76494ca680d605eca75201ecf6c87bf1c6070c640e95bf3acfd633ac529a8487

General

Target

citadel_0.0.1.1.vir.exe
Size

544KB
MD5

fb340f7a5dbb81b63198d0637b94fa13
SHA1

c73fec0e884dd8c0605257adcec1ab1153175455
SHA256

76494ca680d605eca75201ecf6c87bf1c6070c640e95bf3acfd633ac529a8487
SHA512

b8686134589b689f1866506b2d5da01eb2621aa20257ae229300897d15de5e1beaf1b69e120368371e8e124e3da044c2af82056255274f42e0fa4c28fd2dee27

Score

8^/10

persistence

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1413 IoCs

Processes:

citadel_0.0.1.1.vir.execitadel_0.0.1.1.vir.exeanalraulosg.exe

description	pid	process
Token: SeDebugPrivilege	4032	citadel_0.0.1.1.vir.exe
Token: SeSecurityPrivilege	1880	citadel_0.0.1.1.vir.exe
Token: SeSecurityPrivilege	1880	citadel_0.0.1.1.vir.exe
Token: SeSecurityPrivilege	1880	citadel_0.0.1.1.vir.exe
Token: SeSecurityPrivilege	1880	citadel_0.0.1.1.vir.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe
Token: SeSecurityPrivilege	3692	analraulosg.exe

Suspicious behavior: EnumeratesProcesses 72 IoCs

Processes:

citadel_0.0.1.1.vir.execitadel_0.0.1.1.vir.exeanalraulosg.exe

pid	process
4032	citadel_0.0.1.1.vir.exe
4032	citadel_0.0.1.1.vir.exe
4032	citadel_0.0.1.1.vir.exe
4032	citadel_0.0.1.1.vir.exe
4032	citadel_0.0.1.1.vir.exe
4032	citadel_0.0.1.1.vir.exe
4032	citadel_0.0.1.1.vir.exe
4032	citadel_0.0.1.1.vir.exe
1880	citadel_0.0.1.1.vir.exe
1880	citadel_0.0.1.1.vir.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe
3692	analraulosg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

citadel_0.0.1.1.vir.exeanalraulosg.exe

description	pid	process	target process
PID 4032 set thread context of 1880	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 504 set thread context of 3692	504	analraulosg.exe	analraulosg.exe

Loads dropped DLL 4 IoCs

Processes:

citadel_0.0.1.1.vir.exeanalraulosg.exe

pid process

1880 citadel_0.0.1.1.vir.exe
1880 citadel_0.0.1.1.vir.exe
3692 analraulosg.exe
3692 analraulosg.exe
Executes dropped EXE 2 IoCs

Processes:

analraulosg.exeanalraulosg.exe

pid process

504 analraulosg.exe
3692 analraulosg.exe

pid	process
1880	citadel_0.0.1.1.vir.exe
1880	citadel_0.0.1.1.vir.exe
3692	analraulosg.exe
3692	analraulosg.exe

pid	process
504	analraulosg.exe
3692	analraulosg.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

analraulosg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\Currentversion\Run	analraulosg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Currentversion\Run	analraulosg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Keciekala = "C:\\Users\\Admin\\AppData\\Roaming\\Ezfiagyp\\analraulosg.exe"	analraulosg.exe

Suspicious use of WriteProcessMemory 79 IoCs

Processes:

