Analysis
-
max time kernel
54s -
max time network
42s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
15-10-2024 01:23
General
-
Target
setup-w8.1-1.4.6.exe
-
Size
2.1MB
-
MD5
938548152c35c028b942b33088d0f3b9
-
SHA1
6ead124c740dfddc2ab09f1739df760c6d1ee7d3
-
SHA256
108a8be5260047a10d49105e7f5c22f949bae4e866278b169b66358ea43145ff
-
SHA512
004bd6ca1e1dbbbe258fe42dcb628607e4a178f09bc40637a9660568953be883f7ecd48e8b07fe54a90757732bf05e106d1a5b89e486c2b36314e1c4f851b86e
-
SSDEEP
49152:8UYpE9Sa8jnyceXiIEeSavDw9M68bkF2xlEVRv/OiMpe/K7U:ZYpE7KWS49uKY+EVRv/OdpeAU
Malware Config
Signatures
-
r77
r77 is an open-source, userland rootkit.
-
r77 rootkit payload 1 IoCs
Detects the payload of the r77 rootkit.
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Modifies file permissions 1 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies data under HKEY_USERS 18 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup-w8.1-1.4.6.exe"C:\Users\Admin\AppData\Local\Temp\setup-w8.1-1.4.6.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-S4SPJ.tmp\setup-w8.1-1.4.6.tmp"C:\Users\Admin\AppData\Local\Temp\is-S4SPJ.tmp\setup-w8.1-1.4.6.tmp" /SL5="$A0050,1784034,121344,C:\Users\Admin\AppData\Local\Temp\setup-w8.1-1.4.6.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im aerohost.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im dwm.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\AeroGlass\install.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Aero Glass" /F4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Create /RU SYSTEM /TN "Aero Glass" /XML task.xml4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\schtasks.exeschtasks /Run /TN "Aero Glass"4⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\AeroGlass\permissions.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeicacls . /grant:r *S-1-5-90-0:(CI)(OI)F4⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls aerohost.exe /reset4⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls dwmglass.dll /reset4⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls aerohost.exe /inheritance:r /grant:r *S-1-5-32-544:F4⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls dwmglass.dll /inheritance:r /grant:r *S-1-5-32-544:F /grant:r *S-1-5-90-0:RX4⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls aerohost.exe /setowner *S-1-5-32-5444⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\icacls.exeicacls dwmglass.dll /setowner *S-1-5-32-5444⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\AeroGlass\aerohost.exeC:\AeroGlass\aerohost.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
908KB
MD51271f637329663499b3e5de3cfd54a2d
SHA1d5fb14165ad33b158ecee359aabb241df9e4238f
SHA25600033f5e9bcd4013d8af6b58f6d84d593f9179ea9bfffe48c9221c1acbc8e3b9
SHA512ae3b7fc06311ef28cce53bb3d30d36c1fc9e6b001daeb06c70776ac910de403929985ec21848500ca9044d83d2082aa4e124fcac9b14d8de5ca4e511b194f570
-
Filesize
110KB
MD5dde6e2baa5000239d7901a5de32c95d9
SHA1856751f17bf0912054c56a3c9a0b391c4403645c
SHA2561e0121791fd2011dfeff05b037db8c1c59ac45341362ac9d38197830bd06b051
SHA5121e131083b102dc6ab26d64bd1e7be60258cc13c8592c0f9bb6b3d1c84291aa4adc6341dd5ab2f3605ea92a06b1433f24afa8966196a9b9f76889dc2da6f5db57
-
Filesize
1.4MB
MD56d35358c66d8720db912e52b2ea79090
SHA1dcb86441e5cfd7fe4257659ccf852755677f0be4
SHA256d645f9d265d980ca77393ef1fd61df046d152620b47b629df47169777f3e1b6d
SHA512d0eb8254d5d315d9cda7250ca2476bcbfba4bfc57986fbbe848b9d0b9c084db44b61fa53286cf8913f13102ad1eb9dcbf021902a772f5e18315b027dca931940
-
Filesize
724B
MD562bc9807763994a17b29a7ee1a126e78
SHA18c3f5bc1aaf434c4c2ee1cc7838557c50c5f7d03
SHA256cdc08da499a8807b250167a58f915589a0f021d9a46d15909ee913c62d675147
SHA512118d86779c64672bcbd12db2356e9bb810d739c602dc5e7765d66cb918c008fb993635aa05338ae58c99e6862199432ff1eee3e61311ab76ab30c16c66a8e034
-
Filesize
2KB
MD55bcc2ff8588dc19777cd8db6bb792eda
SHA11c40f016ada5d350eaf628d748ab05026da63790
SHA25639bf1e5890f4e8aa6334fe785bcec0a50e84601e9b93574949d4c00fe6289de1
SHA512bee72d4ac60c705a489fbc0d45e58b5ff187e323acbe96528c618de088a416bc3ed274e43e70d2efae008205b5894ca33c7b91963f50613d300207f538acd6bb
-
Filesize
335B
MD5fffce8bc57255eaf21be2c89b4f7a0aa
SHA18a763b2ec3fc03e23e3966adc0365ee06d1b7c01
SHA256268874d1e167090d6fb690db4617a89acc7763e7204c4a5258963bc2954ab31d
SHA512549069e947f078eab91297e12f77c026bf36e6b1f2b170205154bc8f465f1d36a6366133efcfff26a629194246af5a528a314cc038cab05eb1752d2d9b8c5ab9
-
Filesize
153KB
MD58539f72a05f03d9d274ae6c07660dde7
SHA18d987185ce208bd51f53f4fd751cde56de511ebd
SHA256b619909c73ab3a20cbe7c10438cc92cf16aeed2fe792f38d67f47036f9017dbe
SHA51276d1cda40a5ad974ac550db4dd3147888244d9920dc2783fd92dceda4511f005a6e40b49cea96acb83d4fb4f12150f25d2d3c06661107ad3a94800c574c4f15a
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
1KB
MD5779d600fbfc877745e410f319d079445
SHA1cbe858a7b0df422775837f43b4906416970d940b
SHA256302c67921cf5608785d502c87e1295cb71a05796088df8aa66c2aecd897fad9f
SHA5123fbce9c368fdd40112b556174a21fd2f0a1b3180f364aba091a8a86f3de57d83e4b465f378346d11f7a092111e1582f593071da78d6fc72710f43491afbb6b3e
-
Filesize
4KB
MD5ca355f9c3f97098d81697d3eac32ec9f
SHA13239690998af57e77d05308081d8b5d49dfe1ca9
SHA256fde5fb830719eb5bc0d8b65208e51b3063a3b856d740c9d219e764d11c41ced7
SHA512987c0bba34557fa793f04262d465ba21cc9fb2e4c6839bb239f21e462129cd77977084a5775a04daef82af31626fc697a8f3beeae0f6214509218417f9222b85
-
Filesize
1.1MB
MD5df93c482732607b5bee46a4a9ccc5bc1
SHA1126f519cd64e47f8492136c04c3f75f0d69b057f
SHA256e2dba8ea067eb6dff61d34f4afac0ea6aef92d989b68618edd40aa51675a6907
SHA5128f8694728bcf30317bb3bf4ae5783084cbcbccf764f7bbd8350321769f5f2d16e34c911c816f20d01504461d7ce35d52002dfe69a116404a029c886ad3ca1b29
-
Filesize
90KB
MD56264c166f88828c0d10bbd7b07718829
SHA10cd5cdbf305bf9767f4615b9434f122629f17a24
SHA256ba7f1581e5f63e3f7e12e67dbe3b94632aedaae1fd36a67ced6851b58b76b3f7
SHA5129bbe7bd9743003975f8236dd0812b98e8e8b2b3fd0a8cd40b0cd808b1ba481336f1891d887f17dbaa05c7ff9f5a9262d8411207e9227c5e48face2424cdc3160
-
Filesize
5KB
MD5eb55dec31fb84bd702e9e4b2bf783de2
SHA1ebffb9105a12320906660825914b64ce4273c6d3
SHA256d5fdc84bbca61e8a2cfd490aa639802ba8d9c21c49d605ff47159f6e0c7b26a6
SHA512af97bff026e4f923ddba719d27be52afe8dd91fcbad7b915a9dca2c9517140f3b742d8c33b869774fdb07f11c9631d9f4061e5e246a34a6e2bfd6a630c4fa34e
-
Filesize
1.1MB
MD590fc739c83cd19766acb562c66a7d0e2
SHA1451f385a53d5fed15e7649e7891e05f231ef549a
SHA256821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431
SHA5124cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
68KB
-
Filesize
160KB
