Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:48
- Static task: static1
- Behavioral task: behavioral1, Sample: citadel_3.1.0.0.vir.exe, Resource: win7
- Behavioral task: behavioral2, Sample: citadel_3.1.0.0.vir.exe, Resource: win10
General
- Target: citadel_3.1.0.0.vir.exe
- Size: 307KB
- MD5: 3d3ef329a4d920735fbc6c56d2a15691
- SHA1: 74c7c9c8470ea55c04ee3c7fe168793ee32d4686
- SHA256: 1ec347934db2ded3a012479882732bfb3cdc85b0d4b2911e3402c1fa693a2235
- SHA512: 0e2d88ef2f8f8d1a65f63473e89c345cb73630efa5c717e7a8f721ae8703077d651ee66ee4756c4a4d6e6e1a007c6246b007c20689be195763353bcb7654c9ed
Malware Config
Signatures
Suspicious use of WriteProcessMemory 58 IoCs
Processes:
- PID 316 (citadel_3.1.0.0.vir.exe) wrote to memory of PID 1440 (ycwei.exe): 4 times
- PID 1440 (ycwei.exe) wrote to memory of PID 1152 (taskhost.exe): 5 times
- PID 1440 (ycwei.exe) wrote to memory of PID 1232 (Dwm.exe): 5 times
- PID 1440 (ycwei.exe) wrote to memory of PID 1296 (Explorer.EXE): 5 times
- PID 1440 (ycwei.exe) wrote to memory of PID 316 (citadel_3.1.0.0.vir.exe): 5 times
- PID 316 (citadel_3.1.0.0.vir.exe) wrote to memory of PID 2024 (cmd.exe): 9 times
- PID 1440 (ycwei.exe) wrote to memory of PID 1128 (DllHost.exe): 5 times
- PID 1440 (ycwei.exe) wrote to memory of PID 1532 (DllHost.exe): 5 times
- PID 1440 (ycwei.exe) wrote to memory of PID 1720 (DllHost.exe): 5 times
- PID 1440 (ycwei.exe) wrote to memory of PID 1712 (DllHost.exe): 5 times
- PID 1440 (ycwei.exe) wrote to memory of PID 1908 (DllHost.exe): 5 times

Suspicious use of SendNotifyMessage 1 IoCs
Processes:
- PID 304 WinMail.exe

Deletes itself 1 IoCs
Processes:
- PID 2024 cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Loads dropped DLL 1 IoCs
Processes:
- PID 316 citadel_3.1.0.0.vir.exe

Executes dropped EXE 1 IoCs
Processes:
- PID 1440 ycwei.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- PID 304 WinMail.exe

NTFS ADS 1 IoCs
Processes:
- File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\1C6F419D-00000001.eml:OECustomProperty (WinMail.exe)

Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
- Token: SeSecurityPrivilege, PID 316 citadel_3.1.0.0.vir.exe (4 times)
- Token: SeManageVolumePrivilege, PID 304 WinMail.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs
Processes:
- PID 1440 ycwei.exe (61 times)

Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 316 (citadel_3.1.0.0.vir.exe) set thread context of PID 2024 (cmd.exe)

Modifies Internet Explorer settings 2 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy (citadel_3.1.0.0.vir.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" (citadel_3.1.0.0.vir.exe)

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 304 WinMail.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- Key opened: \REGISTRY\MACHINE\Software\Wow6432Node\WINE (ycwei.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE (ycwei.exe)

Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run (ycwei.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pukuov = "C:\\Users\\Admin\\AppData\\Roaming\\Siubdy\\ycwei.exe" (ycwei.exe)
Processes
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\citadel_3.1.0.0.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\citadel_3.1.0.0.vir.exe"
    - Suspicious use of WriteProcessMemory
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - C:\Users\Admin\AppData\Roaming\Siubdy\ycwei.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Siubdy\ycwei.exe"
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Identifies Wine through registry keys
      - Adds Run key to start application
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpdbea69d1.bat"
      - Deletes itself
- C:\Program Files\Windows Mail\WinMail.exe
  Command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
  - Suspicious use of SendNotifyMessage
  - Suspicious use of FindShellTrayWindow
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpdbea69d1.bat
- C:\Users\Admin\AppData\Roaming\Gukyeg\kyebl.sye
- C:\Users\Admin\AppData\Roaming\Siubdy\ycwei.exe
- C:\Users\Admin\AppData\Roaming\Siubdy\ycwei.exe
- \Users\Admin\AppData\Roaming\Siubdy\ycwei.exe
- memory/304-4-0x0000000003880000-0x0000000003980000-memory.dmp, filesize 1024KB
- memory/304-6-0x0000000003880000-0x0000000003A80000-memory.dmp, filesize 2.0MB
- memory/304-8-0x0000000003880000-0x0000000003980000-memory.dmp, filesize 1024KB
- memory/304-9-0x0000000003880000-0x0000000003A80000-memory.dmp, filesize 2.0MB
- memory/304-10-0x0000000003980000-0x0000000003A80000-memory.dmp, filesize 1024KB
- memory/304-14-0x0000000003AD0000-0x0000000003AD2000-memory.dmp, filesize 8KB
- memory/304-15-0x0000000003AF0000-0x0000000003AF2000-memory.dmp, filesize 8KB
- memory/304-16-0x0000000003AE0000-0x0000000003AE2000-memory.dmp, filesize 8KB
- memory/304-17-0x0000000003BC0000-0x0000000003BC2000-memory.dmp, filesize 8KB
- memory/304-18-0x0000000004080000-0x0000000004082000-memory.dmp, filesize 8KB
- memory/304-19-0x0000000003AD0000-0x0000000003AD2000-memory.dmp, filesize 8KB
- memory/304-20-0x0000000003EE0000-0x0000000003EE2000-memory.dmp, filesize 8KB
- memory/304-21-0x0000000003CD0000-0x0000000003CD2000-memory.dmp, filesize 8KB
- memory/304-22-0x0000000003D00000-0x0000000003D02000-memory.dmp, filesize 8KB
- memory/304-23-0x0000000003EC0000-0x0000000003EC2000-memory.dmp, filesize 8KB
- memory/304-24-0x0000000003CF0000-0x0000000003CF2000-memory.dmp, filesize 8KB
- memory/304-25-0x0000000004090000-0x0000000004092000-memory.dmp, filesize 8KB
- memory/304-26-0x0000000003CA0000-0x0000000003CA2000-memory.dmp, filesize 8KB
- memory/304-27-0x0000000003D10000-0x0000000003D12000-memory.dmp, filesize 8KB
- memory/304-28-0x0000000004180000-0x0000000004182000-memory.dmp, filesize 8KB
- memory/304-29-0x00000000044D0000-0x00000000044D2000-memory.dmp, filesize 8KB
- memory/304-30-0x00000000044E0000-0x00000000044E2000-memory.dmp, filesize 8KB
- memory/304-31-0x00000000044F0000-0x00000000044F2000-memory.dmp, filesize 8KB
- memory/304-32-0x0000000004A50000-0x0000000004A52000-memory.dmp, filesize 8KB
- memory/304-33-0x0000000004AF0000-0x0000000004AF2000-memory.dmp, filesize 8KB
- memory/304-34-0x0000000004B50000-0x0000000004B52000-memory.dmp, filesize 8KB
- memory/304-35-0x0000000004B80000-0x0000000004B82000-memory.dmp, filesize 8KB
- memory/304-36-0x0000000004B40000-0x0000000004B42000-memory.dmp, filesize 8KB
- memory/304-37-0x0000000004B90000-0x0000000004B92000-memory.dmp, filesize 8KB
- memory/304-38-0x0000000004B30000-0x0000000004B32000-memory.dmp, filesize 8KB
- memory/304-39-0x0000000004BA0000-0x0000000004BA2000-memory.dmp, filesize 8KB
- memory/304-40-0x0000000004B20000-0x0000000004B22000-memory.dmp, filesize 8KB
- memory/304-41-0x0000000004C30000-0x0000000004C32000-memory.dmp, filesize 8KB
- memory/304-42-0x0000000004B10000-0x0000000004B12000-memory.dmp, filesize 8KB
- memory/304-43-0x0000000003EB0000-0x0000000003EB2000-memory.dmp, filesize 8KB
- memory/304-44-0x0000000003BE0000-0x0000000003BE2000-memory.dmp, filesize 8KB
- memory/304-45-0x0000000005860000-0x0000000005862000-memory.dmp, filesize 8KB
- memory/304-46-0x00000000057D0000-0x00000000057D2000-memory.dmp, filesize 8KB
- memory/304-47-0x0000000005740000-0x0000000005742000-memory.dmp, filesize 8KB
- memory/304-48-0x00000000056E0000-0x00000000056E2000-memory.dmp, filesize 8KB
- memory/304-49-0x0000000003880000-0x0000000003980000-memory.dmp, filesize 1024KB
- memory/304-51-0x0000000002490000-0x00000000024A0000-memory.dmp, filesize 64KB
- memory/304-57-0x0000000000470000-0x0000000000480000-memory.dmp, filesize 64KB
- memory/1440-1-0x0000000000000000-mapping.dmp
- memory/2024-63-0x00000000000D0000-0x0000000000115000-memory.dmp, filesize 276KB
- memory/2024-65-0x00000000000F1D29-mapping.dmp