207be23ccd62d0e3d9aefe12f5c2ab142a42a25b1e246e27e0ae9087c2fe96d3

Analysis

max time kernel
125s
max time network
125s
platform
windows10_x64
resource
win10v20201028
submitted
08-04-2021 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68e2ff114060c1bfc6d2398b860e70b0.exe
Size

1.3MB
MD5

68e2ff114060c1bfc6d2398b860e70b0
SHA1

8540e7baf664d115f9f7020ab61d73a80773d4cb
SHA256

207be23ccd62d0e3d9aefe12f5c2ab142a42a25b1e246e27e0ae9087c2fe96d3
SHA512

dcff2bc1df0595c1b1fbfa09a4633253d9b16ce02f9733c9982b797ff4fb7fb345219ca3780ad259ecce83ab89a5f87c861dce70dfa23ce06c9739a9861bc509

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Agli.exe.comAgli.exe.comAgli.exe.com

pid process

4036 Agli.exe.com
2232 Agli.exe.com
2956 Agli.exe.com
Drops startup file 1 IoCs

Processes:

Agli.exe.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbzUOZJPQt.url Agli.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

Agli.exe.com

description pid process target process

PID 2232 set thread context of 2956 2232 Agli.exe.com Agli.exe.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1056 PING.EXE

pid	process
4036	Agli.exe.com
2232	Agli.exe.com
2956	Agli.exe.com

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbzUOZJPQt.url	Agli.exe.com

description	pid	process	target process
PID 2232 set thread context of 2956	2232	Agli.exe.com	Agli.exe.com

pid	process
1056	PING.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1644	WMIC.exe
Token: SeSecurityPrivilege	1644	WMIC.exe
Token: SeTakeOwnershipPrivilege	1644	WMIC.exe
Token: SeLoadDriverPrivilege	1644	WMIC.exe
Token: SeSystemProfilePrivilege	1644	WMIC.exe
Token: SeSystemtimePrivilege	1644	WMIC.exe
Token: SeProfSingleProcessPrivilege	1644	WMIC.exe
Token: SeIncBasePriorityPrivilege	1644	WMIC.exe
Token: SeCreatePagefilePrivilege	1644	WMIC.exe
Token: SeBackupPrivilege	1644	WMIC.exe
Token: SeRestorePrivilege	1644	WMIC.exe
Token: SeShutdownPrivilege	1644	WMIC.exe
Token: SeDebugPrivilege	1644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1644	WMIC.exe
Token: SeRemoteShutdownPrivilege	1644	WMIC.exe
Token: SeUndockPrivilege	1644	WMIC.exe
Token: SeManageVolumePrivilege	1644	WMIC.exe
Token: 33	1644	WMIC.exe
Token: 34	1644	WMIC.exe
Token: 35	1644	WMIC.exe
Token: 36	1644	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1644	WMIC.exe
Token: SeSecurityPrivilege	1644	WMIC.exe
Token: SeTakeOwnershipPrivilege	1644	WMIC.exe
Token: SeLoadDriverPrivilege	1644	WMIC.exe
Token: SeSystemProfilePrivilege	1644	WMIC.exe
Token: SeSystemtimePrivilege	1644	WMIC.exe
Token: SeProfSingleProcessPrivilege	1644	WMIC.exe
Token: SeIncBasePriorityPrivilege	1644	WMIC.exe
Token: SeCreatePagefilePrivilege	1644	WMIC.exe
Token: SeBackupPrivilege	1644	WMIC.exe
Token: SeRestorePrivilege	1644	WMIC.exe
Token: SeShutdownPrivilege	1644	WMIC.exe
Token: SeDebugPrivilege	1644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1644	WMIC.exe
Token: SeRemoteShutdownPrivilege	1644	WMIC.exe
Token: SeUndockPrivilege	1644	WMIC.exe
Token: SeManageVolumePrivilege	1644	WMIC.exe
Token: 33	1644	WMIC.exe
Token: 34	1644	WMIC.exe
Token: 35	1644	WMIC.exe
Token: 36	1644	WMIC.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

