Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    19-07-2020 19:48

General

  • Target

    citadel_3.1.0.0.vir.exe

  • Size

    307KB

  • MD5

    3d3ef329a4d920735fbc6c56d2a15691

  • SHA1

    74c7c9c8470ea55c04ee3c7fe168793ee32d4686

  • SHA256

    1ec347934db2ded3a012479882732bfb3cdc85b0d4b2911e3402c1fa693a2235

  • SHA512

    0e2d88ef2f8f8d1a65f63473e89c345cb73630efa5c717e7a8f721ae8703077d651ee66ee4756c4a4d6e6e1a007c6246b007c20689be195763353bcb7654c9ed

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 116 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of WriteProcessMemory 71 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs

Processes

  • c:\windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2692
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
      1⤵
        PID:2708
      • c:\windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
          PID:2836
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
            PID:2988
            • C:\Users\Admin\AppData\Local\Temp\citadel_3.1.0.0.vir.exe
              "C:\Users\Admin\AppData\Local\Temp\citadel_3.1.0.0.vir.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • Modifies Internet Explorer settings
              PID:2460
              • C:\Users\Admin\AppData\Roaming\Luedo\nyve.exe
                "C:\Users\Admin\AppData\Roaming\Luedo\nyve.exe"
                3⤵
                • Suspicious behavior: EnumeratesProcesses
                • Adds Run key to start application
                • Identifies Wine through registry keys
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:3876
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp757f529d.bat"
                3⤵
                  PID:3456
                  • C:\Windows\System32\Conhost.exe
                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    4⤵
                      PID:2540
              • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
                "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
                1⤵
                  PID:3140
                • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
                  1⤵
                    PID:3156
                  • C:\Windows\System32\RuntimeBroker.exe
                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                    1⤵
                      PID:3356
                    • C:\Windows\system32\DllHost.exe
                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                      1⤵
                        PID:3652
                      • C:\Windows\system32\backgroundTaskHost.exe
                        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
                        1⤵
                          PID:3692
                        • C:\Program Files\Windows Mail\WinMail.exe
                          "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
                          1⤵
                            PID:3928
                          • C:\Windows\System32\slui.exe
                            C:\Windows\System32\slui.exe -Embedding
                            1⤵
                              PID:1668

                            Network

                            MITRE ATT&CK Matrix ATT&CK v6

                            Persistence

                            Registry Run Keys / Startup Folder

                            1
                            T1060

                            Defense Evasion

                            Modify Registry

                            2
                            T1112

                            Virtualization/Sandbox Evasion

                            1
                            T1497

                            Credential Access

                            Credentials in Files

                            1
                            T1081

                            Discovery

                            Query Registry

                            1
                            T1012

                            Virtualization/Sandbox Evasion

                            1
                            T1497

                            Collection

                            Data from Local System

                            1
                            T1005

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Roaming\Iqulez\wodya.ifi
                            • C:\Users\Admin\AppData\Roaming\Luedo\nyve.exe
                            • C:\Users\Admin\AppData\Roaming\Luedo\nyve.exe
                            • memory/3456-4-0x0000000002FA0000-0x0000000002FE5000-memory.dmp
                              Filesize

                              276KB

                            • memory/3456-5-0x0000000002FC1D29-mapping.dmp
                            • memory/3876-0-0x0000000000000000-mapping.dmp