Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:24

Static task: static1
Behavioral task: behavioral1
  Sample: citadel_1.1.0.0.vir.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: citadel_1.1.0.0.vir.exe
  Resource: win10

General
- Target: citadel_1.1.0.0.vir.exe
- Size: 401KB
- MD5: 5abefe1af6518c5daccbe0833b75858b
- SHA1: 0bc40dc4b0d380b42b2bfbd89eedfc9669be9367
- SHA256: fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d
- SHA512: e4cb2d745533dc2dd4efd360d7bebf8f5cbebe4572130d0e874e021629b2d58d43fd05f7b146d60e6b87bc16b7be7e86b69bf6dcb1c984fcb9251c6f1613f28f
Malware Config
Signatures
- Suspicious use of WriteProcessMemory 101 IoCs
  Processes (description | pid | process | target process | times listed on this page):
  PID 316 wrote to memory of 1428 | 316 | citadel_1.1.0.0.vir.exe | citadel_1.1.0.0.vir.exe | 9
  PID 1428 wrote to memory of 868 | 1428 | citadel_1.1.0.0.vir.exe | onizy.exe | 4
  PID 868 wrote to memory of 756 | 868 | onizy.exe | onizy.exe | 9
  PID 1428 wrote to memory of 1060 | 1428 | citadel_1.1.0.0.vir.exe | cmd.exe | 4
  PID 756 wrote to memory of 1152 | 756 | onizy.exe | taskhost.exe | 5
  PID 756 wrote to memory of 1232 | 756 | onizy.exe | Dwm.exe | 5
  PID 756 wrote to memory of 1296 | 756 | onizy.exe | Explorer.EXE | 5
  PID 756 wrote to memory of 1212 | 756 | onizy.exe | DllHost.exe | 5
  PID 756 wrote to memory of 1668 | 756 | onizy.exe | DllHost.exe | 5
  PID 756 wrote to memory of 1936 | 756 | onizy.exe | DllHost.exe | 5
  PID 756 wrote to memory of 2000 | 756 | onizy.exe | DllHost.exe | 5
  PID 756 wrote to memory of 1476 | 756 | onizy.exe | DllHost.exe | 3
- Suspicious use of SetThreadContext 2 IoCs
  Processes (description | pid | process | target process):
  PID 316 set thread context of 1428 | 316 | citadel_1.1.0.0.vir.exe | citadel_1.1.0.0.vir.exe
  PID 868 set thread context of 756 | 868 | onizy.exe | onizy.exe
- Executes dropped EXE 2 IoCs
  Processes (pid | process):
  868 | onizy.exe
  756 | onizy.exe
- Identifies Wine through registry keys 2 TTPs 2 IoCs
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE | onizy.exe
  Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\WINE | onizy.exe
- Suspicious use of SetWindowsHookEx 2 IoCs
  Processes (pid | process):
  316 | citadel_1.1.0.0.vir.exe
  868 | onizy.exe
- Loads dropped DLL 2 IoCs
  Processes (pid | process):
  1428 | citadel_1.1.0.0.vir.exe
  1428 | citadel_1.1.0.0.vir.exe
- Deletes itself 1 IoCs
  Processes (pid | process):
  1060 | cmd.exe
- Suspicious behavior: EnumeratesProcesses 83 IoCs
  Processes (pid | process):
  756 | onizy.exe (this row is repeated once per listed IoC)
- Adds Run key to start application 2 TTPs 3 IoCs
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run | onizy.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run | onizy.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Huotoqinno = "C:\\Users\\Admin\\AppData\\Roaming\\Alev\\onizy.exe" | onizy.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes (description | pid | process):
  Token: SeSecurityPrivilege | 1428 | citadel_1.1.0.0.vir.exe
  Token: SeSecurityPrivilege | 1428 | citadel_1.1.0.0.vir.exe
Processes (indented by process-tree depth; path, then command line, then matched signatures)
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\citadel_1.1.0.0.vir.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\citadel_1.1.0.0.vir.exe"
    signatures: Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\citadel_1.1.0.0.vir.exe
      command line: [unrecoverable in source]
      signatures: Suspicious use of WriteProcessMemory; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Roaming\Alev\onizy.exe
        command line: "C:\Users\Admin\AppData\Roaming\Alev\onizy.exe"
        signatures: Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext; Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - C:\Users\Admin\AppData\Roaming\Alev\onizy.exe
          command line: [unrecoverable in source]
          signatures: Suspicious use of WriteProcessMemory; Executes dropped EXE; Identifies Wine through registry keys; Suspicious behavior: EnumeratesProcesses; Adds Run key to start application
      - C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd0243150.bat"
        signatures: Deletes itself
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpd0243150.bat
- C:\Users\Admin\AppData\Roaming\Alev\onizy.exe
- C:\Users\Admin\AppData\Roaming\Alev\onizy.exe
- C:\Users\Admin\AppData\Roaming\Alev\onizy.exe
- \Users\Admin\AppData\Roaming\Alev\onizy.exe
- \Users\Admin\AppData\Roaming\Alev\onizy.exe
- memory/316-6-0x0000000002610000-0x0000000002614000-memory.dmp (Filesize: 16KB)
- memory/316-5-0x0000000000230000-0x0000000000234000-memory.dmp (Filesize: 16KB)
- memory/756-15-0x00000000004414D4-mapping.dmp
- memory/868-9-0x0000000000000000-mapping.dmp
- memory/868-17-0x0000000001CA0000-0x0000000001CA4000-memory.dmp (Filesize: 16KB)
- memory/868-19-0x00000000026A0000-0x00000000026A4000-memory.dmp (Filesize: 16KB)
- memory/1060-20-0x0000000000000000-mapping.dmp
- memory/1428-3-0x00000000004414D4-mapping.dmp
- memory/1428-4-0x0000000000400000-0x0000000000449000-memory.dmp (Filesize: 292KB)
- memory/1428-2-0x0000000000400000-0x0000000000449000-memory.dmp (Filesize: 292KB)