68e2ff114060c1bfc6d2398b860e70b0.execmd.execmd.exeAgli.exe.comAgli.exe.comAgli.exe.comcmd.execmd.exe

description	pid	process	target process
PID 1504 wrote to memory of 2268	1504	68e2ff114060c1bfc6d2398b860e70b0.exe	dllhost.exe
PID 1504 wrote to memory of 2268	1504	68e2ff114060c1bfc6d2398b860e70b0.exe	dllhost.exe
PID 1504 wrote to memory of 2268	1504	68e2ff114060c1bfc6d2398b860e70b0.exe	dllhost.exe
PID 1504 wrote to memory of 3784	1504	68e2ff114060c1bfc6d2398b860e70b0.exe	cmd.exe
PID 1504 wrote to memory of 3784	1504	68e2ff114060c1bfc6d2398b860e70b0.exe	cmd.exe
PID 1504 wrote to memory of 3784	1504	68e2ff114060c1bfc6d2398b860e70b0.exe	cmd.exe
PID 3784 wrote to memory of 584	3784	cmd.exe	cmd.exe
PID 3784 wrote to memory of 584	3784	cmd.exe	cmd.exe
PID 3784 wrote to memory of 584	3784	cmd.exe	cmd.exe
PID 584 wrote to memory of 744	584	cmd.exe	findstr.exe
PID 584 wrote to memory of 744	584	cmd.exe	findstr.exe
PID 584 wrote to memory of 744	584	cmd.exe	findstr.exe
PID 584 wrote to memory of 4036	584	cmd.exe	Agli.exe.com
PID 584 wrote to memory of 4036	584	cmd.exe	Agli.exe.com
PID 584 wrote to memory of 4036	584	cmd.exe	Agli.exe.com
PID 584 wrote to memory of 1056	584	cmd.exe	PING.EXE
PID 584 wrote to memory of 1056	584	cmd.exe	PING.EXE
PID 584 wrote to memory of 1056	584	cmd.exe	PING.EXE
PID 4036 wrote to memory of 2232	4036	Agli.exe.com	Agli.exe.com
PID 4036 wrote to memory of 2232	4036	Agli.exe.com	Agli.exe.com
PID 4036 wrote to memory of 2232	4036	Agli.exe.com	Agli.exe.com
PID 2232 wrote to memory of 2956	2232	Agli.exe.com	Agli.exe.com
PID 2232 wrote to memory of 2956	2232	Agli.exe.com	Agli.exe.com
PID 2232 wrote to memory of 2956	2232	Agli.exe.com	Agli.exe.com
PID 2232 wrote to memory of 2956	2232	Agli.exe.com	Agli.exe.com
PID 2232 wrote to memory of 2956	2232	Agli.exe.com	Agli.exe.com
PID 2956 wrote to memory of 716	2956	Agli.exe.com	cmd.exe
PID 2956 wrote to memory of 716	2956	Agli.exe.com	cmd.exe
PID 2956 wrote to memory of 716	2956	Agli.exe.com	cmd.exe
PID 2956 wrote to memory of 3852	2956	Agli.exe.com	cmd.exe
PID 2956 wrote to memory of 3852	2956	Agli.exe.com	cmd.exe
PID 2956 wrote to memory of 3852	2956	Agli.exe.com	cmd.exe
PID 3852 wrote to memory of 1644	3852	cmd.exe	WMIC.exe
PID 3852 wrote to memory of 1644	3852	cmd.exe	WMIC.exe
PID 3852 wrote to memory of 1644	3852	cmd.exe	WMIC.exe
PID 2956 wrote to memory of 3752	2956	Agli.exe.com	cmd.exe
PID 2956 wrote to memory of 3752	2956	Agli.exe.com	cmd.exe
PID 2956 wrote to memory of 3752	2956	Agli.exe.com	cmd.exe
PID 3752 wrote to memory of 2648	3752	cmd.exe	makecab.exe
PID 3752 wrote to memory of 2648	3752	cmd.exe	makecab.exe
PID 3752 wrote to memory of 2648	3752	cmd.exe	makecab.exe

