Analysis
-
max time kernel
151s -
max time network
117s -
platform
windows7_x64 -
resource
win7 -
submitted
19-07-2020 17:37
General
-
Target
citadel_1.3.3.3.vir.exe
-
Size
202KB
-
MD5
50854eb699adde84c0106ac46d7859e5
-
SHA1
24e47df1ca6df385e6ee7e47ae3ba3efee8713f5
-
SHA256
deb51e50b4628567f8690316317083aa337b10d9a23cbbf5d8a21b6d6e8e194f
-
SHA512
7594ce07af47ca63f8764b15fc1e4f7872bcd3a3f50ff02ed0d2db078f24040c3cb76763117b174f711db859b442898460382a28096b783d96de7ba188c108c9
Score
8/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 73 IoCs
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Deletes itself 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
NTFS ADS 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\citadel_1.3.3.3.vir.exe"C:\Users\Admin\AppData\Local\Temp\citadel_1.3.3.3.vir.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Modifies Internet Explorer settings
- Suspicious use of SetThreadContext
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Ebebe\lupiz.exe"C:\Users\Admin\AppData\Roaming\Ebebe\lupiz.exe"3⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd4eeafce.bat"3⤵
- Deletes itself
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail.exe" -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- NTFS ADS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpd4eeafce.bat
-
C:\Users\Admin\AppData\Roaming\Ebebe\lupiz.exe
-
C:\Users\Admin\AppData\Roaming\Ebebe\lupiz.exe
-
C:\Users\Admin\AppData\Roaming\Esegv\uswo.teg
-
\Users\Admin\AppData\Roaming\Ebebe\lupiz.exe
-
\Users\Admin\AppData\Roaming\Ebebe\lupiz.exe
-
memory/240-5-0x00000000038E0000-0x00000000039E0000-memory.dmpFilesize
1024KB
-
memory/240-7-0x00000000038E0000-0x0000000003AE0000-memory.dmpFilesize
2.0MB
-
memory/240-9-0x00000000038E0000-0x00000000039E0000-memory.dmpFilesize
1024KB
-
memory/240-10-0x00000000038E0000-0x0000000003AE0000-memory.dmpFilesize
2.0MB
-
memory/240-11-0x00000000039E0000-0x0000000003AE0000-memory.dmpFilesize
1024KB
-
memory/240-15-0x00000000025D0000-0x00000000025D2000-memory.dmpFilesize
8KB
-
memory/240-16-0x0000000003AF0000-0x0000000003AF2000-memory.dmpFilesize
8KB
-
memory/240-17-0x0000000003AE0000-0x0000000003AE2000-memory.dmpFilesize
8KB
-
memory/240-18-0x0000000003BC0000-0x0000000003BC2000-memory.dmpFilesize
8KB
-
memory/240-19-0x0000000003EC0000-0x0000000003EC2000-memory.dmpFilesize
8KB
-
memory/240-20-0x0000000003D20000-0x0000000003D22000-memory.dmpFilesize
8KB
-
memory/240-21-0x0000000003AF0000-0x0000000003AF2000-memory.dmpFilesize
8KB
-
memory/240-22-0x0000000003E20000-0x0000000003E22000-memory.dmpFilesize
8KB
-
memory/240-23-0x0000000003D20000-0x0000000003D22000-memory.dmpFilesize
8KB
-
memory/240-24-0x0000000003BC0000-0x0000000003BC2000-memory.dmpFilesize
8KB
-
memory/240-25-0x0000000003D20000-0x0000000003D22000-memory.dmpFilesize
8KB
-
memory/240-26-0x0000000003F50000-0x0000000003F52000-memory.dmpFilesize
8KB
-
memory/240-27-0x0000000003EC0000-0x0000000003EC2000-memory.dmpFilesize
8KB
-
memory/240-28-0x0000000003CE0000-0x0000000003CE2000-memory.dmpFilesize
8KB
-
memory/240-29-0x0000000004490000-0x0000000004492000-memory.dmpFilesize
8KB
-
memory/240-30-0x00000000044A0000-0x00000000044A2000-memory.dmpFilesize
8KB
-
memory/240-31-0x00000000044B0000-0x00000000044B2000-memory.dmpFilesize
8KB
-
memory/240-32-0x00000000044D0000-0x00000000044D2000-memory.dmpFilesize
8KB
-
memory/240-33-0x00000000044F0000-0x00000000044F2000-memory.dmpFilesize
8KB
-
memory/240-34-0x0000000004500000-0x0000000004502000-memory.dmpFilesize
8KB
-
memory/240-35-0x00000000045A0000-0x00000000045A2000-memory.dmpFilesize
8KB
-
memory/240-36-0x0000000004630000-0x0000000004632000-memory.dmpFilesize
8KB
-
memory/240-37-0x0000000004640000-0x0000000004642000-memory.dmpFilesize
8KB
-
memory/240-38-0x00000000047B0000-0x00000000047B2000-memory.dmpFilesize
8KB
-
memory/240-39-0x00000000047C0000-0x00000000047C2000-memory.dmpFilesize
8KB
-
memory/240-40-0x00000000047D0000-0x00000000047D2000-memory.dmpFilesize
8KB
-
memory/240-41-0x00000000048E0000-0x00000000048E2000-memory.dmpFilesize
8KB
-
memory/240-42-0x0000000003B70000-0x0000000003B72000-memory.dmpFilesize
8KB
-
memory/240-43-0x0000000004070000-0x0000000004072000-memory.dmpFilesize
8KB
-
memory/240-44-0x0000000004060000-0x0000000004062000-memory.dmpFilesize
8KB
-
memory/240-45-0x0000000004050000-0x0000000004052000-memory.dmpFilesize
8KB
-
memory/240-46-0x0000000004040000-0x0000000004042000-memory.dmpFilesize
8KB
-
memory/240-47-0x0000000004030000-0x0000000004032000-memory.dmpFilesize
8KB
-
memory/240-48-0x0000000003BB0000-0x0000000003BB2000-memory.dmpFilesize
8KB
-
memory/240-49-0x00000000038E0000-0x00000000039E0000-memory.dmpFilesize
1024KB
-
memory/240-51-0x0000000001EB0000-0x0000000001EC0000-memory.dmpFilesize
64KB
-
memory/240-57-0x0000000000450000-0x0000000000460000-memory.dmpFilesize
64KB
-
memory/1104-2-0x0000000000000000-mapping.dmp
-
memory/1896-63-0x0000000000050000-0x0000000000086000-memory.dmpFilesize
216KB
-
memory/1896-65-0x00000000000610BD-mapping.dmp