Analysis
- max time kernel: 150s
- max time network: 114s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 17:31
Static task: static1

Behavioral task: behavioral1
- Sample: citadel_0.0.1.1.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: citadel_0.0.1.1.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: citadel_0.0.1.1.vir.exe
- Size: 544KB
- MD5: fb340f7a5dbb81b63198d0637b94fa13
- SHA1: c73fec0e884dd8c0605257adcec1ab1153175455
- SHA256: 76494ca680d605eca75201ecf6c87bf1c6070c640e95bf3acfd633ac529a8487
- SHA512: b8686134589b689f1866506b2d5da01eb2621aa20257ae229300897d15de5e1beaf1b69e120368371e8e124e3da044c2af82056255274f42e0fa4c28fd2dee27
- Score: 8/10
Malware Config

Signatures
- Suspicious use of AdjustPrivilegeToken (1413 IoCs)
- Suspicious behavior: EnumeratesProcesses (72 IoCs)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  - PID 4032 (citadel_0.0.1.1.vir.exe) set thread context of PID 1880 (citadel_0.0.1.1.vir.exe)
  - PID 504 (analraulosg.exe) set thread context of PID 3692 (analraulosg.exe)
- Loads dropped DLL (4 IoCs)
  Processes:
  - PID 1880 citadel_0.0.1.1.vir.exe
  - PID 1880 citadel_0.0.1.1.vir.exe
  - PID 3692 analraulosg.exe
  - PID 3692 analraulosg.exe
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 504 analraulosg.exe
  - PID 3692 analraulosg.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\Currentversion\Run (analraulosg.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Currentversion\Run (analraulosg.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Keciekala = "C:\\Users\\Admin\\AppData\\Roaming\\Ezfiagyp\\analraulosg.exe" (analraulosg.exe)
- Suspicious use of WriteProcessMemory (79 IoCs)
Processes
(indentation shows the parent/child tree; each entry gives the image path, its command line, and the signatures that process triggered)

c:\windows\system32\sihost.exe
  cmdline: sihost.exe

c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

c:\windows\system32\taskhostw.exe
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe"

    C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe"

    C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe"

    C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe"

    C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Ezfiagyp\analraulosg.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\Ezfiagyp\analraulosg.exe"
        - Suspicious use of SetThreadContext
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Ezfiagyp\analraulosg.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\Ezfiagyp\analraulosg.exe"
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious behavior: EnumeratesProcesses
          - Loads dropped DLL
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc5d881c3.bat"

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  cmdline: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\backgroundTaskHost.exe
  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpc5d881c3.bat
- C:\Users\Admin\AppData\Roaming\Ezfiagyp\analraulosg.exe
- C:\Users\Admin\AppData\Roaming\Ezfiagyp\analraulosg.exe
- C:\Users\Admin\AppData\Roaming\Ezfiagyp\analraulosg.exe
- \Users\Admin\AppData\Local\Temp\tmp1CBA.tmp
- \Users\Admin\AppData\Local\Temp\tmp1CCB.tmp
- \Users\Admin\AppData\Local\Temp\tmpD88.tmp
- \Users\Admin\AppData\Local\Temp\tmpD98.tmp
- memory/504-5-0x0000000000000000-mapping.dmp
- memory/1880-1-0x000000000043F4D4-mapping.dmp
- memory/1880-2-0x0000000000400000-0x0000000000447000-memory.dmp (Filesize: 284KB)
- memory/1880-0-0x0000000000400000-0x0000000000447000-memory.dmp (Filesize: 284KB)
- memory/3692-9-0x000000000043F4D4-mapping.dmp
- memory/3796-12-0x0000000000000000-mapping.dmp