C:\Users\Admin\AppData\Local\Temp\68e2ff114060c1bfc6d2398b860e70b0.exe
"C:\Users\Admin\AppData\Local\Temp\68e2ff114060c1bfc6d2398b860e70b0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
2⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Poi.vsd
2⤵
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$" Che.vsd
4⤵
PID:744

C:\Users\Admin\AppData\Roaming\mbxeFARwrUfNuQPTuPG\Agli.exe.com
Agli.exe.com D
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Roaming\mbxeFARwrUfNuQPTuPG\Agli.exe.com
C:\Users\Admin\AppData\Roaming\mbxeFARwrUfNuQPTuPG\Agli.exe.com D
5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Roaming\mbxeFARwrUfNuQPTuPG\Agli.exe.com
C:\Users\Admin\AppData\Roaming\mbxeFARwrUfNuQPTuPG\Agli.exe.com
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ver > "C:\Users\Admin\AppData\Local\Temp\chr5C5A.tmp"
7⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C wmic process get Name > "C:\Users\Admin\AppData\Local\Temp\chr5C9A.tmp"
7⤵
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process get Name
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /c makecab /V3 "C:\Users\Admin\AppData\Local\Temp\372c8e417da21daa91f4cfadc39fcc4a977b32cb" "C:\Users\Admin\AppData\Local\Temp\chr5FC7.tmp"
7⤵
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\SysWOW64\makecab.exe
makecab /V3 "C:\Users\Admin\AppData\Local\Temp\372c8e417da21daa91f4cfadc39fcc4a977b32cb" "C:\Users\Admin\AppData\Local\Temp\chr5FC7.tmp"
8⤵
PID:2648

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\372c8e417da21daa91f4cfadc39fcc4a977b32cb
MD5
de4eaf16cd2517965f001273eee38f33

SHA1
11856f057cebb886f530e31ce4a50bbecb30057e

SHA256
822a1d7ead419d9d8575ffa4e3f41759fa6d031bf71c46202f8b497cbf0cde24

SHA512
0314fe4a317a343856f9868745b9267f85df267b3ea9bcf5412cb1e98e4b29cfb43514a364b71571e800f862521ea0523bb58e0d683405269c18c9a3cb4db08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chr5C5A.tmp
MD5
9a0da4f99e91d522cd33c35a639105ff

SHA1
952c5a0658ef5a27744575692b734ff5b3116de5

SHA256
d1b752a792495385a3376b84eca29aa3f6927d00aaefd7b65256c33df649e130

SHA512
43733c82b935d35b425cc89f467a98033e0067d8b6e04c1ba52169154b303fb644f3a2456fd341d8948267e4687a80ad1705e2f304eb0a392f7629dc499aec55

Download Submit
C:\Users\Admin\AppData\Local\Temp\chr5C9A.tmp
MD5
6f63353541c443a260c3ffccd8043a10

SHA1
8f9d35b10cde00eb00a5f5dc5c14e24e8b0489eb

SHA256
bfd7e5097268d1680d5332d939a15c5d244c9d8b553b996d7a59869a8bfb4aa6

SHA512
bbabc4c22fe447eb60d7bc7f6cb49f0ef76870739f8e93a85fdbf2c71b945ce3d415b2ba9117434157b910590db4d529c37f1e57002c10881fc34c846e5c016c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chr5FC7.tmp
MD5
893cb565ed77620e966d7e6341c53973

SHA1
251118315f4822e1c2e506b42073964d0457714b

SHA256
0be68fbdc0c0818c672f1972a5f6451fdef7c7c88a7b09774654d8475f31c615

SHA512
21719e4f7419fe3abb24f32389fce2b8c592004fef599c8365e440a2be27ba99ed565e9102083d78b772c9d6ff257670aee487971eb916de8583b348b5c2e3e3

Download Submit
C:\Users\Admin\AppData\Roaming\mbxeFARwrUfNuQPTuPG\Agli.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\mbxeFARwrUfNuQPTuPG\Agli.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\mbxeFARwrUfNuQPTuPG\Agli.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\mbxeFARwrUfNuQPTuPG\Agli.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\mbxeFARwrUfNuQPTuPG\Benvenuta.vsd
MD5
6ca6d46f3fba9e7f22f6489f155ffb64

