fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d

General

Target

citadel_1.1.0.0.vir.exe
Size

401KB
MD5

5abefe1af6518c5daccbe0833b75858b
SHA1

0bc40dc4b0d380b42b2bfbd89eedfc9669be9367
SHA256

fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d
SHA512

e4cb2d745533dc2dd4efd360d7bebf8f5cbebe4572130d0e874e021629b2d58d43fd05f7b146d60e6b87bc16b7be7e86b69bf6dcb1c984fcb9251c6f1613f28f

Score

8^/10

persistence evasion

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

citadel_1.1.0.0.vir.exeetfi.exe

pid process

2920 citadel_1.1.0.0.vir.exe
3840 etfi.exe

pid	process
2920	citadel_1.1.0.0.vir.exe
3840	etfi.exe

Suspicious use of WriteProcessMemory 72 IoCs

Processes:

citadel_1.1.0.0.vir.execitadel_1.1.0.0.vir.exeetfi.exeetfi.exe

description	pid	process	target process
PID 2920 wrote to memory of 3556	2920	citadel_1.1.0.0.vir.exe	citadel_1.1.0.0.vir.exe
PID 2920 wrote to memory of 3556	2920	citadel_1.1.0.0.vir.exe	citadel_1.1.0.0.vir.exe
PID 2920 wrote to memory of 3556	2920	citadel_1.1.0.0.vir.exe	citadel_1.1.0.0.vir.exe
PID 2920 wrote to memory of 3556	2920	citadel_1.1.0.0.vir.exe	citadel_1.1.0.0.vir.exe
PID 2920 wrote to memory of 3556	2920	citadel_1.1.0.0.vir.exe	citadel_1.1.0.0.vir.exe
PID 2920 wrote to memory of 3556	2920	citadel_1.1.0.0.vir.exe	citadel_1.1.0.0.vir.exe
PID 2920 wrote to memory of 3556	2920	citadel_1.1.0.0.vir.exe	citadel_1.1.0.0.vir.exe
PID 2920 wrote to memory of 3556	2920	citadel_1.1.0.0.vir.exe	citadel_1.1.0.0.vir.exe
PID 3556 wrote to memory of 3840	3556	citadel_1.1.0.0.vir.exe	etfi.exe
PID 3556 wrote to memory of 3840	3556	citadel_1.1.0.0.vir.exe	etfi.exe
PID 3556 wrote to memory of 3840	3556	citadel_1.1.0.0.vir.exe	etfi.exe
PID 3840 wrote to memory of 3800	3840	etfi.exe	etfi.exe
PID 3840 wrote to memory of 3800	3840	etfi.exe	etfi.exe
PID 3840 wrote to memory of 3800	3840	etfi.exe	etfi.exe
PID 3840 wrote to memory of 3800	3840	etfi.exe	etfi.exe
PID 3840 wrote to memory of 3800	3840	etfi.exe	etfi.exe
PID 3840 wrote to memory of 3800	3840	etfi.exe	etfi.exe
PID 3840 wrote to memory of 3800	3840	etfi.exe	etfi.exe
PID 3840 wrote to memory of 3800	3840	etfi.exe	etfi.exe
PID 3556 wrote to memory of 3772	3556	citadel_1.1.0.0.vir.exe	cmd.exe
PID 3556 wrote to memory of 3772	3556	citadel_1.1.0.0.vir.exe	cmd.exe
PID 3556 wrote to memory of 3772	3556	citadel_1.1.0.0.vir.exe	cmd.exe
PID 3800 wrote to memory of 2784	3800	etfi.exe	sihost.exe
PID 3800 wrote to memory of 2784	3800	etfi.exe	sihost.exe
PID 3800 wrote to memory of 2784	3800	etfi.exe	sihost.exe
PID 3800 wrote to memory of 2784	3800	etfi.exe	sihost.exe
PID 3800 wrote to memory of 2784	3800	etfi.exe	sihost.exe
PID 3800 wrote to memory of 2796	3800	etfi.exe	svchost.exe
PID 3800 wrote to memory of 2796	3800	etfi.exe	svchost.exe
PID 3800 wrote to memory of 2796	3800	etfi.exe	svchost.exe
PID 3800 wrote to memory of 2796	3800	etfi.exe	svchost.exe
PID 3800 wrote to memory of 2796	3800	etfi.exe	svchost.exe
PID 3800 wrote to memory of 2848	3800	etfi.exe	taskhostw.exe
PID 3800 wrote to memory of 2848	3800	etfi.exe	taskhostw.exe
PID 3800 wrote to memory of 2848	3800	etfi.exe	taskhostw.exe
PID 3800 wrote to memory of 2848	3800	etfi.exe	taskhostw.exe
PID 3800 wrote to memory of 2848	3800	etfi.exe	taskhostw.exe
PID 3800 wrote to memory of 2992	3800	etfi.exe	Explorer.EXE
PID 3800 wrote to memory of 2992	3800	etfi.exe	Explorer.EXE
PID 3800 wrote to memory of 2992	3800	etfi.exe	Explorer.EXE
PID 3800 wrote to memory of 2992	3800	etfi.exe	Explorer.EXE
PID 3800 wrote to memory of 2992	3800	etfi.exe	Explorer.EXE
PID 3800 wrote to memory of 3136	3800	etfi.exe	ShellExperienceHost.exe
PID 3800 wrote to memory of 3136	3800	etfi.exe	ShellExperienceHost.exe
PID 3800 wrote to memory of 3136	3800	etfi.exe	ShellExperienceHost.exe
PID 3800 wrote to memory of 3136	3800	etfi.exe	ShellExperienceHost.exe
PID 3800 wrote to memory of 3136	3800	etfi.exe	ShellExperienceHost.exe
PID 3800 wrote to memory of 3148	3800	etfi.exe	SearchUI.exe
PID 3800 wrote to memory of 3148	3800	etfi.exe	SearchUI.exe
PID 3800 wrote to memory of 3148	3800	etfi.exe	SearchUI.exe
PID 3800 wrote to memory of 3148	3800	etfi.exe	SearchUI.exe
PID 3800 wrote to memory of 3148	3800	etfi.exe	SearchUI.exe
PID 3800 wrote to memory of 3360	3800	etfi.exe	RuntimeBroker.exe
PID 3800 wrote to memory of 3360	3800	etfi.exe	RuntimeBroker.exe
PID 3800 wrote to memory of 3360	3800	etfi.exe	RuntimeBroker.exe
PID 3800 wrote to memory of 3360	3800	etfi.exe	RuntimeBroker.exe
PID 3800 wrote to memory of 3360	3800	etfi.exe	RuntimeBroker.exe
PID 3800 wrote to memory of 3592	3800	etfi.exe	DllHost.exe
PID 3800 wrote to memory of 3592	3800	etfi.exe	DllHost.exe
PID 3800 wrote to memory of 3592	3800	etfi.exe	DllHost.exe
PID 3800 wrote to memory of 3592	3800	etfi.exe	DllHost.exe
PID 3800 wrote to memory of 3592	3800	etfi.exe	DllHost.exe
PID 3800 wrote to memory of 2552	3800	etfi.exe	backgroundTaskHost.exe
PID 3800 wrote to memory of 2552	3800	etfi.exe	backgroundTaskHost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

citadel_1.1.0.0.vir.exeetfi.exe

description	pid	process	target process
PID 2920 set thread context of 3556	2920	citadel_1.1.0.0.vir.exe	citadel_1.1.0.0.vir.exe
PID 3840 set thread context of 3800	3840	etfi.exe	etfi.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

citadel_1.1.0.0.vir.exe

description pid process

Token: SeSecurityPrivilege 3556 citadel_1.1.0.0.vir.exe
Token: SeSecurityPrivilege 3556 citadel_1.1.0.0.vir.exe
Executes dropped EXE 2 IoCs

Processes:

etfi.exeetfi.exe

pid process

3840 etfi.exe
3800 etfi.exe

description	pid	process
Token: SeSecurityPrivilege	3556	citadel_1.1.0.0.vir.exe
Token: SeSecurityPrivilege	3556	citadel_1.1.0.0.vir.exe

pid	process
3840	etfi.exe
3800	etfi.exe

Suspicious behavior: EnumeratesProcesses 146 IoCs

Processes:

etfi.exe

pid	process
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe
3800	etfi.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

etfi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Razequ = "C:\\Users\\Admin\\AppData\\Roaming\\Ecet\\etfi.exe"	etfi.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run	etfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	etfi.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

etfi.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE	etfi.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\WINE	etfi.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2784

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2796

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2848

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\citadel_1.1.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\citadel_1.1.0.0.vir.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:2920

C:\Users\Admin\AppData\Local\Temp\citadel_1.1.0.0.vir.exe
昆㹠Ȝခ
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Users\Admin\AppData\Roaming\Ecet\etfi.exe
"C:\Users\Admin\AppData\Roaming\Ecet\etfi.exe"
4⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:3840

C:\Users\Admin\AppData\Roaming\Ecet\etfi.exe
昆㹠Ȟခ
5⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
- Identifies Wine through registry keys
PID:3800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe8d12196.bat"
4⤵
PID:3772

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3136

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3148

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3360

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3592

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:2552

C:\Windows\System32\slui.exe
C:\Windows\System32\slui.exe -Embedding
1⤵
PID:532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe8d12196.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Ecet\etfi.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ecet\etfi.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ecet\etfi.exe

Download Submit
memory/3556-2-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3556-3-0x00000000004414D4-mapping.dmp

Download
memory/3556-4-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3772-14-0x0000000000000000-mapping.dmp

Download
memory/3800-11-0x00000000004414D4-mapping.dmp

Download
memory/3840-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads