Analysis
-
max time kernel
34s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
-
submitted
11-06-2024 16:58
General
-
Target
Glass1511.exe
-
Size
2.1MB
-
MD5
c1d39a0e69bbb26bfd6800a3495a4ed3
-
SHA1
ab986bfc719991fb586e0f7bc40e00d468623357
-
SHA256
608e31d0c42ccfc81e3c255cc56d7aa5168b18bd51453879a2be21ed07f9b4c8
-
SHA512
01a725cfd97d2536c0ac4a9c3d8d7cfa0928413e9de82acb21ac580422ef4b30b8f41b0a36c3006526699a09b5a5722f53d29f86999d2be8abdb71a353254243
-
SSDEEP
49152:8a6WKE1Qen2cnCuPTtUdoPiZ9zLbJo0Y7aKnMpe/K7U:X6XEtCiko6Z9zJ27aKMpeAU
Malware Config
Signatures
-
r77
r77 is an open-source, userland rootkit.
-
r77 rootkit payload 1 IoCs
Detects the payload of the r77 rootkit.
-
Modifies AppInit DLL entries 2 TTPs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 19 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious behavior: LoadsDriver 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Glass1511.exe"C:\Users\Admin\AppData\Local\Temp\Glass1511.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-LGQTI.tmp\Glass1511.tmp"C:\Users\Admin\AppData\Local\Temp\is-LGQTI.tmp\Glass1511.tmp" /SL5="$40222,1857535,121344,C:\Users\Admin\AppData\Local\Temp\Glass1511.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im aerohost.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im dwm.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\AeroGlass\install.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Aero Glass" /F4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Create /RU SYSTEM /TN "Aero Glass" /XML task.xml4⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\schtasks.exeschtasks /Run /TN "Aero Glass"4⤵
-
-
-
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\AeroGlass\aerohost.exeC:\AeroGlass\aerohost.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004CC1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3a23055 /state1:0x41c64e6d1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000110 0000008c1⤵
- Suspicious behavior: LoadsDriver
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e8 0000008c1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
908KB
MD5bf542013755997c834e98e0e4add4f38
SHA1c7c69e133aa881c877a2513e5e8d645dcfc29558
SHA256ad3feee461f09e07399ae31fbeb56566ec5399e55c2ef4266b3b25acdf06dc5a
SHA512ea291c0f8d037b13e6d21f52044588f07f42682cad157e69c6420be16df0b755bedf09843277a29a081eeb8b0d425f1ddc2ee500f6e715c1a9e15c724213b499
-
Filesize
223KB
MD5ad90c2f15b89f91db5f7a49808878fe3
SHA12eaaff429b2ef56066fb88cbd8b7c82eb55ade1e
SHA256a558c0bc68c4968dafddb79cb5b0830d7c62ff3beb19a4c1e89454642e4a4779
SHA512719b82a9de25f1e5e2c11be1993dd8d2d593a784c4bc18457a3376fdd40d779cf826e481fa7b8d96acb61c43b5d3acaa9d49f298884fc38e3efd65b6e05e496e
-
Filesize
114KB
MD58ec9feb3c776959daa8f477366dee78d
SHA1276ece41801126212956cb4c5bf0f73e62f3a5f9
SHA256e15997a5ff6bbef4b951daa142485b502bb84af01a4c1d15749f72bb8f35fa29
SHA51214c7ae5e407b2e5fdaef09ac9ce4693263221bd2bd252888c1a10428faf18d6fae16661316b6d3e6705a4c1db2ffad9f5f2434d98e8a6ec4374e3a0912475bf4
-
Filesize
1.4MB
MD56d35358c66d8720db912e52b2ea79090
SHA1dcb86441e5cfd7fe4257659ccf852755677f0be4
SHA256d645f9d265d980ca77393ef1fd61df046d152620b47b629df47169777f3e1b6d
SHA512d0eb8254d5d315d9cda7250ca2476bcbfba4bfc57986fbbe848b9d0b9c084db44b61fa53286cf8913f13102ad1eb9dcbf021902a772f5e18315b027dca931940