SHA1
a1d0d6373ff6df021f0da93d2fbd8d0270f1f2e0

SHA256
8aad09d17ec0d9f2929e88f898f3ad5b4e2c7f8d1fa39ba39ca03e665e87b674

SHA512
33ea4f4158fd339980134e9fc9c53ec9b9ede6a373c4c8a6111cdce3d7241cad69a02fbc207fc38a56d0536d9966db8b6eccce3f0e27e1a02f85106603376ddf

Download Submit
C:\Users\Admin\AppData\Roaming\mbxeFARwrUfNuQPTuPG\Che.vsd
MD5
a7ddd4d4067d7e404d579ae32dc91542

SHA1
4203587509050293e0d1c8f833545230bb3355b0

SHA256
548e87e6b13cdda866ccc0a125b4eeab7879c2ae0fcac20073ac953d2f682729

SHA512
1801871bfec0c7beb62b37b4bdaee8733b9204594e4481647efc476b819c8be06fd1f2e88d99f8c62ca9c86bf91f2270c5c01e0950c160364f3f78171208b1f9

Download Submit
C:\Users\Admin\AppData\Roaming\mbxeFARwrUfNuQPTuPG\D
MD5
6ca6d46f3fba9e7f22f6489f155ffb64

SHA1
a1d0d6373ff6df021f0da93d2fbd8d0270f1f2e0

SHA256
8aad09d17ec0d9f2929e88f898f3ad5b4e2c7f8d1fa39ba39ca03e665e87b674

SHA512
33ea4f4158fd339980134e9fc9c53ec9b9ede6a373c4c8a6111cdce3d7241cad69a02fbc207fc38a56d0536d9966db8b6eccce3f0e27e1a02f85106603376ddf

Download Submit
C:\Users\Admin\AppData\Roaming\mbxeFARwrUfNuQPTuPG\Poi.vsd
MD5
1cc05843eb402695e2aea3de852b754f

SHA1
14035ca106ac2c8877e3084571a894dbb2abc75f

SHA256
979d3f1dc9417d0c462941af909aaf41e12d3d75ba1053e452402887273d10da

SHA512
f027ce99450df436c7ef552ad2db27b376e864add4935a34bc8a97c4e262edbc9fa416f1ff3857829d340eff0dcb166e6eed84d21307e5e8df05866e12ecf5bb

Download Submit
C:\Users\Admin\AppData\Roaming\mbxeFARwrUfNuQPTuPG\Veduto.vsd
MD5
b4b043fbda464d018ef01cea7cee7303

SHA1
2b21f85669e9ee021a0805a1d802760993f86957

SHA256
63bc2ca795da615cdfe6a0dcd3d65944632fe0013d452cafc3016165a762bf2a

SHA512
bf6af2fa5a1fd5d22c5f142c86fb167d9c849f3a294464375920eea19cb1dd5068628c846b63b364e00bc1504eddef32fb6bbe1c1bef7131248f8e291223a29e

Download Submit
memory/584-117-0x0000000000000000-mapping.dmp

Download
memory/716-133-0x0000000000000000-mapping.dmp

Download
memory/744-118-0x0000000000000000-mapping.dmp

Download
memory/1056-123-0x0000000000000000-mapping.dmp

Download
memory/1644-136-0x0000000000000000-mapping.dmp

Download
memory/2232-125-0x0000000000000000-mapping.dmp

Download
memory/2232-129-0x00000000038B0000-0x00000000038B1000-memory.dmp

Filesize
4KB

Download
memory/2268-114-0x0000000000000000-mapping.dmp

Download
memory/2648-139-0x0000000000000000-mapping.dmp

Download
memory/2956-132-0x0000000000D20000-0x0000000001E77000-memory.dmp

Filesize
17.3MB

Download
memory/2956-130-0x0000000000D20000-0x0000000001E77000-memory.dmp

Filesize
17.3MB

Download
memory/3752-138-0x0000000000000000-mapping.dmp

Download
memory/3784-115-0x0000000000000000-mapping.dmp

Download
memory/3852-135-0x0000000000000000-mapping.dmp

Download
memory/4036-121-0x0000000000000000-mapping.dmp

Download