371b9214f60a70c81ec1756d284e8028ff7603498341ecb7fa5cc09f3b10043e

General

Target

citadel_1.2.0.0b.vir.exe
Size

213KB
MD5

b7f755dc5616bbf10f6d11a276c88c98
SHA1

6a31f670e6b91d246ff88d073d6c0b0cde9e9300
SHA256

371b9214f60a70c81ec1756d284e8028ff7603498341ecb7fa5cc09f3b10043e
SHA512

a569a9049e1c5a3cd5278400a4a8d53c6b728c685aca6401896c94ddf5efd7226660feaeb3a65e30d8b652fdf7da93053b577cc08fc8b480bb4527c6efa4cc89

Score

8^/10

discovery persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

citadel_1.2.0.0b.vir.exeypno.exe

description	pid	process	target process
PID 724 wrote to memory of 1272	724	citadel_1.2.0.0b.vir.exe	ypno.exe
PID 724 wrote to memory of 1272	724	citadel_1.2.0.0b.vir.exe	ypno.exe
PID 724 wrote to memory of 1272	724	citadel_1.2.0.0b.vir.exe	ypno.exe
PID 1272 wrote to memory of 2736	1272	ypno.exe	sihost.exe
PID 1272 wrote to memory of 2736	1272	ypno.exe	sihost.exe
PID 1272 wrote to memory of 2736	1272	ypno.exe	sihost.exe
PID 1272 wrote to memory of 2736	1272	ypno.exe	sihost.exe
PID 1272 wrote to memory of 2736	1272	ypno.exe	sihost.exe
PID 1272 wrote to memory of 2752	1272	ypno.exe	svchost.exe
PID 1272 wrote to memory of 2752	1272	ypno.exe	svchost.exe
PID 1272 wrote to memory of 2752	1272	ypno.exe	svchost.exe
PID 1272 wrote to memory of 2752	1272	ypno.exe	svchost.exe
PID 1272 wrote to memory of 2752	1272	ypno.exe	svchost.exe
PID 1272 wrote to memory of 2876	1272	ypno.exe	taskhostw.exe
PID 1272 wrote to memory of 2876	1272	ypno.exe	taskhostw.exe
PID 1272 wrote to memory of 2876	1272	ypno.exe	taskhostw.exe
PID 1272 wrote to memory of 2876	1272	ypno.exe	taskhostw.exe
PID 1272 wrote to memory of 2876	1272	ypno.exe	taskhostw.exe
PID 1272 wrote to memory of 2984	1272	ypno.exe	Explorer.EXE
PID 1272 wrote to memory of 2984	1272	ypno.exe	Explorer.EXE
PID 1272 wrote to memory of 2984	1272	ypno.exe	Explorer.EXE
PID 1272 wrote to memory of 2984	1272	ypno.exe	Explorer.EXE
PID 1272 wrote to memory of 2984	1272	ypno.exe	Explorer.EXE
PID 1272 wrote to memory of 3152	1272	ypno.exe	ShellExperienceHost.exe
PID 1272 wrote to memory of 3152	1272	ypno.exe	ShellExperienceHost.exe
PID 1272 wrote to memory of 3152	1272	ypno.exe	ShellExperienceHost.exe
PID 1272 wrote to memory of 3152	1272	ypno.exe	ShellExperienceHost.exe
PID 1272 wrote to memory of 3152	1272	ypno.exe	ShellExperienceHost.exe
PID 1272 wrote to memory of 3164	1272	ypno.exe	SearchUI.exe
PID 1272 wrote to memory of 3164	1272	ypno.exe	SearchUI.exe
PID 1272 wrote to memory of 3164	1272	ypno.exe	SearchUI.exe
PID 1272 wrote to memory of 3164	1272	ypno.exe	SearchUI.exe
PID 1272 wrote to memory of 3164	1272	ypno.exe	SearchUI.exe
PID 1272 wrote to memory of 3472	1272	ypno.exe	RuntimeBroker.exe
PID 1272 wrote to memory of 3472	1272	ypno.exe	RuntimeBroker.exe
PID 1272 wrote to memory of 3472	1272	ypno.exe	RuntimeBroker.exe
PID 1272 wrote to memory of 3472	1272	ypno.exe	RuntimeBroker.exe
PID 1272 wrote to memory of 3472	1272	ypno.exe	RuntimeBroker.exe
PID 1272 wrote to memory of 3700	1272	ypno.exe	DllHost.exe
PID 1272 wrote to memory of 3700	1272	ypno.exe	DllHost.exe
PID 1272 wrote to memory of 3700	1272	ypno.exe	DllHost.exe
PID 1272 wrote to memory of 3700	1272	ypno.exe	DllHost.exe
PID 1272 wrote to memory of 3700	1272	ypno.exe	DllHost.exe
PID 1272 wrote to memory of 724	1272	ypno.exe	citadel_1.2.0.0b.vir.exe
PID 1272 wrote to memory of 724	1272	ypno.exe	citadel_1.2.0.0b.vir.exe
PID 1272 wrote to memory of 724	1272	ypno.exe	citadel_1.2.0.0b.vir.exe
PID 1272 wrote to memory of 724	1272	ypno.exe	citadel_1.2.0.0b.vir.exe
PID 1272 wrote to memory of 724	1272	ypno.exe	citadel_1.2.0.0b.vir.exe
PID 724 wrote to memory of 2500	724	citadel_1.2.0.0b.vir.exe	cmd.exe
PID 724 wrote to memory of 2500	724	citadel_1.2.0.0b.vir.exe	cmd.exe
PID 724 wrote to memory of 2500	724	citadel_1.2.0.0b.vir.exe	cmd.exe
PID 724 wrote to memory of 2500	724	citadel_1.2.0.0b.vir.exe	cmd.exe
PID 724 wrote to memory of 2500	724	citadel_1.2.0.0b.vir.exe	cmd.exe
PID 724 wrote to memory of 2500	724	citadel_1.2.0.0b.vir.exe	cmd.exe
PID 724 wrote to memory of 2500	724	citadel_1.2.0.0b.vir.exe	cmd.exe
PID 724 wrote to memory of 2500	724	citadel_1.2.0.0b.vir.exe	cmd.exe
PID 1272 wrote to memory of 2596	1272	ypno.exe	Conhost.exe
PID 1272 wrote to memory of 2596	1272	ypno.exe	Conhost.exe
PID 1272 wrote to memory of 2596	1272	ypno.exe	Conhost.exe
PID 1272 wrote to memory of 2596	1272	ypno.exe	Conhost.exe
PID 1272 wrote to memory of 2596	1272	ypno.exe	Conhost.exe

Executes dropped EXE 1 IoCs

Processes:

ypno.exe

pid process

1272 ypno.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

citadel_1.2.0.0b.vir.exe

description pid process target process

PID 724 set thread context of 2500 724 citadel_1.2.0.0b.vir.exe cmd.exe

pid	process
1272	ypno.exe

description	pid	process	target process
PID 724 set thread context of 2500	724	citadel_1.2.0.0b.vir.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

citadel_1.2.0.0b.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Privacy	citadel_1.2.0.0b.vir.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	citadel_1.2.0.0b.vir.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ypno.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\Currentversion\Run	ypno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	ypno.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fuihrao = "C:\\Users\\Admin\\AppData\\Roaming\\Ikvo\\ypno.exe"	ypno.exe

Suspicious behavior: EnumeratesProcesses 66 IoCs

Processes:

citadel_1.2.0.0b.vir.exeypno.exe

pid	process
724	citadel_1.2.0.0b.vir.exe
724	citadel_1.2.0.0b.vir.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
724	citadel_1.2.0.0b.vir.exe
724	citadel_1.2.0.0b.vir.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe
1272	ypno.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

citadel_1.2.0.0b.vir.exe

description	pid	process
Token: SeSecurityPrivilege	724	citadel_1.2.0.0b.vir.exe
Token: SeSecurityPrivilege	724	citadel_1.2.0.0b.vir.exe
Token: SeSecurityPrivilege	724	citadel_1.2.0.0b.vir.exe
Token: SeSecurityPrivilege	724	citadel_1.2.0.0b.vir.exe
Token: SeSecurityPrivilege	724	citadel_1.2.0.0b.vir.exe
Token: SeSecurityPrivilege	724	citadel_1.2.0.0b.vir.exe
Token: SeSecurityPrivilege	724	citadel_1.2.0.0b.vir.exe
Token: SeSecurityPrivilege	724	citadel_1.2.0.0b.vir.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2736

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2752

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2876

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\citadel_1.2.0.0b.vir.exe
"C:\Users\Admin\AppData\Local\Temp\citadel_1.2.0.0b.vir.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:724

C:\Users\Admin\AppData\Roaming\Ikvo\ypno.exe
"C:\Users\Admin\AppData\Roaming\Ikvo\ypno.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp460dc7ad.bat"
3⤵
PID:2500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2596

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3152

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3164

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3472

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3700

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ciob\xeha.xel

Download Submit
C:\Users\Admin\AppData\Roaming\Ikvo\ypno.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ikvo\ypno.exe

Download Submit
memory/1272-0-0x0000000000000000-mapping.dmp

Download
memory/2500-3-0x0000000000540000-0x000000000058A000-memory.dmp

Filesize
296KB

Download
memory/2500-4-0x000000000055262B-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads