Analysis
- max time kernel: 151s
- max time network: 84s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 17:29
Static task: static1
Behavioral task: behavioral1
- Sample: citadel_1.2.0.0.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: citadel_1.2.0.0.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: citadel_1.2.0.0.vir.exe
- Size: 234KB
- MD5: b2325969f4c2db6350b279b5f255e0c8
- SHA1: dad6a70eee64ce5d8cc2f7ebc6bb444a6337fc3f
- SHA256: 989d34e7e12df031098bc9898451e765b2a79c9af7416ea9906f81e95755cc20
- SHA512: fb41254d588d474dfb20746684b3ef911863cf812d0752ae5d3228b6b8ee391bacf5a948d8d58c9efd2da6ad6e978b0807b18717d9a9cc2f2e6b861cb20e3304
- Score: 8/10
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: citadel_1.2.0.0.vir.exe, WinMail.exe, cmd.exe
  description | pid | process
  Token: SeSecurityPrivilege | 1528 | citadel_1.2.0.0.vir.exe
  Token: SeSecurityPrivilege | 1528 | citadel_1.2.0.0.vir.exe
  Token: SeSecurityPrivilege | 1528 | citadel_1.2.0.0.vir.exe
  Token: SeManageVolumePrivilege | 1060 | WinMail.exe
  Token: SeSecurityPrivilege | 760 | cmd.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: citadel_1.2.0.0.vir.exe
  description | pid | process | target process
  PID 1528 set thread context of 760 | 1528 | citadel_1.2.0.0.vir.exe | cmd.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid | process
  760 | cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: isve.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run | isve.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{482FE526-507D-68B9-2FB1-A702D7980250} = "C:\\Users\\Admin\\AppData\\Roaming\\Ewekka\\isve.exe" | isve.exe
- Loads dropped DLL (2 IoCs)
  Processes: citadel_1.2.0.0.vir.exe
  pid | process
  1528 | citadel_1.2.0.0.vir.exe
  1528 | citadel_1.2.0.0.vir.exe
- Suspicious use of WriteProcessMemory (53 IoCs; identical rows collapsed, repeat count in parentheses)
  Processes: citadel_1.2.0.0.vir.exe, isve.exe
  description | pid | process | target process
  PID 1528 wrote to memory of 852 (x4) | 1528 | citadel_1.2.0.0.vir.exe | isve.exe
  PID 852 wrote to memory of 1168 (x5) | 852 | isve.exe | taskhost.exe
  PID 852 wrote to memory of 1252 (x5) | 852 | isve.exe | Dwm.exe
  PID 852 wrote to memory of 1316 (x5) | 852 | isve.exe | Explorer.EXE
  PID 852 wrote to memory of 1528 (x5) | 852 | isve.exe | citadel_1.2.0.0.vir.exe
  PID 852 wrote to memory of 1060 (x5) | 852 | isve.exe | WinMail.exe
  PID 1528 wrote to memory of 760 (x9) | 1528 | citadel_1.2.0.0.vir.exe | cmd.exe
  PID 852 wrote to memory of 1576 (x5) | 852 | isve.exe | DllHost.exe
  PID 852 wrote to memory of 1976 (x5) | 852 | isve.exe | DllHost.exe
  PID 852 wrote to memory of 1260 (x5) | 852 | isve.exe | DllHost.exe
- Executes dropped EXE (1 IoC)
  Processes: isve.exe
  pid | process
  852 | isve.exe
- Suspicious behavior: EnumeratesProcesses (32 IoCs; identical rows collapsed, repeat count in parentheses)
  Processes: isve.exe
  pid | process
  852 | isve.exe (x32)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: WinMail.exe
  pid | process
  1060 | WinMail.exe
- Modifies Internet Explorer settings
  Processes: citadel_1.2.0.0.vir.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy | citadel_1.2.0.0.vir.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | citadel_1.2.0.0.vir.exe
- NTFS ADS (1 IoC)
  Processes: WinMail.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\06193513-00000001.eml:OECustomProperty | WinMail.exe
Processes (nesting shows the parent/child relationship)
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\citadel_1.2.0.0.vir.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\citadel_1.2.0.0.vir.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - Modifies Internet Explorer settings
    - C:\Users\Admin\AppData\Roaming\Ewekka\isve.exe
      command line: "C:\Users\Admin\AppData\Roaming\Ewekka\isve.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5a22cb48.bat"
      - Suspicious use of AdjustPrivilegeToken
      - Deletes itself
- C:\Program Files\Windows Mail\WinMail.exe
  command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - NTFS ADS
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5a22cb48.bat
- C:\Users\Admin\AppData\Roaming\Ewekka\isve.exe
- C:\Users\Admin\AppData\Roaming\Ewekka\isve.exe
- C:\Users\Admin\AppData\Roaming\Oswaw\liwao.qes
- \Users\Admin\AppData\Roaming\Ewekka\isve.exe
- \Users\Admin\AppData\Roaming\Ewekka\isve.exe