citadel_0.0.1.1.vir.execitadel_0.0.1.1.vir.exeanalraulosg.exeanalraulosg.exe

description	pid	process	target process
PID 4032 wrote to memory of 3876	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 3876	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 3876	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 3996	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 3996	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 3996	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 4028	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 4028	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 4028	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 3856	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 3856	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 3856	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 1880	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 1880	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 1880	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 1880	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 1880	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 1880	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 1880	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 4032 wrote to memory of 1880	4032	citadel_0.0.1.1.vir.exe	citadel_0.0.1.1.vir.exe
PID 1880 wrote to memory of 504	1880	citadel_0.0.1.1.vir.exe	analraulosg.exe
PID 1880 wrote to memory of 504	1880	citadel_0.0.1.1.vir.exe	analraulosg.exe
PID 1880 wrote to memory of 504	1880	citadel_0.0.1.1.vir.exe	analraulosg.exe
PID 504 wrote to memory of 3692	504	analraulosg.exe	analraulosg.exe
PID 504 wrote to memory of 3692	504	analraulosg.exe	analraulosg.exe
PID 504 wrote to memory of 3692	504	analraulosg.exe	analraulosg.exe
PID 504 wrote to memory of 3692	504	analraulosg.exe	analraulosg.exe
PID 504 wrote to memory of 3692	504	analraulosg.exe	analraulosg.exe
PID 504 wrote to memory of 3692	504	analraulosg.exe	analraulosg.exe
PID 504 wrote to memory of 3692	504	analraulosg.exe	analraulosg.exe
PID 504 wrote to memory of 3692	504	analraulosg.exe	analraulosg.exe
PID 1880 wrote to memory of 3796	1880	citadel_0.0.1.1.vir.exe	cmd.exe
PID 1880 wrote to memory of 3796	1880	citadel_0.0.1.1.vir.exe	cmd.exe
PID 1880 wrote to memory of 3796	1880	citadel_0.0.1.1.vir.exe	cmd.exe
PID 3692 wrote to memory of 2668	3692	analraulosg.exe	sihost.exe
PID 3692 wrote to memory of 2668	3692	analraulosg.exe	sihost.exe
PID 3692 wrote to memory of 2668	3692	analraulosg.exe	sihost.exe
PID 3692 wrote to memory of 2668	3692	analraulosg.exe	sihost.exe
PID 3692 wrote to memory of 2668	3692	analraulosg.exe	sihost.exe
PID 3692 wrote to memory of 2680	3692	analraulosg.exe	svchost.exe
PID 3692 wrote to memory of 2680	3692	analraulosg.exe	svchost.exe
PID 3692 wrote to memory of 2680	3692	analraulosg.exe	svchost.exe
PID 3692 wrote to memory of 2680	3692	analraulosg.exe	svchost.exe
PID 3692 wrote to memory of 2680	3692	analraulosg.exe	svchost.exe
PID 3692 wrote to memory of 2784	3692	analraulosg.exe	taskhostw.exe
PID 3692 wrote to memory of 2784	3692	analraulosg.exe	taskhostw.exe
PID 3692 wrote to memory of 2784	3692	analraulosg.exe	taskhostw.exe
PID 3692 wrote to memory of 2784	3692	analraulosg.exe	taskhostw.exe
PID 3692 wrote to memory of 2784	3692	analraulosg.exe	taskhostw.exe
PID 3692 wrote to memory of 2984	3692	analraulosg.exe	Explorer.EXE
PID 3692 wrote to memory of 2984	3692	analraulosg.exe	Explorer.EXE
PID 3692 wrote to memory of 2984	3692	analraulosg.exe	Explorer.EXE
PID 3692 wrote to memory of 2984	3692	analraulosg.exe	Explorer.EXE
PID 3692 wrote to memory of 2984	3692	analraulosg.exe	Explorer.EXE
PID 3692 wrote to memory of 3140	3692	analraulosg.exe	ShellExperienceHost.exe
PID 3692 wrote to memory of 3140	3692	analraulosg.exe	ShellExperienceHost.exe
PID 3692 wrote to memory of 3140	3692	analraulosg.exe	ShellExperienceHost.exe
PID 3692 wrote to memory of 3140	3692	analraulosg.exe	ShellExperienceHost.exe
PID 3692 wrote to memory of 3140	3692	analraulosg.exe	ShellExperienceHost.exe
PID 3692 wrote to memory of 3156	3692	analraulosg.exe	SearchUI.exe
PID 3692 wrote to memory of 3156	3692	analraulosg.exe	SearchUI.exe
PID 3692 wrote to memory of 3156	3692	analraulosg.exe	SearchUI.exe
PID 3692 wrote to memory of 3156	3692	analraulosg.exe	SearchUI.exe
PID 3692 wrote to memory of 3156	3692	analraulosg.exe	SearchUI.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2668

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2680

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2784

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe"
3⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe"
3⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe"
3⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe"
3⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.1.vir.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Roaming\Ezfiagyp\analraulosg.exe
"C:\Users\Admin\AppData\Roaming\Ezfiagyp\analraulosg.exe"
4⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:504

C:\Users\Admin\AppData\Roaming\Ezfiagyp\analraulosg.exe
"C:\Users\Admin\AppData\Roaming\Ezfiagyp\analraulosg.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc5d881c3.bat"
4⤵
PID:3796

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3140

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3156

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3700

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:3280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpc5d881c3.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Ezfiagyp\analraulosg.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ezfiagyp\analraulosg.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ezfiagyp\analraulosg.exe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1CBA.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1CCB.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\tmpD88.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\tmpD98.tmp

Download Submit
memory/504-5-0x0000000000000000-mapping.dmp

Download
memory/1880-1-0x000000000043F4D4-mapping.dmp

Download
memory/1880-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1880-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3692-9-0x000000000043F4D4-mapping.dmp

Download
memory/3796-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads