Overview

overview

10

Static

static

3

Glass1511.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    11-06-2024 16:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Glass1511.exe

  • Size

    2.1MB

  • MD5

    c1d39a0e69bbb26bfd6800a3495a4ed3

  • SHA1

    ab986bfc719991fb586e0f7bc40e00d468623357

  • SHA256

    608e31d0c42ccfc81e3c255cc56d7aa5168b18bd51453879a2be21ed07f9b4c8

  • SHA512

    01a725cfd97d2536c0ac4a9c3d8d7cfa0928413e9de82acb21ac580422ef4b30b8f41b0a36c3006526699a09b5a5722f53d29f86999d2be8abdb71a353254243

  • SSDEEP

    49152:8a6WKE1Qen2cnCuPTtUdoPiZ9zLbJo0Y7aKnMpe/K7U:X6XEtCiko6Z9zJ27aKMpeAU

Score
10/10
r77discoverypersistencerootkit

Malware Config

Signatures

  • r77

    r77 is an open-source, userland rootkit.

    rootkitr77
  • r77 rootkit payload 1 IoCs

    Detects the payload of the r77 rootkit.

  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Glass1511.exe
    "C:\Users\Admin\AppData\Local\Temp\Glass1511.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Users\Admin\AppData\Local\Temp\is-E7JP3.tmp\Glass1511.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-E7JP3.tmp\Glass1511.tmp" /SL5="$40220,1857535,121344,C:\Users\Admin\AppData\Local\Temp\Glass1511.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:492
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /f /im aerohost.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /f /im dwm.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3640
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""C:\AeroGlass\install.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Windows\system32\schtasks.exe
          schtasks /Delete /TN "Aero Glass" /F
          4⤵
            PID:4968
          • C:\Windows\system32\schtasks.exe
            schtasks /Create /RU SYSTEM /TN "Aero Glass" /XML task.xml
            4⤵
            • Creates scheduled task(s)
            PID:4784
          • C:\Windows\system32\schtasks.exe
            schtasks /Run /TN "Aero Glass"
            4⤵
              PID:3340
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:4908
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:5072
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:4080
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4340
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:324
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:4472
      • C:\AeroGlass\aerohost.exe
        C:\AeroGlass\aerohost.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1636
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:2040
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:2876
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004EC
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1036
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x0 /state0:0xa3a1a055 /state1:0x41c64e6d
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of SetWindowsHookEx
        PID:4044
      • C:\Windows\System32\smss.exe
        \SystemRoot\System32\smss.exe 0000010c 00000090
        1⤵
          PID:4968
        • C:\Windows\System32\smss.exe
          \SystemRoot\System32\smss.exe 000000ec 00000090
          1⤵
            PID:4784
          • C:\Windows\System32\smss.exe
            \SystemRoot\System32\smss.exe 000000f8 00000090
            1⤵
              PID:3340
            • C:\Windows\System32\smss.exe
              \SystemRoot\System32\smss.exe 00000108 00000090
              1⤵
                PID:2040
              • C:\Windows\System32\smss.exe
                \SystemRoot\System32\smss.exe 000000f0 00000090
                1⤵
                  PID:2876
                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                  1⤵
                    PID:444
                  • C:\Windows\system32\wbem\WMIADAP.EXE
                    wmiadap.exe /R /T
                    1⤵
                    • Drops file in System32 directory
                    PID:4856

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\AeroGlass\DWMGlass.dll
                    Filesize

                    908KB

                    MD5

                    bf542013755997c834e98e0e4add4f38

                    SHA1

                    c7c69e133aa881c877a2513e5e8d645dcfc29558

                    SHA256

                    ad3feee461f09e07399ae31fbeb56566ec5399e55c2ef4266b3b25acdf06dc5a

                    SHA512

                    ea291c0f8d037b13e6d21f52044588f07f42682cad157e69c6420be16df0b755bedf09843277a29a081eeb8b0d425f1ddc2ee500f6e715c1a9e15c724213b499

                    Download Submit

                  • C:\AeroGlass\aerohost.exe
                    Filesize

                    114KB

                    MD5

                    8ec9feb3c776959daa8f477366dee78d

                    SHA1

                    276ece41801126212956cb4c5bf0f73e62f3a5f9

                    SHA256

                    e15997a5ff6bbef4b951daa142485b502bb84af01a4c1d15749f72bb8f35fa29

                    SHA512

                    14c7ae5e407b2e5fdaef09ac9ce4693263221bd2bd252888c1a10428faf18d6fae16661316b6d3e6705a4c1db2ffad9f5f2434d98e8a6ec4374e3a0912475bf4

                    Download Submit

                  • C:\AeroGlass\dbghelp.dll
                    Filesize

                    1.4MB

                    MD5

                    6d35358c66d8720db912e52b2ea79090

                    SHA1

                    dcb86441e5cfd7fe4257659ccf852755677f0be4

                    SHA256

                    d645f9d265d980ca77393ef1fd61df046d152620b47b629df47169777f3e1b6d

                    SHA512

                    d0eb8254d5d315d9cda7250ca2476bcbfba4bfc57986fbbe848b9d0b9c084db44b61fa53286cf8913f13102ad1eb9dcbf021902a772f5e18315b027dca931940

                    Download Submit

                  • C:\AeroGlass\debug.log
                    Filesize

                    1KB

                    MD5

                    753857603ac559d002b69b229778178f

                    SHA1

                    ad64bd5e23a79a67fbc14d3aae460398fb4089f5

                    SHA256

                    891e3b73c2bf2a0ce6429684a12c2561756c18248cc4af0d99d2cc653332394e

                    SHA512

                    c7e72b60cbbe43738345e71ce2580caabd74fd8fd48b8017da104f2bcb291c5c9647fd08caab2161cc9b01c8d8223287eac9ace98604c9c0ed06b64b96dfcc81

                    Download Submit

                  • C:\AeroGlass\debug.log
                    Filesize

                    820B

                    MD5

                    717c0c47d76705f5f38850efd4db9717

                    SHA1

                    ef62bd50e4706e12058926df057e8aadb68a889d

                    SHA256

                    c60404cc0b9ed6297c07db04b3288e4265c2b075d908f4d3b41aebb026fb3ca9

                    SHA512

                    2213782f5871a821ae38941659aa93fc0ec64b4a41738933803b98014d609ec9f53678291f5c36ea30517e0f397be3e731cb326e26b87af38194aa89569009c2

                    Download Submit

                  • C:\AeroGlass\debug.log
                    Filesize

                    1KB

                    MD5

                    93f953959e47ddc462f9140b3a74b44a

                    SHA1

                    0335b5958f7bb131266ef7afa647b9028ddfcef1

                    SHA256

                    8f4deb9708ff2472e33d49e3a1a159dcc008ac6d5d810274a19a7f928b0e521c

                    SHA512

                    7de2d58cd9251d0327eb894df69b6d6bd810894ecafc36b56fddd0001bc137af2cd5ff9f15c4c25eff5786ef330144235704b39b55e5a569dd529ec8b348af36

                    Download Submit

                  • C:\AeroGlass\donation.key
                    Filesize

                    96B

                    MD5

                    da683b17743006f3150e6c0723960e8e

                    SHA1

                    bf0be0b79acefe65c6825b1184a1cdf7ab5f03db

                    SHA256

                    a9f0061e4a0086e45b2b872316d3d6989b43deb72f60b855ea8158031da94849

                    SHA512

                    86aaa69e6352094613a236682b45cddb8c894e9776d3cdd90e62112181b1d588156a1fdc8926edafd965d3a68ecef7dedcdd024ac0c08c3db22b79e751851e2b

                    Download Submit

                  • C:\AeroGlass\install.bat
                    Filesize

                    2KB

                    MD5

                    5bcc2ff8588dc19777cd8db6bb792eda

                    SHA1

                    1c40f016ada5d350eaf628d748ab05026da63790

                    SHA256

                    39bf1e5890f4e8aa6334fe785bcec0a50e84601e9b93574949d4c00fe6289de1

                    SHA512

                    bee72d4ac60c705a489fbc0d45e58b5ff187e323acbe96528c618de088a416bc3ed274e43e70d2efae008205b5894ca33c7b91963f50613d300207f538acd6bb

                    Download Submit

                  • C:\AeroGlass\task.xml
                    Filesize

                    1KB

                    MD5

                    779d600fbfc877745e410f319d079445

                    SHA1

                    cbe858a7b0df422775837f43b4906416970d940b

                    SHA256

                    302c67921cf5608785d502c87e1295cb71a05796088df8aa66c2aecd897fad9f

                    SHA512

                    3fbce9c368fdd40112b556174a21fd2f0a1b3180f364aba091a8a86f3de57d83e4b465f378346d11f7a092111e1582f593071da78d6fc72710f43491afbb6b3e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\is-E7JP3.tmp\Glass1511.tmp
                    Filesize

                    1.1MB

                    MD5

                    90fc739c83cd19766acb562c66a7d0e2

                    SHA1

                    451f385a53d5fed15e7649e7891e05f231ef549a

                    SHA256

                    821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431

                    SHA512

                    4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\is-S9UB7.tmp\_isetup\_iscrypt.dll
                    Filesize

                    2KB

                    MD5

                    a69559718ab506675e907fe49deb71e9

                    SHA1

                    bc8f404ffdb1960b50c12ff9413c893b56f2e36f

                    SHA256

                    2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

                    SHA512

                    e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

                    Download Submit

                  • memory/492-6-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/492-110-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/1636-80-0x00007FF727710000-0x00007FF727732000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/1636-111-0x00007FF727710000-0x00007FF727732000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/2480-0-0x0000000000400000-0x0000000000428000-memory.dmp

                    Filesize

                    160KB

                    Download

                  • memory/2480-2-0x0000000000401000-0x0000000000412000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/2480-108-0x0000000000400000-0x0000000000428000-memory.dmp

                    Filesize

                    160KB

                    Download