4c850cfff31192c9f8439e0b9e4127d0b419c9909d2c85e7e99a5bb0115db3c9 | Triage

Analysis

max time kernel
126s
max time network
131s
platform
windows10_x64
resource
win10
submitted
19-07-2020 19:22

Sharing

Report Analysis Logs

General

Target

citadel_1.3.1.0.vir.exe
Size

193KB
MD5

b3a89f2ad0c7f93c5c372ff5fe2b4cbc
SHA1

60ad3147c56275e99c06576948f31a14bbf6dcc8
SHA256

4c850cfff31192c9f8439e0b9e4127d0b419c9909d2c85e7e99a5bb0115db3c9
SHA512

6d66089b63d3b1bc130d5186c970ee396ac08720c37bd87abc964c567028aa8a01854fa2564e1ebe249dd93055fc3ccaf99a7d3d55b0e77cd1e844ea939f1b60

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3864 3544 WerFault.exe citadel_1.3.1.0.vir.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3864 WerFault.exe
Token: SeBackupPrivilege 3864 WerFault.exe
Token: SeDebugPrivilege 3864 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\citadel_1.3.1.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\citadel_1.3.1.0.vir.exe"
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 296
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3864-0-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/3864-1-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download