cc6174aa776a0b1bc29c8a466de095e281cc9a238dee7363196dbbdbb7bb2873

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2023 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GlassWireSetup.exe
Size

66.0MB
MD5

cbdff02625ef580bf509b60832bf06c3
SHA1

fd3ce416b3d8e4ce1af8b310a89e2ef58d25c263
SHA256

cc6174aa776a0b1bc29c8a466de095e281cc9a238dee7363196dbbdbb7bb2873
SHA512

4c2e645780466e58015e678c3dbd2041cdd39089d50d2afe7c250b5aa813023ff2b23a57cc0fe31986e4fb0f50f374feb5b45315e47da144f74875341a1f3964
SSDEEP

1572864:uHAyCN598RzIxTnHF7d1pXTygI9hbl0rcmjXFcI9BKvBiSVwzfZf4:ugJyoTHz1ByV1Sr3FcIXiALzW

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

GlassWireSetup.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ GlassWireSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GlassWireSetup.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GlassWireSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GlassWireSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GlassWireSetup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GlassWireSetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	GlassWireSetup.exe

Loads dropped DLL 3 IoCs

Processes:

GlassWireSetup.exe

pid process

3852 GlassWireSetup.exe
3852 GlassWireSetup.exe
3852 GlassWireSetup.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

GlassWireSetup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA GlassWireSetup.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

GlassWireSetup.exe

pid process

3852 GlassWireSetup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3852	GlassWireSetup.exe
3852	GlassWireSetup.exe
3852	GlassWireSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GlassWireSetup.exe

pid	process
3852	GlassWireSetup.exe

C:\Users\Admin\AppData\Local\Temp\GlassWireSetup.exe
"C:\Users\Admin\AppData\Local\Temp\GlassWireSetup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd9D7E.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9D7E.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9D7E.tmp\nsihelper.dll
Filesize
4.6MB

MD5
af3014521035887c994e3a4ecaba8993

SHA1
b1d811f1575fd829de79c5f50c6842a003430bb5

SHA256
58af17b511a39a1b6fae3a4d7502e7560fec376ba11005c106d061cb317bdfb4

SHA512
6eb78bc59aff57d78706e92132d1445b734cb22e1de147c0cba77a51af50665607c08f55b9067cd8d33da23f02e568f58393c818848427da62562b325e05f547

Download Submit
memory/3852-138-0x0000000074310000-0x0000000074FED000-memory.dmp

Filesize
12.9MB

Download
memory/3852-136-0x0000000074310000-0x0000000074FED000-memory.dmp

Filesize
12.9MB

Download
memory/3852-137-0x0000000074310000-0x0000000074FED000-memory.dmp

Filesize
12.9MB

Download
memory/3852-134-0x0000000074310000-0x0000000074FED000-memory.dmp

Filesize
12.9MB

Download
memory/3852-139-0x0000000074310000-0x0000000074FED000-memory.dmp

Filesize
12.9MB

Download
memory/3852-140-0x0000000074310000-0x0000000074FED000-memory.dmp

Filesize
12.9MB

Download
memory/3852-141-0x0000000074310000-0x0000000074FED000-memory.dmp

Filesize
12.9MB

Download
memory/3852-142-0x0000000074310000-0x0000000074FED000-memory.dmp

Filesize
12.9MB

Download
memory/3852-135-0x0000000077CD0000-0x0000000077E73000-memory.dmp

Filesize
1.6MB

Download
memory/3852-144-0x0000000077CD0000-0x0000000077E73000-memory.dmp

Filesize
1.6MB

Download