Overview

overview

6

Static

static

1

amneziawg-....0.msi

windows7-x64

6

amneziawg-....0.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2024, 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    amneziawg-amd64-1.0.0.msi

  • Size

    3.2MB

  • MD5

    820f2d66357f5c1d986cbc1a41116d31

  • SHA1

    afc5b70d421b55fc6500698d90f1a4b4a030ce11

  • SHA256

    0f1172401ee28d8bfd15ebd4818e64b6001cd38e04d81ab1d096010eba40c9dc

  • SHA512

    953cc34418782304e121213a64e6de3dc1dc67e96acaf3686f40854c42805f0e12dec8e3ef710b5f00ab195bd4bb16ff1e3ae3413872bc846a0ebbde146bfb62

  • SSDEEP

    49152:DUqcXPxspPbZGfz2qKqmOQKsGc28k0aAfCWop2RYmVXbnD2mNoRv:wpXcDMfz2qtmOGGcjdy2OfYo

Score
6/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 17 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 19 IoCs
  • Modifies registry class 43 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\amneziawg-amd64-1.0.0.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1948
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3940
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1476
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding FE3D327D7DC3B3CCD5CF73B7438784CD
        2⤵
        • Loads dropped DLL
        PID:4800
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding C814298267D89586F84FF80F953CC433 E Global\MSI0000
        2⤵
        • Loads dropped DLL
        PID:4176
      • C:\Program Files\AmneziaWG\amneziawg.exe
        "C:\Program Files\AmneziaWG\amneziawg.exe"
        2⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:3512
        • C:\Program Files\AmneziaWG\amneziawg.exe
          "C:\Program Files\AmneziaWG\amneziawg.exe" /installmanagerservice
          3⤵
          • Executes dropped EXE
          PID:4348
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:3464
    • C:\Program Files\AmneziaWG\amneziawg.exe
      "C:\Program Files\AmneziaWG\amneziawg.exe" /managerservice
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3380
      • C:\Program Files\AmneziaWG\amneziawg.exe
        "C:\Program Files\AmneziaWG\amneziawg.exe" /ui 736 732 744 752
        2⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:4008

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57ae42.rbs
      Filesize

      8KB

      MD5

      69cf3146a2d66ad3124fbb269da18441

      SHA1

      600bdf9a0e9c8c75dcb13f67e31996c0938df599

      SHA256

      a8fc762abd89390188b5629ebac83c5c9d76240a6a9f5bebb11ebfa0d07a5f47

      SHA512

      cc0239ffe8852e9c843d0324affd54b43960834661f7a9917a23ad25536c1ec6c2dff49c6cfe201aa6933095cd9a70a10b5369499a2030a49911b5796a2b460d

      Download Submit

    • C:\Config.Msi\e57ae44.rbs
      Filesize

      417B

      MD5

      076295d828dd5e340488fa322952c32d

      SHA1

      c4b79c83342483063ef644b846418e031dde44ec

      SHA256

      fa99521195a3fe1d98c599073e21ea4a4c99f9e388b0d06cd66485e65946ca91

      SHA512

      5b4a92a756773593f094429302395ee80951407237ec461423279154ba5b25f3e8e68cb92e58d36b0f30fd3395a3197f89232e509aa7eb407ba9baacaa292ceb

      Download Submit

    • C:\Program Files\AmneziaWG\amneziawg.exe
      Filesize

      7.9MB

      MD5

      9c3859eba6a53e9df1d885c8147337bd

      SHA1

      2adb6cc21f9973f1aa7a083fe86c4b88a9a5f58c

      SHA256

      ba23f928c64cca759bbf6f1f8318300ea384662f8b0c40bf22eb059beefc37af

      SHA512

      3824cb357c508f7a87894af928d97ad99d543e950af19bd82c0edda2196f36d272d27b54f1315a85921a41fb346b75b261e1fd366021f2b9623f810229300b93

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
      Filesize

      765B

      MD5

      8ca89c4c44ce7a18f2fd38cc7dffa4e7

      SHA1

      fa36c1285bc049c697d71dd5f94bcc8fc5a3289d

      SHA256

      4dbdc5b97cb0ff50e6e758dd38983545bd73f1b0c1b6aac3268ff3959b94544f

      SHA512

      0a84354264bb33fc4fec10fe8683259a20aedcea3255fe5c70e3fb1e679434bd30929f68968341144914668a25e0dbfdef7952a6e68964e22c480897a270dc35

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_94116ABD187039A686207174FF4E0089
      Filesize

      638B

      MD5

      f4b12fdaa43941da38309f51766b98c6

      SHA1

      4b4b38c9836b377a01657746700c35b6ac19cb0b

      SHA256

      ab14758aeb14bb98319e14f7fca6501c2953aceb98b4f432eb794c9c1fea867c

      SHA512

      23652fbb8300539b08c28bd4eb2a8f2983e688746164ca90a124a817aecd8d7b5cdc0b168220becd95cbdb97f7b780646aa7a630169fa8ea201e04931a434959

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
      Filesize

      1KB

      MD5

      d3f8af8039313b70ce02f513f344a11c

      SHA1

      56e5fad71036ce3bdad4283059f32f1272f26a2a

      SHA256

      dbc0b049cc1591ac8d26845e0a626dc4e6d53fa43435bd649d5a5a1e2dd8ab2f

      SHA512

      8f3e4fc87018ba556052cac92280b311f7d06445bd89dccc0982800def60bc8901dba87e6b2270f1bf2d09efda5c43560cc973ba4865cb2a4562229e4904c469

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
      Filesize

      484B

      MD5

      5430c609080d3ababd65b64f472761ff

      SHA1

      5b408ffa479e7067ca610acd715b797505c7e561

      SHA256

      6443d40d0cf817c30ee0d3a7d505b386e1b61b2e2e1fe728a7a23e709b0345d5

      SHA512

      2875e1bc13387d76a99e1da1704914cd5f4b10188e9f3aaf025315345871ae094e7aa9ef9305b4efe83b679b4f460c8e4451977ecb3bdb3618749f102e34d461

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_94116ABD187039A686207174FF4E0089
      Filesize

      480B

      MD5

      109c817db8edebc28707d1fb478cdb4a

      SHA1

      1cdc25072d13f1c017be3c23a6d270b8cf52b785

      SHA256

      fd7d49ca01b1a49929bf645ada5fc4d6b6b1b1fdaf9907a222d9dc46353f8e8f

      SHA512

      d9c4128eda76cbd114e097590515eb0d357dfca390409870d85fcbd960c3957e99cb05532497540b006075d549945f411d176bbea5f7a6465ac1f92104d6c51d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
      Filesize

      482B

      MD5

      d6418af6a52883a42970ef98b2dc3ef2

      SHA1

      7278a7c154499ef7496e1defd3d46444c3e6850c

      SHA256

      86d23d6bd36626d4d265cb880f3ae0c2e18d04b7e115d459fad1c7653dbaa89f

      SHA512

      6af3cb7467e7260cfb98f57bf11eda29ab8dc7db311f26567020746abfed910007e15c0ac9e6aab50b4476c6e5e5fd6446ec97b4154a6405cf7c6551aaf1fe00

      Download Submit

    • C:\Windows\Installer\MSIAECE.tmp
      Filesize

      36KB

      MD5

      811cfc3e9e1df71228e30aa77ed9f718

      SHA1

      a12758985729c86868ed099c04ee177591e47dc7

      SHA256

      400f7be58edf92533c08d1e1157c6216f5e3c80054e9974c6dc0aae0a895cb3d

      SHA512

      14428979b51088f692241505f52d269558db65e7c7733b000dd4d744f1b71fbe9b7fae9753cb3d7047c941f1ba9f13d58e8a20b88ef784673530a19b11c40554

      Download Submit

    • C:\Windows\Installer\e57ae41.msi
      Filesize

      3.2MB

      MD5

      820f2d66357f5c1d986cbc1a41116d31

      SHA1

      afc5b70d421b55fc6500698d90f1a4b4a030ce11

      SHA256

      0f1172401ee28d8bfd15ebd4818e64b6001cd38e04d81ab1d096010eba40c9dc

      SHA512

      953cc34418782304e121213a64e6de3dc1dc67e96acaf3686f40854c42805f0e12dec8e3ef710b5f00ab195bd4bb16ff1e3ae3413872bc846a0ebbde146bfb62

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.1MB

      MD5

      b7658e7c76ed2f184bfa9d8ce38ac082

      SHA1

      c82e08a98d04eeba9bad1b03665a0063557739b0

      SHA256

      b948b2e7b4ae29a3301f60d1c31b8ccab0b795f8d375df115496aafa23e93461

      SHA512

      b5d64cd5aa3787b6e95dbd60ed9810ef6df605ca0219eeb2797286ce5deeddf1035d5214416d495d330655d2aed05b4b6588a377e52f91ec4b8396345817e691

      Download Submit

    • \??\Volume{1541411d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{16868319-839d-4fbd-aaa6-f9f52825d928}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      9d59248d7fb32680b00dea907ba2bf08

      SHA1

      6645f2b6c46cc39a456869f45263fb7be6ef223b

      SHA256

      96e2e0291de132ccde11d3e9bc58d4e7533c58e46226d16a9b2a60102eb33f40

      SHA512

      b3b1d65f55a3e8d4f8ed0189da55731fee1c6591da5f37081b06078d8d3b7e833eea3db52eb75bc1c5be92d20c271cc41f0fa984373398634cb4ad392e3cd9c4

      Download Submit