Analysis
- max time kernel: 151s
- max time network: 82s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 16:35
Static task: static1

Behavioral task: behavioral1
- Sample: citadel_1.2.4.0.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: citadel_1.2.4.0.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: citadel_1.2.4.0.vir.exe
- Size: 630KB
- MD5: f5b434f9ad53bac3bd1af814bbe73fc5
- SHA1: 12a5100c1217b847c2177c3dc47efc233b188a2f
- SHA256: 54d67f153de6ba73daf1b037057cf5c0550cfb6c0aee53c5d5119a9a3647b300
- SHA512: ac64540501f8555cce3e2eb3f85b8c23ddf57d413d5b3d7c14274d46e2499c7667c14cfadeb36f803f05dadf1b33fd2049d5a29bb90fd12f9a6eaed988f91442
- Score: 8/10
Malware Config
Signatures
- Adds Run key to start application  (2 TTPs, 2 IoCs)
  Processes: fuwy.exe
  description / ioc / process:
    Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A63DE2C1-8E64-250B-8BE9-1048FBA6C158} = "C:\\Users\\Admin\\AppData\\Roaming\\Izavex\\fuwy.exe"  [fuwy.exe]
    Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run  [fuwy.exe]

- Suspicious use of UnmapMainImage  (2 IoCs)
  Processes: citadel_1.2.4.0.vir.exe, fuwy.exe
  pid / process:
    1400  citadel_1.2.4.0.vir.exe
    1420  fuwy.exe

- Suspicious use of WriteProcessMemory  (53 IoCs)
  Processes: citadel_1.2.4.0.vir.exe, fuwy.exe
  pid / process -> target pid / target process (identical rows collapsed, count at right; 53 rows in total):
    PID 1400 citadel_1.2.4.0.vir.exe  wrote to memory of  1420 fuwy.exe                 x4
    PID 1420 fuwy.exe                 wrote to memory of  1132 taskhost.exe             x5
    PID 1420 fuwy.exe                 wrote to memory of  1220 Dwm.exe                  x5
    PID 1420 fuwy.exe                 wrote to memory of  1284 Explorer.EXE             x5
    PID 1420 fuwy.exe                 wrote to memory of  1400 citadel_1.2.4.0.vir.exe  x5
    PID 1420 fuwy.exe                 wrote to memory of  1588 WinMail.exe              x5
    PID 1400 citadel_1.2.4.0.vir.exe  wrote to memory of  368 cmd.exe                   x9
    PID 1420 fuwy.exe                 wrote to memory of  1292 DllHost.exe              x5
    PID 1420 fuwy.exe                 wrote to memory of  1872 DllHost.exe              x5
    PID 1420 fuwy.exe                 wrote to memory of  1464 DllHost.exe              x5

- Suspicious behavior: EnumeratesProcesses  (32 IoCs)
  Processes: fuwy.exe
  pid / process:
    1420  fuwy.exe  (32 identical rows)

- Suspicious use of SetThreadContext  (1 IoC)
  Processes: citadel_1.2.4.0.vir.exe
  pid / process -> target pid / target process:
    PID 1400 citadel_1.2.4.0.vir.exe  set thread context of  368 cmd.exe

- NTFS ADS  (1 IoC)
  Processes: WinMail.exe
  description / ioc / process:
    File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\30DD2588-00000001.eml:OECustomProperty  [WinMail.exe]

- Modifies Internet Explorer settings  (2 IoCs)
  Processes: citadel_1.2.4.0.vir.exe
  description / ioc / process:
    Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy  [citadel_1.2.4.0.vir.exe]
    Set value (int)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  [citadel_1.2.4.0.vir.exe]

- Suspicious use of AdjustPrivilegeToken  (5 IoCs)
  Processes: citadel_1.2.4.0.vir.exe, WinMail.exe, cmd.exe
  description / pid / process:
    Token: SeSecurityPrivilege      1400  citadel_1.2.4.0.vir.exe
    Token: SeSecurityPrivilege      1400  citadel_1.2.4.0.vir.exe
    Token: SeSecurityPrivilege      1400  citadel_1.2.4.0.vir.exe
    Token: SeManageVolumePrivilege  1588  WinMail.exe
    Token: SeSecurityPrivilege      368   cmd.exe

- Loads dropped DLL  (2 IoCs)
  Processes: citadel_1.2.4.0.vir.exe
  pid / process:
    1400  citadel_1.2.4.0.vir.exe
    1400  citadel_1.2.4.0.vir.exe

- Executes dropped EXE  (1 IoC)
  Processes: fuwy.exe
  pid / process:
    1420  fuwy.exe

- Suspicious use of SetWindowsHookEx  (1 IoC)
  Processes: WinMail.exe
  pid / process:
    1588  WinMail.exe

- Deletes itself  (1 IoC)
  Processes: cmd.exe
  pid / process:
    368  cmd.exe
Processes (indented by tree depth; the depth number from the report follows each image path)
- C:\Windows\system32\taskhost.exe  (depth 1)
    command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe  (depth 1)
    command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE  (depth 1)
    command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\citadel_1.2.4.0.vir.exe  (depth 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\citadel_1.2.4.0.vir.exe"
      signatures:
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious use of AdjustPrivilegeToken
      - Loads dropped DLL
    - C:\Users\Admin\AppData\Roaming\Izavex\fuwy.exe  (depth 3)
        command line: "C:\Users\Admin\AppData\Roaming\Izavex\fuwy.exe"
        signatures:
        - Adds Run key to start application
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        - Suspicious behavior: EnumeratesProcesses
        - Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe  (depth 3)
        command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp509ffe44.bat"
        signatures:
        - Suspicious use of AdjustPrivilegeToken
        - Deletes itself
- C:\Program Files\Windows Mail\WinMail.exe  (depth 1)
    command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
    signatures:
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\DllHost.exe  (depth 1)
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\DllHost.exe  (depth 1)
    command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe  (depth 1)
    command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp509ffe44.bat
- C:\Users\Admin\AppData\Roaming\Izavex\fuwy.exe
- C:\Users\Admin\AppData\Roaming\Izavex\fuwy.exe
- C:\Users\Admin\AppData\Roaming\Usede\yrfyt.ber
- \Users\Admin\AppData\Roaming\Izavex\fuwy.exe
- \Users\Admin\AppData\Roaming\Izavex\fuwy.exe
- memory/368-28-0x00000000000CFF53-mapping.dmp
- memory/368-26-0x0000000000050000-0x00000000000E7000-memory.dmp  (Filesize: 604KB)
- memory/1420-2-0x0000000000000000-mapping.dmp
- memory/1588-17-0x0000000003AF0000-0x0000000003AF2000-memory.dmp  (Filesize: 8KB)
- memory/1588-21-0x0000000003E20000-0x0000000003E22000-memory.dmp  (Filesize: 8KB)
- memory/1588-16-0x0000000003AE0000-0x0000000003AE2000-memory.dmp  (Filesize: 8KB)
- memory/1588-11-0x00000000039D0000-0x0000000003AD0000-memory.dmp  (Filesize: 1024KB)
- memory/1588-18-0x0000000003F00000-0x0000000003F02000-memory.dmp  (Filesize: 8KB)
- memory/1588-19-0x0000000003E40000-0x0000000003E42000-memory.dmp  (Filesize: 8KB)
- memory/1588-20-0x0000000003AE0000-0x0000000003AE2000-memory.dmp  (Filesize: 8KB)
- memory/1588-15-0x0000000003AD0000-0x0000000003AD2000-memory.dmp  (Filesize: 8KB)
- memory/1588-22-0x0000000003D70000-0x0000000003D72000-memory.dmp  (Filesize: 8KB)
- memory/1588-23-0x0000000003AE0000-0x0000000003AE2000-memory.dmp  (Filesize: 8KB)
- memory/1588-24-0x0000000003E40000-0x0000000003E42000-memory.dmp  (Filesize: 8KB)
- memory/1588-25-0x0000000003AE0000-0x0000000003AE2000-memory.dmp  (Filesize: 8KB)
- memory/1588-10-0x00000000038D0000-0x0000000003AD0000-memory.dmp  (Filesize: 2.0MB)
- memory/1588-9-0x00000000038D0000-0x00000000039D0000-memory.dmp  (Filesize: 1024KB)
- memory/1588-7-0x00000000038D0000-0x0000000003AD0000-memory.dmp  (Filesize: 2.0MB)
- memory/1588-5-0x00000000038D0000-0x00000000039D0000-memory.dmp  (Filesize: 1024KB)