Edit tour
Windows
Analysis Report
GlassWireSetup.exe
Overview
General Information
| Sample name: | GlassWireSetup.exe |
| Analysis ID: | 1528306 |
| MD5: | f1f2568ebb13c2cbe8c481bffa4922bb |
| SHA1: | c1a512a08eebea2d8d88e8ac53ca5628c566ef13 |
| SHA256: | 5bd765c18cbe76eddf97ff39aa20c36e6bbf801ee876fc3c07c4651577e711a3 |
| Infos: |  |
 | |
Detection
| Score: | 34 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 0% |
Compliance
| Score: | 51 |
| Range: | 0 - 100 |
Signatures
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Hides threads from debuggers
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to open files direct via NTFS file id
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables security privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Explorer Process Tree Break
Sigma detected: Potentially Suspicious Rundll32 Activity
Sigma detected: Suspicious Rundll32 Setupapi.dll Activity
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
GlassWireSetup.exe (PID: 7112 cmdline: "C:\Users\ user\Deskt op\GlassWi reSetup.ex e" MD5: F1F2568EBB13C2CBE8C481BFFA4922BB) 
vc_redist.x86.exe (PID: 6484 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\nsx969 4.tmp\vc_r edist.x86. exe" /inst all /quiet /norestar t MD5: DD0232EE751164EAAD2FE0DE7158D77D) - vc_redist.x86.exe (PID: 1148 cmdline:
"C:\Window s\Temp\{FA C60DB1-A69 7-45EE-963 C-3E79552A 0F30}\.cr\ vc_redist. x86.exe" - burn.clean .room="C:\ Users\user \AppData\L ocal\Temp\ nsx9694.tm p\vc_redis t.x86.exe" -burn.fil ehandle.at tached=524 -burn.fil ehandle.se lf=640 /in stall /qui et /norest art MD5: 29C7A21BAE42889B08137C25AAE8E55C) - VC_redist.x86.exe (PID: 3584 cmdline:
"C:\Window s\Temp\{A3 612FE9-3C2 2-4098-98C 3-2CD91218 666B}\.be\ VC_redist. x86.exe" - q -burn.el evated Bur nPipe.{4C6 967F0-7861 -4E5E-A266 -A79F91D53 451} {8D47 B6A8-8425- 45E8-BA0B- 10ED43630B CC} 1148 MD5: 29C7A21BAE42889B08137C25AAE8E55C) 
GWInstSt.exe (PID: 7728 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\nsx969 4.tmp\GWIn stSt.exe" "https://w ww.glasswi re.com/sta t/install. php?v=3.4. 694&build_ type=full& os=Ten&pla tform=x64& update=0&i nstall_id= 8AC7009D4B 52E62F54AD 1F4176FBF2 7962F3EAF3 F7DDE916A0 8729FD64A8 AEEE&refer rer=https% 3A%2F%2Fww w.google.c om%2F&user _agent=Moz illa%2F5.0 +%28Window s+NT+10.0% 3B+Win64%3 B+x64%29+A ppleWebKit %2F537.36+ %28KHTML%2 C+like+Gec ko%29+Chro me%2F129.0 .0.0+Safar i%2F537.36 +Edg%2F129 .0.0.0&ga_ client_id= 1231827075 .172831935 7" "nsis$$ .tmp" MD5: 63DC9E4A693261F14924D8692D2EB442) 
rundll32.exe (PID: 7828 cmdline: "C:\Window s\system32 \rundll32. exe" setup api.dll,In stallHinfS ection Def aultInstal l 128 C:\W indows\sys tem32\driv ers\gwdrv. inf MD5: EF3179D498793BF4234F708D3BE28633) 
runonce.exe (PID: 7960 cmdline: "C:\Window s\system32 \runonce.e xe" -r MD5: 9ADEF025B168447C1E8514D919CB5DC0) 
grpconv.exe (PID: 7996 cmdline: "C:\Window s\System32 \grpconv.e xe" -o MD5: 8531882ACC33CB4BDC11B305A01581CE) - net.exe (PID: 8136 cmdline:
"C:\Window s\system32 \net.exe" start gwdr v MD5: 0BD94A338EEA5A4E1F2830AE326E6D19) 
conhost.exe (PID: 8148 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - net1.exe (PID: 7196 cmdline:
C:\Windows \system32\ net1 start gwdrv MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9) - wevtutil.exe (PID: 5180 cmdline:
"C:\Window s\system32 \wevtutil. exe" im "C :\Users\us er\AppData \Local\Tem p\nsx9694. tmp\eventl og.man" /r f:"C:\Prog ram Files (x86)\Glas sWire\GWEv entLog.dll " /mf:"C:\ Program Fi les (x86)\ GlassWire\ GWEventLog .dll" MD5: 3C0E48DA02447863279B0FE3CE7FE5E8) - conhost.exe (PID: 7264 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wevtutil.exe (PID: 5328 cmdline:
"C:\Window s\system32 \wevtutil. exe" im "C :\Users\us er\AppData \Local\Tem p\nsx9694. tmp\eventl og.man" /r f:"C:\Prog ram Files (x86)\Glas sWire\GWEv entLog.dll " /mf:"C:\ Program Fi les (x86)\ GlassWire\ GWEventLog .dll" /fro mwow64 MD5: 1AAE26BD68B911D0420626A27070EB8D) - GWCtlSrv.exe (PID: 7328 cmdline:
"C:\Progra m Files (x 86)\GlassW ire\GWCtlS rv.exe" "- i" MD5: 56D6DB5EA2E8EF737A0CF9C808B8D533) - conhost.exe (PID: 7300 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - GWCtlSrv.exe (PID: 4248 cmdline:
"C:\Progra m Files (x 86)\GlassW ire\GWCtlS rv.exe" "- s" MD5: 56D6DB5EA2E8EF737A0CF9C808B8D533) - conhost.exe (PID: 7436 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
explorer.exe (PID: 5868 cmdline: "C:\Window s\explorer .exe" "C:\ Program Fi les (x86)\ GlassWire\ glasswire. exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
- VSSVC.exe (PID: 3368 cmdline:
C:\Windows \system32\ vssvc.exe MD5: 875046AD4755396636A68F4A9EDB22A4)
- svchost.exe (PID: 3736 cmdline:
C:\Windows \System32\ svchost.ex e -k swprv MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- SrTasks.exe (PID: 4268 cmdline:
C:\Windows \system32\ srtasks.ex e ExecuteS copeRestor ePoint /Wa itForResto rePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB) - conhost.exe (PID: 3448 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
msiexec.exe (PID: 7180 cmdline: C:\Windows \system32\ msiexec.ex e /V MD5: E5DA170027542E25EDE42FC54C929077)
- svchost.exe (PID: 7856 cmdline:
C:\Windows \system32\ svchost.ex e -k DcomL aunch -p - s DeviceIn stall MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - drvinst.exe (PID: 7892 cmdline:
DrvInst.ex e "4" "0" "C:\Users\ user\AppDa ta\Local\T emp\{1b9ae 675-a69a-7 84f-a0a3-d 898132a09b a}\gwdrv.i nf" "9" "4 e7eab47b" "000000000 0000144" " WinSta0\De fault" "00 0000000000 0170" "208 " "C:\Wind ows\system 32\drivers " MD5: 294990C88B9D1FE0A54A1FA8BF4324D9) - drvinst.exe (PID: 7944 cmdline:
DrvInst.ex e "8" "4" "C:\Window s\System32 \DriverSto re\FileRep ository\gw drv.inf_am d64_54933c 59b5293195 \gwdrv.inf " "0" "4e7 eab47b" "0 0000000000 00170" "Wi nSta0\Defa ult" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
- GWCtlSrv.exe (PID: 7380 cmdline:
"C:\Progra m Files (x 86)\GlassW ire\GWCtlS rv.exe" MD5: 56D6DB5EA2E8EF737A0CF9C808B8D533)
- explorer.exe (PID: 1816 cmdline:
C:\Windows \explorer. exe /facto ry,{75dff2 b7-6936-4c 06-a8bb-67 6a7b00b24b } -Embeddi ng MD5: 662F4F92FDE3557E86D110526BB578D5) - GlassWire.exe (PID: 1060 cmdline:
"C:\Progra m Files (x 86)\GlassW ire\GlassW ire.exe" MD5: E4ADF42227B3BADFCD239669363B4BDF)
- svchost.exe (PID: 6764 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- GlassWire.exe (PID: 7120 cmdline:
"C:\Progra m Files (x 86)\GlassW ire\glassw ire.exe" - hide MD5: E4ADF42227B3BADFCD239669363B4BDF)
- GlassWire.exe (PID: 2836 cmdline:
"C:\Progra m Files (x 86)\GlassW ire\glassw ire.exe" - hide MD5: E4ADF42227B3BADFCD239669363B4BDF)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |   |
|---|
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber: | ||
| Source: | Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Konstantin Grishchenko, oscd.community: | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): | ||
| Source: | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: | ||
| Source: | Author: vburov: | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
| Source: | Code function: | 1_2_005C9EB7 | |
| Source: | Code function: | 1_2_005EF961 | |
| Source: | Code function: | 1_2_005C9C99 | |
| Source: | Code function: | 2_2_00879EB7 | |
| Source: | Code function: | 2_2_0089F961 | |
| Source: | Code function: | 2_2_00879C99 | |
| Source: | Code function: | 3_2_00E2F961 | |
| Source: | Code function: | 3_2_00E09C99 | |
| Source: | Code function: | 3_2_00E09EB7 | |
| Source: | Binary or memory string: | memstr_5a6c2a26-8 | |
Compliance | |
|---|
| Source: | Static PE information: | ||
| Source: | Window detected: | ||