Analysis
-
max time kernel
151s -
max time network
147s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
19-07-2020 19:22
General
-
Target
citadel_1.3.1.0.vir.exe
-
Size
193KB
-
MD5
b3a89f2ad0c7f93c5c372ff5fe2b4cbc
-
SHA1
60ad3147c56275e99c06576948f31a14bbf6dcc8
-
SHA256
4c850cfff31192c9f8439e0b9e4127d0b419c9909d2c85e7e99a5bb0115db3c9
-
SHA512
6d66089b63d3b1bc130d5186c970ee396ac08720c37bd87abc964c567028aa8a01854fa2564e1ebe249dd93055fc3ccaf99a7d3d55b0e77cd1e844ea939f1b60
Score
8/10
Malware Config
Signatures
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Deletes itself 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
NTFS ADS 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\citadel_1.3.1.0.vir.exe"C:\Users\Admin\AppData\Local\Temp\citadel_1.3.1.0.vir.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Giop\cucak.exe"C:\Users\Admin\AppData\Roaming\Giop\cucak.exe"3⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp3a2a09bf.bat"3⤵
- Deletes itself
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail.exe" -Embedding1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of SendNotifyMessage
- Suspicious use of AdjustPrivilegeToken
- NTFS ADS
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail.exe" -Embedding1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of SendNotifyMessage
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log
-
C:\Users\Admin\AppData\Local\Temp\tmp3a2a09bf.bat
-
C:\Users\Admin\AppData\Roaming\Giop\cucak.exe
-
C:\Users\Admin\AppData\Roaming\Giop\cucak.exe
-
\Users\Admin\AppData\Roaming\Giop\cucak.exe
-
\Users\Admin\AppData\Roaming\Giop\cucak.exe
-
memory/836-39-0x0000000004CA0000-0x0000000004CA2000-memory.dmpFilesize
8KB
-
memory/836-44-0x0000000003BE0000-0x0000000003BE2000-memory.dmpFilesize
8KB
-
memory/836-19-0x0000000003AE0000-0x0000000003AE2000-memory.dmpFilesize
8KB
-
memory/836-20-0x00000000041F0000-0x00000000041F2000-memory.dmpFilesize
8KB
-
memory/836-21-0x0000000003F20000-0x0000000003F22000-memory.dmpFilesize
8KB
-
memory/836-22-0x0000000003F50000-0x0000000003F52000-memory.dmpFilesize
8KB
-
memory/836-25-0x0000000003AE0000-0x0000000003AE2000-memory.dmpFilesize
8KB
-
memory/836-26-0x00000000041C0000-0x00000000041C2000-memory.dmpFilesize
8KB
-
memory/836-27-0x0000000003F00000-0x0000000003F02000-memory.dmpFilesize
8KB
-
memory/836-28-0x00000000041E0000-0x00000000041E2000-memory.dmpFilesize
8KB
-
memory/836-29-0x0000000003F30000-0x0000000003F32000-memory.dmpFilesize
8KB
-
memory/836-30-0x00000000042C0000-0x00000000042C2000-memory.dmpFilesize
8KB
-
memory/836-31-0x0000000004B00000-0x0000000004B02000-memory.dmpFilesize
8KB
-
memory/836-32-0x0000000004B90000-0x0000000004B92000-memory.dmpFilesize
8KB
-
memory/836-33-0x0000000004BA0000-0x0000000004BA2000-memory.dmpFilesize
8KB
-
memory/836-34-0x0000000004BC0000-0x0000000004BC2000-memory.dmpFilesize
8KB
-
memory/836-35-0x0000000004C60000-0x0000000004C62000-memory.dmpFilesize
8KB
-
memory/836-37-0x0000000004C80000-0x0000000004C82000-memory.dmpFilesize
8KB
-
memory/836-38-0x0000000004C90000-0x0000000004C92000-memory.dmpFilesize
8KB
-
memory/836-17-0x0000000003AF0000-0x0000000003AF2000-memory.dmpFilesize
8KB
-
memory/836-40-0x00000000056C0000-0x00000000056C2000-memory.dmpFilesize
8KB
-
memory/836-41-0x00000000056D0000-0x00000000056D2000-memory.dmpFilesize
8KB
-
memory/836-42-0x00000000056E0000-0x00000000056E2000-memory.dmpFilesize
8KB
-
memory/836-43-0x00000000056F0000-0x00000000056F2000-memory.dmpFilesize
8KB
-
memory/836-45-0x0000000003EF0000-0x0000000003EF2000-memory.dmpFilesize
8KB
-
memory/836-18-0x0000000003EE0000-0x0000000003EE2000-memory.dmpFilesize
8KB
-
memory/836-46-0x0000000004920000-0x0000000004922000-memory.dmpFilesize
8KB
-
memory/836-47-0x0000000004930000-0x0000000004932000-memory.dmpFilesize
8KB
-
memory/836-48-0x0000000004940000-0x0000000004942000-memory.dmpFilesize
8KB
-
memory/836-49-0x0000000004950000-0x0000000004952000-memory.dmpFilesize
8KB
-
memory/836-50-0x0000000004960000-0x0000000004962000-memory.dmpFilesize
8KB
-
memory/836-51-0x00000000038A0000-0x0000000003AA0000-memory.dmpFilesize
2.0MB
-
memory/836-52-0x00000000039A0000-0x0000000003AA0000-memory.dmpFilesize
1024KB
-
memory/836-53-0x0000000002160000-0x0000000002170000-memory.dmpFilesize
64KB
-
memory/836-59-0x0000000001F60000-0x0000000001F70000-memory.dmpFilesize
64KB
-
memory/836-16-0x0000000003AE0000-0x0000000003AE2000-memory.dmpFilesize
8KB
-
memory/836-15-0x0000000003AD0000-0x0000000003AD2000-memory.dmpFilesize
8KB
-
memory/836-11-0x00000000039A0000-0x0000000003AA0000-memory.dmpFilesize
1024KB
-
memory/836-5-0x00000000038A0000-0x00000000039A0000-memory.dmpFilesize
1024KB
-
memory/836-7-0x00000000038A0000-0x0000000003AA0000-memory.dmpFilesize
2.0MB
-
memory/836-9-0x00000000038A0000-0x00000000039A0000-memory.dmpFilesize
1024KB
-
memory/836-10-0x00000000038A0000-0x0000000003AA0000-memory.dmpFilesize
2.0MB
-
memory/1468-2-0x0000000000000000-mapping.dmp
-
memory/1792-74-0x00000000039F0000-0x0000000003AF0000-memory.dmpFilesize
1024KB
-
memory/1792-73-0x00000000038F0000-0x0000000003AF0000-memory.dmpFilesize
2.0MB
-
memory/1792-72-0x00000000038F0000-0x00000000039F0000-memory.dmpFilesize
1024KB
-
memory/1792-84-0x0000000003C40000-0x0000000003C42000-memory.dmpFilesize
8KB
-
memory/1792-85-0x00000000038F0000-0x00000000039F0000-memory.dmpFilesize
1024KB
-
memory/1880-23-0x0000000000050000-0x0000000000083000-memory.dmpFilesize
204KB
-
memory/1880-24-0x000000000005D161-mapping.dmp