Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 19:48

Static task: static1

Behavioral task: behavioral1
- Sample: citadel_3.1.0.0.vir.exe
- Resource: win7

Behavioral task: behavioral2
- Sample: citadel_3.1.0.0.vir.exe
- Resource: win10

General
- Target: citadel_3.1.0.0.vir.exe
- Size: 307KB
- MD5: 3d3ef329a4d920735fbc6c56d2a15691
- SHA1: 74c7c9c8470ea55c04ee3c7fe168793ee32d4686
- SHA256: 1ec347934db2ded3a012479882732bfb3cdc85b0d4b2911e3402c1fa693a2235
- SHA512: 0e2d88ef2f8f8d1a65f63473e89c345cb73630efa5c717e7a8f721ae8703077d651ee66ee4756c4a4d6e6e1a007c6246b007c20689be195763353bcb7654c9ed
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (116 IoCs)
  Processes (pid, process):
    3876 nyve.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 2460 (citadel_3.1.0.0.vir.exe) set thread context of PID 3456 (cmd.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run (nyve.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qazemu = "C:\\Users\\Admin\\AppData\\Roaming\\Luedo\\nyve.exe" (nyve.exe)
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description, ioc, process):
    Key opened: \REGISTRY\MACHINE\Software\WOW6432Node\WINE (nyve.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE (nyve.exe)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
    Token: SeSecurityPrivilege, PID 2460 (citadel_3.1.0.0.vir.exe)
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    3876 nyve.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of WriteProcessMemory (71 IoCs)
  Processes, distinct writer/target pairs (description, pid, process, target process):
    PID 2460 (citadel_3.1.0.0.vir.exe) wrote to memory of PID 3876 (nyve.exe)
    PID 3876 (nyve.exe) wrote to memory of PID 2692 (sihost.exe)
    PID 3876 (nyve.exe) wrote to memory of PID 2708 (svchost.exe)
    PID 3876 (nyve.exe) wrote to memory of PID 2836 (taskhostw.exe)
    PID 3876 (nyve.exe) wrote to memory of PID 2988 (Explorer.EXE)
    PID 3876 (nyve.exe) wrote to memory of PID 3140 (ShellExperienceHost.exe)
    PID 3876 (nyve.exe) wrote to memory of PID 3156 (SearchUI.exe)
    PID 3876 (nyve.exe) wrote to memory of PID 3356 (RuntimeBroker.exe)
    PID 3876 (nyve.exe) wrote to memory of PID 3652 (DllHost.exe)
    PID 3876 (nyve.exe) wrote to memory of PID 3692 (backgroundTaskHost.exe)
    PID 3876 (nyve.exe) wrote to memory of PID 2460 (citadel_3.1.0.0.vir.exe)
    PID 2460 (citadel_3.1.0.0.vir.exe) wrote to memory of PID 3456 (cmd.exe)
    PID 3876 (nyve.exe) wrote to memory of PID 2540 (Conhost.exe)
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
    Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Privacy (citadel_3.1.0.0.vir.exe)
    Set value (int): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" (citadel_3.1.0.0.vir.exe)
Processes (nested entries are child processes)
- c:\windows\system32\sihost.exe
  Command line: sihost.exe
- c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- c:\windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\citadel_3.1.0.0.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\citadel_3.1.0.0.vir.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Modifies Internet Explorer settings
    - C:\Users\Admin\AppData\Roaming\Luedo\nyve.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Luedo\nyve.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Adds Run key to start application
      - Identifies Wine through registry keys
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp757f529d.bat"
      - C:\Windows\System32\Conhost.exe
        Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
- C:\Program Files\Windows Mail\WinMail.exe
  Command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
- C:\Windows\System32\slui.exe
  Command line: C:\Windows\System32\slui.exe -Embedding
Downloads
- C:\Users\Admin\AppData\Roaming\Iqulez\wodya.ifi
- C:\Users\Admin\AppData\Roaming\Luedo\nyve.exe
- C:\Users\Admin\AppData\Roaming\Luedo\nyve.exe
- memory/3456-4-0x0000000002FA0000-0x0000000002FE5000-memory.dmp (Filesize: 276KB)
- memory/3456-5-0x0000000002FC1D29-mapping.dmp
- memory/3876-0-0x0000000000000000-mapping.dmp