-
Filesize
1KB
MD526edea94bcb73e9819eaa62a5b663e6c
SHA11803dfec5fc16a61f5d55f85b2e22e3b36b6e661
SHA256320b765a4f683f54acae4acb4205aee3a988b22d01f714b10e3c5eb987b77cdd
SHA512ace95032d4bf85ec44f158c4b1375dd05fd70cd4aa76cf9bf4b72cda34c7a338a9f19bd1c64bae11f0ba6215d7b99d68ec022a459f1703c854606db14ae95532
-
Filesize
2KB
MD5f42f8e4369e95c3a1057d81295b8b14a
SHA1276ccfb0d7465e6bfa97609c9cdcef6dabe32d25
SHA25620262c1568e551a4edb1c75063e8ffd73e273360b28b8878ab7dda1ff3092b53
SHA51230067dac70497ef10d9535825aade25cc0d9502b1cc63f4579a843e8c4fa27dbbe42213725944757f20690563374ca98e997211027a95ce620ca97a1d9b0faa7
-
Filesize
2KB
MD5dbde09f8a5fd71db9265ec248b45d980
SHA1eaa624bad1cbcba975b619b7ab5cdfe7fb412bca
SHA256db519979a97353880bc557c79f840a0c5234e662ee18a290501de93020e56da5
SHA51287ed375bcced2f8268810b2a51c93935737189f4c2887801153d68a50715e70437e2b34e10ce3dfd3c2f48a90dcf36ef5d7eeaf5742c1877a8ba2ad1216117ed
-
Filesize
277B
MD5d08368c51859f22e062aa3d256f24bc7
SHA17f55c8d445addcf53046e3bfe46db3a0d448db57
SHA2566403e90ece09c5e96f00aed22cd66d51a6e3e705f71d6dea110fdfd7e30698c0
SHA512caa40e81895b72905ab8c499b1d493252c0df1eebcaade48d5fa3db3e9211246c0686c5bea8db0a9693794a16860b1125015e2ee73f7736fbf04e71bb79c2033
-
Filesize
96B
MD5da683b17743006f3150e6c0723960e8e
SHA1bf0be0b79acefe65c6825b1184a1cdf7ab5f03db
SHA256a9f0061e4a0086e45b2b872316d3d6989b43deb72f60b855ea8158031da94849
SHA51286aaa69e6352094613a236682b45cddb8c894e9776d3cdd90e62112181b1d588156a1fdc8926edafd965d3a68ecef7dedcdd024ac0c08c3db22b79e751851e2b
-
Filesize
2KB
MD55bcc2ff8588dc19777cd8db6bb792eda
SHA11c40f016ada5d350eaf628d748ab05026da63790
SHA25639bf1e5890f4e8aa6334fe785bcec0a50e84601e9b93574949d4c00fe6289de1
SHA512bee72d4ac60c705a489fbc0d45e58b5ff187e323acbe96528c618de088a416bc3ed274e43e70d2efae008205b5894ca33c7b91963f50613d300207f538acd6bb
-
Filesize
1KB
MD5febd881b90375c4af4bbd975246ef13a
SHA18d3837b2a80c355c345a1be7601797c66eff8252
SHA2567d466ab7ac317ef33a7e4fd17a573983a7df34292d03d1ad9be2f7bf2294b646
SHA512135f97926f2dae594b219264c6a2720117c159e58b77f6f22a558483a37339dd50c8a5f82ff468ee72114d462726c62db9fee97df63344dbb8e7986dcc86e9bb
-
Filesize
1KB
MD5cb532affe9366308197fc443ba9510e6
SHA14a0b067590ff04e7c6142fe263aee6853f183085
SHA2561f26a0bef152969c419114a42e58e6b4d81f3820d83177a3efa49cd3b4668221
SHA51232784bd7f65812d2b78c2a5b92cc9d6c3b16a460c3969f58388fe12cb614d76ef078266a391bae987e266fcdb494e151f80e5d61d32b555be37e0fafced23e66
-
Filesize
1KB
MD565575ae7bd68a804433779b985ee1362
SHA15607ae6357617a761fc8be8e9c32545acc544f30
SHA25669f8099e326e624cc09f8190bc9e2bfabe0fe1f5c84a2fd2dce25c9e7be8ff52
SHA512bc14bf525e56e526284d50c1c068ada6045b885990b7c177b873ee28bbdef605885202c1e017ce6a5bd2975df3185a905129b4e0002be6b13b96bee4f168b55b
-
Filesize
1KB
MD5779d600fbfc877745e410f319d079445
SHA1cbe858a7b0df422775837f43b4906416970d940b
SHA256302c67921cf5608785d502c87e1295cb71a05796088df8aa66c2aecd897fad9f
SHA5123fbce9c368fdd40112b556174a21fd2f0a1b3180f364aba091a8a86f3de57d83e4b465f378346d11f7a092111e1582f593071da78d6fc72710f43491afbb6b3e
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
1.1MB
MD590fc739c83cd19766acb562c66a7d0e2
SHA1451f385a53d5fed15e7649e7891e05f231ef549a
SHA256821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431
SHA5124cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
68KB
-
Filesize
136KB