98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7

General

Target

98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe
Size

205KB
MD5

1722ed342398e20d9b4c02290ed28ace
SHA1

b821e79711d1b3cc1d3b1584eacfed472d3d6853
SHA256

98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7
SHA512

8562ddd99405ba9edbef894470329690cc79de2d04e777611645bd3c0e96f840f8c2ba5722c58ef453a0f6e1f0df353f4b786039ba3b18612f74cf411c765489
SSDEEP

6144:WTmgzw8RTPbC55dXcnuUWzULEQIBS+eZ2G:ng0OPE9/zWtcSlM

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
744	Itigya.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000133a7-61.dat	upx
behavioral1/memory/744-63-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Itigya.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\CL2GFOKBC9 = "C:\\Windows\\Itigya.exe"	Itigya.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe
File created	C:\Windows\Itigya.exe	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe
File opened for modification	C:\Windows\Itigya.exe	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	Itigya.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
744	Itigya.exe
744	Itigya.exe
744	Itigya.exe
744	Itigya.exe
744	Itigya.exe
744	Itigya.exe
744	Itigya.exe
744	Itigya.exe
1408	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe
1408	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe
1408	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe
1408	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe
1408	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe
1408	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe
1408	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe
1408	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1408	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe
744	Itigya.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 744	1408	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe	26
PID 1408 wrote to memory of 744	1408	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe	26
PID 1408 wrote to memory of 744	1408	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe	26
PID 1408 wrote to memory of 744	1408	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe	26
PID 1408 wrote to memory of 744	1408	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe	26
PID 1408 wrote to memory of 744	1408	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe	26
PID 1408 wrote to memory of 744	1408	98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe	26

C:\Users\Admin\AppData\Local\Temp\98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe
"C:\Users\Admin\AppData\Local\Temp\98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\Itigya.exe
  C:\Windows\Itigya.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Itigya.exe

Filesize
205KB

MD5
1722ed342398e20d9b4c02290ed28ace

SHA1
b821e79711d1b3cc1d3b1584eacfed472d3d6853

SHA256
98eaeab48ba9ffd2700ab985d7b874cacd8360b6865e25062f33d016224268d7

SHA512
8562ddd99405ba9edbef894470329690cc79de2d04e777611645bd3c0e96f840f8c2ba5722c58ef453a0f6e1f0df353f4b786039ba3b18612f74cf411c765489

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
408B

MD5
512ee848cee4ebff3dd177983e12817d

SHA1
d92e4a0fb5bc7cf0b5815230485622ee35bc00ef

SHA256
c3b263c97bcb2392ed51abad558852b4fadac1e42939ecfe321b0deba4e11f94

SHA512
35107d8e98b0cc15b20f8f2129298b4179a65777990f89749b63a80aa352b66c4e9f393ca7bd00c70610300dea7e37794a63e7d0e71aae6219b1d7616555d74d

Download Submit
memory/744-63-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/744-69-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/744-66-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1408-59-0x0000000000230000-0x00000000002A0000-memory.dmp

Filesize
448KB

Download
memory/1408-62-0x00000000004B0000-0x0000000000520000-memory.dmp

Filesize
448KB

Download
memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1408-58-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1408-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1408-70-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1408-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1408-72-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads