Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    19-07-2020 19:24

General

  • Target

    citadel_1.1.0.0.vir.exe

  • Size

    401KB

  • MD5

    5abefe1af6518c5daccbe0833b75858b

  • SHA1

    0bc40dc4b0d380b42b2bfbd89eedfc9669be9367

  • SHA256

    fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d

  • SHA512

    e4cb2d745533dc2dd4efd360d7bebf8f5cbebe4572130d0e874e021629b2d58d43fd05f7b146d60e6b87bc16b7be7e86b69bf6dcb1c984fcb9251c6f1613f28f

Score
8/10

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 101 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Deletes itself 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 83 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    PID:1152
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    PID:1232
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1296
    • C:\Users\Admin\AppData\Local\Temp\citadel_1.1.0.0.vir.exe
      "C:\Users\Admin\AppData\Local\Temp\citadel_1.1.0.0.vir.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      PID:316
      • C:\Users\Admin\AppData\Local\Temp\citadel_1.1.0.0.vir.exe
        犚䁸Ɍခ
        3⤵
        • Suspicious use of WriteProcessMemory
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:1428
        • C:\Users\Admin\AppData\Roaming\Alev\onizy.exe
          "C:\Users\Admin\AppData\Roaming\Alev\onizy.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          • Suspicious use of SetThreadContext
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:868
          • C:\Users\Admin\AppData\Roaming\Alev\onizy.exe
            犚䁸ǔခ
            5⤵
            • Suspicious use of WriteProcessMemory
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious behavior: EnumeratesProcesses
            • Adds Run key to start application
            PID:756
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd0243150.bat"
          4⤵
          • Deletes itself
          PID:1060
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:1212
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    PID:1668
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    PID:1936
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    PID:2000
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    PID:1476
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    PID:332
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    PID:1220
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    PID:1684
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    PID:1912
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    PID:1976
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    PID:1492
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    PID:616

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    • Virtualization/Sandbox Evasion (T1497): 1
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 1
    • Virtualization/Sandbox Evasion (T1497): 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpd0243150.bat
  • C:\Users\Admin\AppData\Roaming\Alev\onizy.exe
  • C:\Users\Admin\AppData\Roaming\Alev\onizy.exe
  • C:\Users\Admin\AppData\Roaming\Alev\onizy.exe
  • \Users\Admin\AppData\Roaming\Alev\onizy.exe
  • \Users\Admin\AppData\Roaming\Alev\onizy.exe
  • memory/316-6-0x0000000002610000-0x0000000002614000-memory.dmp
    Filesize: 16KB
  • memory/316-5-0x0000000000230000-0x0000000000234000-memory.dmp
    Filesize: 16KB
  • memory/756-15-0x00000000004414D4-mapping.dmp
  • memory/868-9-0x0000000000000000-mapping.dmp
  • memory/868-17-0x0000000001CA0000-0x0000000001CA4000-memory.dmp
    Filesize: 16KB
  • memory/868-19-0x00000000026A0000-0x00000000026A4000-memory.dmp
    Filesize: 16KB
  • memory/1060-20-0x0000000000000000-mapping.dmp
  • memory/1428-3-0x00000000004414D4-mapping.dmp
  • memory/1428-4-0x0000000000400000-0x0000000000449000-memory.dmp
    Filesize: 292KB
  • memory/1428-2-0x0000000000400000-0x0000000000449000-memory.dmp
    Filesize: 292KB