ba17f2ed642b9376a974263ac207dc55385c8d09119c89c5b1afb3b20215705a

General

Target

citadel_1.1.5.1.vir.exe
Size

219KB
MD5

6842dfc607a5d22511b0b37025092976
SHA1

1f90a17cd0e8c5b33d37c4f1d52e6fb490bbb888
SHA256

ba17f2ed642b9376a974263ac207dc55385c8d09119c89c5b1afb3b20215705a
SHA512

af7c5ba3c4128fb07f7d4ebce38e1f3a38cfc8a517ab32a0b4488cc63df366011129fdcc9610d110c9d5b8473534e201122af7b02d813d499d089fd3731d8633

Score

8^/10

persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

citadel_1.1.5.1.vir.exemowo.exe

description	pid	process	target process
PID 1400 wrote to memory of 1420	1400	citadel_1.1.5.1.vir.exe	mowo.exe
PID 1400 wrote to memory of 1420	1400	citadel_1.1.5.1.vir.exe	mowo.exe
PID 1400 wrote to memory of 1420	1400	citadel_1.1.5.1.vir.exe	mowo.exe
PID 1400 wrote to memory of 1420	1400	citadel_1.1.5.1.vir.exe	mowo.exe
PID 1420 wrote to memory of 1132	1420	mowo.exe	taskhost.exe
PID 1420 wrote to memory of 1132	1420	mowo.exe	taskhost.exe
PID 1420 wrote to memory of 1132	1420	mowo.exe	taskhost.exe
PID 1420 wrote to memory of 1132	1420	mowo.exe	taskhost.exe
PID 1420 wrote to memory of 1132	1420	mowo.exe	taskhost.exe
PID 1420 wrote to memory of 1220	1420	mowo.exe	Dwm.exe
PID 1420 wrote to memory of 1220	1420	mowo.exe	Dwm.exe
PID 1420 wrote to memory of 1220	1420	mowo.exe	Dwm.exe
PID 1420 wrote to memory of 1220	1420	mowo.exe	Dwm.exe
PID 1420 wrote to memory of 1220	1420	mowo.exe	Dwm.exe
PID 1420 wrote to memory of 1284	1420	mowo.exe	Explorer.EXE
PID 1420 wrote to memory of 1284	1420	mowo.exe	Explorer.EXE
PID 1420 wrote to memory of 1284	1420	mowo.exe	Explorer.EXE
PID 1420 wrote to memory of 1284	1420	mowo.exe	Explorer.EXE
PID 1420 wrote to memory of 1284	1420	mowo.exe	Explorer.EXE
PID 1420 wrote to memory of 1400	1420	mowo.exe	citadel_1.1.5.1.vir.exe
PID 1420 wrote to memory of 1400	1420	mowo.exe	citadel_1.1.5.1.vir.exe
PID 1420 wrote to memory of 1400	1420	mowo.exe	citadel_1.1.5.1.vir.exe
PID 1420 wrote to memory of 1400	1420	mowo.exe	citadel_1.1.5.1.vir.exe
PID 1420 wrote to memory of 1400	1420	mowo.exe	citadel_1.1.5.1.vir.exe
PID 1420 wrote to memory of 552	1420	mowo.exe	WinMail.exe
PID 1420 wrote to memory of 552	1420	mowo.exe	WinMail.exe
PID 1420 wrote to memory of 552	1420	mowo.exe	WinMail.exe
PID 1420 wrote to memory of 552	1420	mowo.exe	WinMail.exe
PID 1420 wrote to memory of 552	1420	mowo.exe	WinMail.exe
PID 1400 wrote to memory of 760	1400	citadel_1.1.5.1.vir.exe	cmd.exe
PID 1400 wrote to memory of 760	1400	citadel_1.1.5.1.vir.exe	cmd.exe
PID 1400 wrote to memory of 760	1400	citadel_1.1.5.1.vir.exe	cmd.exe
PID 1400 wrote to memory of 760	1400	citadel_1.1.5.1.vir.exe	cmd.exe
PID 1400 wrote to memory of 760	1400	citadel_1.1.5.1.vir.exe	cmd.exe
PID 1400 wrote to memory of 760	1400	citadel_1.1.5.1.vir.exe	cmd.exe
PID 1400 wrote to memory of 760	1400	citadel_1.1.5.1.vir.exe	cmd.exe
PID 1400 wrote to memory of 760	1400	citadel_1.1.5.1.vir.exe	cmd.exe
PID 1400 wrote to memory of 760	1400	citadel_1.1.5.1.vir.exe	cmd.exe
PID 1420 wrote to memory of 1576	1420	mowo.exe	DllHost.exe
PID 1420 wrote to memory of 1576	1420	mowo.exe	DllHost.exe
PID 1420 wrote to memory of 1576	1420	mowo.exe	DllHost.exe
PID 1420 wrote to memory of 1576	1420	mowo.exe	DllHost.exe
PID 1420 wrote to memory of 1576	1420	mowo.exe	DllHost.exe
PID 1420 wrote to memory of 1880	1420	mowo.exe	DllHost.exe
PID 1420 wrote to memory of 1880	1420	mowo.exe	DllHost.exe
PID 1420 wrote to memory of 1880	1420	mowo.exe	DllHost.exe
PID 1420 wrote to memory of 1880	1420	mowo.exe	DllHost.exe
PID 1420 wrote to memory of 1880	1420	mowo.exe	DllHost.exe
PID 1420 wrote to memory of 2024	1420	mowo.exe	DllHost.exe
PID 1420 wrote to memory of 2024	1420	mowo.exe	DllHost.exe
PID 1420 wrote to memory of 2024	1420	mowo.exe	DllHost.exe
PID 1420 wrote to memory of 2024	1420	mowo.exe	DllHost.exe
PID 1420 wrote to memory of 2024	1420	mowo.exe	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WinMail.exeWinMail.exe

