Overview

overview

8

Static

static

citadel_1....ir.exe

windows7_x64

8

citadel_1....ir.exe

windows10_x64

1

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    19-07-2020 17:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    citadel_1.3.3.1.vir.exe

  • Size

    199KB

  • MD5

    df96ba696553268ea03f8bfa555047a4

  • SHA1

    ea937edc811b75a2949eb609d95bc53b031e63ed

  • SHA256

    cf813a86d30ddd0c2ca59f73334fffd241bfd31eddfe30dc2e73d5b29ae752d1

  • SHA512

    3ee228da9dcb7907c939ecebf417247b5b65dce22e92b642796de66f5fc8b7bc84bf658ffae0dab70f5f1cdbbc20df54ce89248a2d70e4dac54862b9a5ed8df3

Score
8/10
persistence

Malware Config

Signatures

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Deletes itself 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Loads dropped DLL 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1092
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1196
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1244
          • C:\Users\Admin\AppData\Local\Temp\citadel_1.3.3.1.vir.exe
            "C:\Users\Admin\AppData\Local\Temp\citadel_1.3.3.1.vir.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Modifies Internet Explorer settings
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1460
            • C:\Users\Admin\AppData\Roaming\Inihqe\uribu.exe
              "C:\Users\Admin\AppData\Roaming\Inihqe\uribu.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Adds Run key to start application
              • Suspicious use of WriteProcessMemory
              PID:1564
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp125894c2.bat"
              3⤵
              • Deletes itself
              PID:2004
        • C:\Program Files\Windows Mail\WinMail.exe
          "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
          1⤵
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of SendNotifyMessage
          • NTFS ADS
          • Suspicious use of AdjustPrivilegeToken
          PID:828
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1180
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            1⤵
              PID:524

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            Modify Registry

            2
            T1112

            Credential Access

            Discovery

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp125894c2.bat
              Download Submit
            • C:\Users\Admin\AppData\Roaming\Gogi\uqyzh.lix
              Download Submit
            • C:\Users\Admin\AppData\Roaming\Inihqe\uribu.exe
              Download Submit
            • C:\Users\Admin\AppData\Roaming\Inihqe\uribu.exe
              Download Submit
            • \Users\Admin\AppData\Roaming\Inihqe\uribu.exe
              Download Submit
            • \Users\Admin\AppData\Roaming\Inihqe\uribu.exe
              Download Submit
            • memory/828-5-0x00000000038F0000-0x00000000039F0000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/828-7-0x00000000038F0000-0x0000000003AF0000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/828-9-0x00000000038F0000-0x00000000039F0000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/828-10-0x00000000038F0000-0x0000000003AF0000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/828-11-0x00000000039F0000-0x0000000003AF0000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/828-15-0x0000000002560000-0x0000000002562000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-16-0x0000000002550000-0x0000000002552000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-17-0x0000000003AF0000-0x0000000003AF2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-18-0x0000000003BF0000-0x0000000003BF2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-19-0x0000000004010000-0x0000000004012000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-20-0x0000000003B30000-0x0000000003B32000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-21-0x0000000003C00000-0x0000000003C02000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-22-0x0000000003C20000-0x0000000003C22000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-23-0x0000000003B30000-0x0000000003B32000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-24-0x0000000003B50000-0x0000000003B52000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-25-0x0000000003B30000-0x0000000003B32000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-26-0x0000000003B30000-0x0000000003B32000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-27-0x0000000003F60000-0x0000000003F62000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-28-0x0000000004000000-0x0000000004002000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-29-0x0000000003B50000-0x0000000003B52000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-30-0x00000000041C0000-0x00000000041C2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-31-0x00000000045E0000-0x00000000045E2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-32-0x00000000045F0000-0x00000000045F2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-33-0x0000000004600000-0x0000000004602000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-34-0x0000000004620000-0x0000000004622000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-35-0x0000000004640000-0x0000000004642000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-36-0x0000000004650000-0x0000000004652000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-37-0x0000000004660000-0x0000000004662000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-38-0x00000000045B0000-0x00000000045B2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-39-0x0000000004670000-0x0000000004672000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-40-0x00000000045A0000-0x00000000045A2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-41-0x0000000004680000-0x0000000004682000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-42-0x0000000004590000-0x0000000004592000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-43-0x0000000004580000-0x0000000004582000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-44-0x0000000004570000-0x0000000004572000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-45-0x0000000003E50000-0x0000000003E52000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-46-0x0000000003B60000-0x0000000003B62000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-47-0x0000000004DF0000-0x0000000004DF2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-48-0x0000000004DE0000-0x0000000004DE2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-49-0x0000000004D50000-0x0000000004D52000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-50-0x0000000004D40000-0x0000000004D42000-memory.dmp
              Filesize

              8KB

              Download
            • memory/828-51-0x00000000038F0000-0x00000000039F0000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/828-53-0x0000000002410000-0x0000000002420000-memory.dmp
              Filesize

              64KB

              Download
            • memory/828-59-0x00000000023B0000-0x00000000023C0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/1564-2-0x0000000000000000-mapping.dmp
              Download
            • memory/2004-65-0x0000000000050000-0x0000000000086000-memory.dmp
              Filesize

              216KB

              Download
            • memory/2004-67-0x00000000000664E4-mapping.dmp
              Download