83278d77fe10b367

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF6B0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF6C3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Installer\MSI1930.tmp

Filesize
36KB

MD5
811cfc3e9e1df71228e30aa77ed9f718

SHA1
a12758985729c86868ed099c04ee177591e47dc7

SHA256
400f7be58edf92533c08d1e1157c6216f5e3c80054e9974c6dc0aae0a895cb3d

SHA512
14428979b51088f692241505f52d269558db65e7c7733b000dd4d744f1b71fbe9b7fae9753cb3d7047c941f1ba9f13d58e8a20b88ef784673530a19b11c40554

Download Submit
C:\Windows\Installer\f7717e4.msi

Filesize
3.2MB

MD5
820f2d66357f5c1d986cbc1a41116d31

SHA1
afc5b70d421b55fc6500698d90f1a4b4a030ce11

SHA256
0f1172401ee28d8bfd15ebd4818e64b6001cd38e04d81ab1d096010eba40c9dc

SHA512
953cc34418782304e121213a64e6de3dc1dc67e96acaf3686f40854c42805f0e12dec8e3ef710b5f00ab195bd4bb16ff1e3ae3413872bc846a0ebbde146bfb62

Download Submit
\Program Files\AmneziaWG\amneziawg.exe

Filesize
7.9MB

MD5
9c3859eba6a53e9df1d885c8147337bd

SHA1
2adb6cc21f9973f1aa7a083fe86c4b88a9a5f58c

SHA256
ba23f928c64cca759bbf6f1f8318300ea384662f8b0c40bf22eb059beefc37af

SHA512
3824cb357c508f7a87894af928d97ad99d543e950af19bd82c0edda2196f36d272d27b54f1315a85921a41fb346b75b261e1fd366021f2b9623f810229300b93

Download Submit