Overview

overview

8

Static

static

8

citadel_1....ir.exe

windows7_x64

8

citadel_1....ir.exe

windows10_x64

3

Analysis

  • max time kernel
    151s
  • max time network
    84s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    19-07-2020 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    citadel_1.2.0.0.vir.exe

  • Size

    234KB

  • MD5

    b2325969f4c2db6350b279b5f255e0c8

  • SHA1

    dad6a70eee64ce5d8cc2f7ebc6bb444a6337fc3f

  • SHA256

    989d34e7e12df031098bc9898451e765b2a79c9af7416ea9906f81e95755cc20

  • SHA512

    fb41254d588d474dfb20746684b3ef911863cf812d0752ae5d3228b6b8ee391bacf5a948d8d58c9efd2da6ad6e978b0807b18717d9a9cc2f2e6b861cb20e3304

Score
8/10
persistence

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Loads dropped DLL 2 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • NTFS ADS 1 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1168
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1252
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1316
          • C:\Users\Admin\AppData\Local\Temp\citadel_1.2.0.0.vir.exe
            "C:\Users\Admin\AppData\Local\Temp\citadel_1.2.0.0.vir.exe"
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetThreadContext
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            • Modifies Internet Explorer settings
            PID:1528
            • C:\Users\Admin\AppData\Roaming\Ewekka\isve.exe
              "C:\Users\Admin\AppData\Roaming\Ewekka\isve.exe"
              3⤵
              • Adds Run key to start application
              • Suspicious use of WriteProcessMemory
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:852
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5a22cb48.bat"
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              • Deletes itself
              PID:760
        • C:\Program Files\Windows Mail\WinMail.exe
          "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • NTFS ADS
          PID:1060
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1576
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            1⤵
              PID:1976
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
              1⤵
                PID:1260

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              Defense Evasion

              Modify Registry

              2
              T1112

              Credential Access

              Discovery

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\tmp5a22cb48.bat
                Download Submit
              • C:\Users\Admin\AppData\Roaming\Ewekka\isve.exe
                Download Submit
              • C:\Users\Admin\AppData\Roaming\Ewekka\isve.exe
                Download Submit
              • C:\Users\Admin\AppData\Roaming\Oswaw\liwao.qes
                Download Submit
              • \Users\Admin\AppData\Roaming\Ewekka\isve.exe
                Download Submit
              • \Users\Admin\AppData\Roaming\Ewekka\isve.exe
                Download Submit
              • memory/760-27-0x000000000005FD20-mapping.dmp
                Download
              • memory/760-25-0x0000000000050000-0x0000000000080000-memory.dmp
                Filesize

                192KB

                Download
              • memory/852-2-0x0000000000000000-mapping.dmp
                Download
              • memory/1060-17-0x0000000002660000-0x0000000002662000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1060-21-0x0000000002650000-0x0000000002652000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1060-16-0x0000000002670000-0x0000000002672000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1060-11-0x0000000003A50000-0x0000000003B50000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/1060-18-0x0000000003D40000-0x0000000003D42000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1060-19-0x0000000002650000-0x0000000002652000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1060-20-0x0000000003C50000-0x0000000003C52000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1060-15-0x0000000002650000-0x0000000002652000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1060-22-0x0000000002650000-0x0000000002652000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1060-23-0x0000000003C60000-0x0000000003C62000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1060-24-0x0000000003C70000-0x0000000003C72000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1060-10-0x0000000003950000-0x0000000003B50000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/1060-9-0x0000000003950000-0x0000000003A50000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/1060-7-0x0000000003950000-0x0000000003B50000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/1060-5-0x0000000003950000-0x0000000003A50000-memory.dmp
                Filesize

                1024KB

                Download