Analysis
- max time kernel: 126s
- max time network: 131s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 19:22
Static task: static1
Behavioral task: behavioral1
- Sample: citadel_1.3.1.0.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: citadel_1.3.1.0.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: citadel_1.3.1.0.vir.exe
- Size: 193KB
- MD5: b3a89f2ad0c7f93c5c372ff5fe2b4cbc
- SHA1: 60ad3147c56275e99c06576948f31a14bbf6dcc8
- SHA256: 4c850cfff31192c9f8439e0b9e4127d0b419c9909d2c85e7e99a5bb0115db3c9
- SHA512: 6d66089b63d3b1bc130d5186c970ee396ac08720c37bd87abc964c567028aa8a01854fa2564e1ebe249dd93055fc3ccaf99a7d3d55b0e77cd1e844ea939f1b60
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid 3864 (WerFault.exe) -> pid_target 3544 (citadel_1.3.1.0.vir.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: WerFault.exe
    Token: SeRestorePrivilege  pid 3864  WerFault.exe
    Token: SeBackupPrivilege   pid 3864  WerFault.exe
    Token: SeDebugPrivilege    pid 3864  WerFault.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: WerFault.exe
    pid 3864  WerFault.exe (14 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\citadel_1.3.1.0.vir.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\citadel_1.3.1.0.vir.exe"
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 296
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses