e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04

General

Target

e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Size

7.9MB
MD5

b1b9be32ef5b81fbd7a326c0ec61c09f
SHA1

e0881a4b7024a1672e56cc7d07f02dbacd13da61
SHA256

e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04
SHA512

70043545a4503a441ae448f3105ffaa4c52b6a9e44de8235da8fd76a2f7e08e016505a47cb0ef833395da7c9e5b31d168d963180ed9e5c85dbd57427462d46a6
SSDEEP

98304:jHJNGoKgovuzo8bhevZrQZXE79+tA3wUkQo:xo27hevxKU7otA8Q

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\AmneziaWG\Data\log.bin	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1272	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3840	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2564	1824	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe	83
PID 1824 wrote to memory of 2564	1824	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe	83
PID 1272 wrote to memory of 3840	1272	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe	85
PID 1272 wrote to memory of 3840	1272	e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe	85

C:\Users\Admin\AppData\Local\Temp\e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
"C:\Users\Admin\AppData\Local\Temp\e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
  "C:\Users\Admin\AppData\Local\Temp\e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe" /installmanagerservice
  2⤵
  PID:2564

C:\Users\Admin\AppData\Local\Temp\e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
C:\Users\Admin\AppData\Local\Temp\e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe /managerservice
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe
  C:\Users\Admin\AppData\Local\Temp\e20312e9814d97e18e65073c8c64e482f24048c6984dd393b57369f0693d6a04.exe /ui 736 732 744 752
  2⤵
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads