Analysis
max time kernel: 150s
max time network: 122s
platform: windows10_x64
resource: win10
submitted: 19-07-2020 19:24

Static task: static1

Behavioral task: behavioral1
Sample: citadel_1.1.0.0.vir.exe
Resource: win7 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: citadel_1.1.0.0.vir.exe
Resource: win10 (windows10_x64)
0 signatures, 0 seconds
General
Target: citadel_1.1.0.0.vir.exe
Size: 401KB
MD5: 5abefe1af6518c5daccbe0833b75858b
SHA1: 0bc40dc4b0d380b42b2bfbd89eedfc9669be9367
SHA256: fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d
SHA512: e4cb2d745533dc2dd4efd360d7bebf8f5cbebe4572130d0e874e021629b2d58d43fd05f7b146d60e6b87bc16b7be7e86b69bf6dcb1c984fcb9251c6f1613f28f
Score: 8/10
Malware Config
Signatures

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid   process
2920  citadel_1.1.0.0.vir.exe
3840  etfi.exe
Suspicious use of WriteProcessMemory (72 IoCs)
Processes (identical rows collapsed, with the number of repeated entries in the last column; the report lists 64 of the 72 entries):
description          pid   process                  target pid  target process           entries
wrote to memory of   2920  citadel_1.1.0.0.vir.exe  3556        citadel_1.1.0.0.vir.exe  8
wrote to memory of   3556  citadel_1.1.0.0.vir.exe  3840        etfi.exe                 3
wrote to memory of   3840  etfi.exe                 3800        etfi.exe                 8
wrote to memory of   3556  citadel_1.1.0.0.vir.exe  3772        cmd.exe                  3
wrote to memory of   3800  etfi.exe                 2784        sihost.exe               5
wrote to memory of   3800  etfi.exe                 2796        svchost.exe              5
wrote to memory of   3800  etfi.exe                 2848        taskhostw.exe            5
wrote to memory of   3800  etfi.exe                 2992        Explorer.EXE             5
wrote to memory of   3800  etfi.exe                 3136        ShellExperienceHost.exe  5
wrote to memory of   3800  etfi.exe                 3148        SearchUI.exe             5
wrote to memory of   3800  etfi.exe                 3360        RuntimeBroker.exe        5
wrote to memory of   3800  etfi.exe                 3592        DllHost.exe              5
wrote to memory of   3800  etfi.exe                 2552        backgroundTaskHost.exe   2
Suspicious use of SetThreadContext (2 IoCs)
Processes:
description             pid   process                  target pid  target process
set thread context of   2920  citadel_1.1.0.0.vir.exe  3556        citadel_1.1.0.0.vir.exe
set thread context of   3840  etfi.exe                 3800        etfi.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description                 pid   process
Token: SeSecurityPrivilege  3556  citadel_1.1.0.0.vir.exe
Token: SeSecurityPrivilege  3556  citadel_1.1.0.0.vir.exe
Executes dropped EXE (2 IoCs)
Processes:
pid   process
3840  etfi.exe
3800  etfi.exe
Suspicious behavior: EnumeratesProcesses (146 IoCs)
Processes (the report lists the same row 64 times; collapsed here):
pid   process
3800  etfi.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
description      ioc                                                                                                                                                   process
Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Razequ = "C:\\Users\\Admin\\AppData\\Roaming\\Ecet\\etfi.exe"  etfi.exe
Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run                                            etfi.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run                                                                            etfi.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description  ioc                                                                                     process
Key opened   \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE            etfi.exe
Key opened   \REGISTRY\MACHINE\Software\WOW6432Node\WINE                                            etfi.exe
Processes (process tree; indentation shows parent/child depth, signatures listed under each process)

c:\windows\system32\sihost.exe
  cmd: sihost.exe

c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

c:\windows\system32\taskhostw.exe
  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
    C:\Users\Admin\AppData\Local\Temp\citadel_1.1.0.0.vir.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\citadel_1.1.0.0.vir.exe"
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
        C:\Users\Admin\AppData\Local\Temp\citadel_1.1.0.0.vir.exe
          cmd: (garbled in the report)
          - Suspicious use of WriteProcessMemory
          - Suspicious use of AdjustPrivilegeToken
            C:\Users\Admin\AppData\Roaming\Ecet\etfi.exe
              cmd: "C:\Users\Admin\AppData\Roaming\Ecet\etfi.exe"
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              - Suspicious use of SetThreadContext
              - Executes dropped EXE
                C:\Users\Admin\AppData\Roaming\Ecet\etfi.exe
                  cmd: (garbled in the report)
                  - Suspicious use of WriteProcessMemory
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Adds Run key to start application
                  - Identifies Wine through registry keys
            C:\Windows\SysWOW64\cmd.exe
              cmd: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe8d12196.bat"

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  cmd: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\backgroundTaskHost.exe
  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca

C:\Windows\System32\slui.exe
  cmd: C:\Windows\System32\slui.exe -Embedding
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpe8d12196.bat
C:\Users\Admin\AppData\Roaming\Ecet\etfi.exe
C:\Users\Admin\AppData\Roaming\Ecet\etfi.exe
C:\Users\Admin\AppData\Roaming\Ecet\etfi.exe
memory/3556-2-0x0000000000400000-0x0000000000449000-memory.dmp (filesize 292KB)
memory/3556-3-0x00000000004414D4-mapping.dmp
memory/3556-4-0x0000000000400000-0x0000000000449000-memory.dmp (filesize 292KB)
memory/3772-14-0x0000000000000000-mapping.dmp
memory/3800-11-0x00000000004414D4-mapping.dmp
memory/3840-5-0x0000000000000000-mapping.dmp