pid process

552 WinMail.exe
1736 WinMail.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

WinMail.exeWinMail.exe

pid process

552 WinMail.exe
1736 WinMail.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

760 cmd.exe

pid	process
552	WinMail.exe
1736	WinMail.exe

pid	process
552	WinMail.exe
1736	WinMail.exe

pid	process
760	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

citadel_1.1.5.1.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy	citadel_1.1.5.1.vir.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	citadel_1.1.5.1.vir.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mowo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run	mowo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6DA8F39A-60E0-C6CE-2B08-891918FBFAF2} = "C:\\Users\\Admin\\AppData\\Roaming\\Uzuf\\mowo.exe"	mowo.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

citadel_1.1.5.1.vir.exeWinMail.execmd.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1400	citadel_1.1.5.1.vir.exe
Token: SeSecurityPrivilege	1400	citadel_1.1.5.1.vir.exe
Token: SeSecurityPrivilege	1400	citadel_1.1.5.1.vir.exe
Token: SeManageVolumePrivilege	552	WinMail.exe
Token: SeSecurityPrivilege	760	cmd.exe
Token: SeManageVolumePrivilege	1736	WinMail.exe

Executes dropped EXE 1 IoCs

Processes:

mowo.exe

pid process

1420 mowo.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

mowo.exe

pid	process
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe
1420	mowo.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

citadel_1.1.5.1.vir.exe

description pid process target process

PID 1400 set thread context of 760 1400 citadel_1.1.5.1.vir.exe cmd.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WinMail.exeWinMail.exe

pid process

552 WinMail.exe
1736 WinMail.exe

description	pid	process	target process
PID 1400 set thread context of 760	1400	citadel_1.1.5.1.vir.exe	cmd.exe

pid	process
552	WinMail.exe
1736	WinMail.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\5E5C7467-00000001.eml:OECustomProperty	WinMail.exe

Loads dropped DLL 2 IoCs

Processes:

citadel_1.1.5.1.vir.exe

pid process

1400 citadel_1.1.5.1.vir.exe
1400 citadel_1.1.5.1.vir.exe

pid	process
1400	citadel_1.1.5.1.vir.exe
1400	citadel_1.1.5.1.vir.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\citadel_1.1.5.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\citadel_1.1.5.1.vir.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Loads dropped DLL
PID:1400

C:\Users\Admin\AppData\Roaming\Uzuf\mowo.exe
"C:\Users\Admin\AppData\Roaming\Uzuf\mowo.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Adds Run key to start application
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb1388860.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of SendNotifyMessage
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- NTFS ADS
PID:552

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of SendNotifyMessage
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1576

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1880

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpb1388860.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Ahwi\nuysx.qyk

Download Submit
C:\Users\Admin\AppData\Roaming\Uzuf\mowo.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Uzuf\mowo.exe

Download Submit
\Users\Admin\AppData\Roaming\Uzuf\mowo.exe

Download Submit
\Users\Admin\AppData\Roaming\Uzuf\mowo.exe

Download Submit
memory/552-39-0x0000000004A30000-0x0000000004A32000-memory.dmp

Filesize
8KB

Download
memory/552-46-0x0000000003C20000-0x0000000003C22000-memory.dmp

Filesize
8KB

Download
memory/552-19-0x0000000003AD0000-0x0000000003AD2000-memory.dmp

Filesize
8KB

Download
memory/552-20-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

Filesize
8KB

Download
memory/552-21-0x0000000003CF0000-0x0000000003CF2000-memory.dmp

Filesize
8KB

Download
memory/552-22-0x0000000003AD0000-0x0000000003AD2000-memory.dmp

Filesize
8KB

Download
memory/552-23-0x0000000003AD0000-0x0000000003AD2000-memory.dmp

Filesize
8KB

Download
memory/552-24-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

Filesize
8KB

Download
memory/552-28-0x0000000003AD0000-0x0000000003AD2000-memory.dmp

Filesize
8KB

Download
memory/552-29-0x0000000003D00000-0x0000000003D02000-memory.dmp

Filesize
8KB

Download
memory/552-30-0x0000000003DE0000-0x0000000003DE2000-memory.dmp

Filesize
8KB

Download
memory/552-31-0x0000000003EB0000-0x0000000003EB2000-memory.dmp

Filesize
8KB

Download
memory/552-32-0x0000000004390000-0x0000000004392000-memory.dmp

Filesize
8KB

Download
memory/552-33-0x00000000043A0000-0x00000000043A2000-memory.dmp

Filesize
8KB

Download
memory/552-34-0x00000000043B0000-0x00000000043B2000-memory.dmp

Filesize
8KB

Download
memory/552-36-0x0000000004470000-0x0000000004472000-memory.dmp

Filesize
8KB

Download
memory/552-37-0x0000000004590000-0x0000000004592000-memory.dmp

Filesize
8KB

Download
memory/552-38-0x00000000045A0000-0x00000000045A2000-memory.dmp

Filesize
8KB

Download
memory/552-17-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/552-40-0x0000000004A40000-0x0000000004A42000-memory.dmp

Filesize
8KB

Download
memory/552-41-0x0000000004AB0000-0x0000000004AB2000-memory.dmp

Filesize
8KB

Download
memory/552-42-0x0000000004AC0000-0x0000000004AC2000-memory.dmp

Filesize
8KB

Download
memory/552-43-0x0000000004AD0000-0x0000000004AD2000-memory.dmp

Filesize
8KB

Download
memory/552-44-0x0000000004AE0000-0x0000000004AE2000-memory.dmp

Filesize
8KB

Download
memory/552-45-0x0000000003B60000-0x0000000003B62000-memory.dmp

Filesize
8KB

Download
memory/552-18-0x0000000003DC0000-0x0000000003DC2000-memory.dmp

Filesize
8KB

Download
memory/552-47-0x0000000004490000-0x0000000004492000-memory.dmp

Filesize
8KB

Download
memory/552-48-0x00000000044A0000-0x00000000044A2000-memory.dmp

Filesize
8KB

Download
memory/552-49-0x00000000044B0000-0x00000000044B2000-memory.dmp

Filesize
8KB

Download
memory/552-50-0x00000000044C0000-0x00000000044C2000-memory.dmp

Filesize
8KB

Download
memory/552-51-0x00000000044D0000-0x00000000044D2000-memory.dmp

Filesize
8KB

Download
memory/552-52-0x0000000003880000-0x0000000003980000-memory.dmp

Filesize
1024KB

Download
memory/552-54-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/552-60-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/552-16-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/552-15-0x0000000003AD0000-0x0000000003AD2000-memory.dmp

Filesize
8KB

Download
memory/552-11-0x0000000003980000-0x0000000003A80000-memory.dmp

Filesize
1024KB

Download
memory/552-5-0x0000000003880000-0x0000000003980000-memory.dmp

Filesize
1024KB

Download
memory/552-7-0x0000000003880000-0x0000000003A80000-memory.dmp

Filesize
2.0MB

Download
memory/552-9-0x0000000003880000-0x0000000003980000-memory.dmp

Filesize
1024KB

Download
memory/552-10-0x0000000003880000-0x0000000003A80000-memory.dmp

Filesize
2.0MB

Download
memory/760-27-0x000000000005B018-mapping.dmp

Download
memory/760-26-0x0000000000050000-0x000000000007F000-memory.dmp

Filesize
188KB

Download
memory/1420-2-0x0000000000000000-mapping.dmp

Download
memory/1736-74-0x0000000003830000-0x0000000003A30000-memory.dmp

Filesize
2.0MB

Download
memory/1736-75-0x0000000003930000-0x0000000003A30000-memory.dmp

Filesize
1024KB

Download
memory/1736-73-0x0000000003830000-0x0000000003930000-memory.dmp

Filesize
1024KB

Download
memory/1736-85-0x0000000003F80000-0x0000000003F82000-memory.dmp

Filesize
8KB

Download
memory/1736-86-0x0000000003830000-0x0000000003A30000-memory.dmp

Filesize
2.0MB

Download
memory/1736-87-0x0000000003930000-0x0000000003A30000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads