Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 16:50
Static task: static1
Behavioral task: behavioral1
- Sample: citadel_1.2.0.0b.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: citadel_1.2.0.0b.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: citadel_1.2.0.0b.vir.exe
- Size: 213KB
- MD5: b7f755dc5616bbf10f6d11a276c88c98
- SHA1: 6a31f670e6b91d246ff88d073d6c0b0cde9e9300
- SHA256: 371b9214f60a70c81ec1756d284e8028ff7603498341ecb7fa5cc09f3b10043e
- SHA512: a569a9049e1c5a3cd5278400a4a8d53c6b728c685aca6401896c94ddf5efd7226660feaeb3a65e30d8b652fdf7da93053b577cc08fc8b480bb4527c6efa4cc89
- Score: 8/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (61 IoCs)
  Processes (description, pid, process, target pid, target process; identical rows collapsed with a count):
    PID 724  citadel_1.2.0.0b.vir.exe  wrote to memory of  1272 ypno.exe                  x3
    PID 1272 ypno.exe                  wrote to memory of  2736 sihost.exe                x5
    PID 1272 ypno.exe                  wrote to memory of  2752 svchost.exe               x5
    PID 1272 ypno.exe                  wrote to memory of  2876 taskhostw.exe             x5
    PID 1272 ypno.exe                  wrote to memory of  2984 Explorer.EXE              x5
    PID 1272 ypno.exe                  wrote to memory of  3152 ShellExperienceHost.exe   x5
    PID 1272 ypno.exe                  wrote to memory of  3164 SearchUI.exe              x5
    PID 1272 ypno.exe                  wrote to memory of  3472 RuntimeBroker.exe         x5
    PID 1272 ypno.exe                  wrote to memory of  3700 DllHost.exe               x5
    PID 1272 ypno.exe                  wrote to memory of  724  citadel_1.2.0.0b.vir.exe  x5
    PID 724  citadel_1.2.0.0b.vir.exe  wrote to memory of  2500 cmd.exe                   x8
    PID 1272 ypno.exe                  wrote to memory of  2596 Conhost.exe               x5
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1272 ypno.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target pid, target process):
    PID 724 citadel_1.2.0.0b.vir.exe  set thread context of  2500 cmd.exe
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Privacy                      citadel_1.2.0.0b.vir.exe
    Set value (int)  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  citadel_1.2.0.0b.vir.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\Currentversion\Run  ypno.exe
    Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run  ypno.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fuihrao = "C:\\Users\\Admin\\AppData\\Roaming\\Ikvo\\ypno.exe"  ypno.exe
- Suspicious behavior: EnumeratesProcesses (66 IoCs)
  Processes (pid, process; the 66 IoCs are repeated hits from these two processes):
    724  citadel_1.2.0.0b.vir.exe
    1272 ypno.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (description, pid, process):
    Token: SeSecurityPrivilege  724 citadel_1.2.0.0b.vir.exe  x8
Processes (tree; each entry gives the image path, then the command line and any signatures hit)
- c:\windows\system32\sihost.exe
  Command line: sihost.exe
- c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- c:\windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\citadel_1.2.0.0b.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\citadel_1.2.0.0b.vir.exe"
    Signatures: Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\Ikvo\ypno.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Ikvo\ypno.exe"
      Signatures: Suspicious use of WriteProcessMemory; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp460dc7ad.bat"
      - C:\Windows\System32\Conhost.exe
        Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Program Files\Windows Mail\WinMail.exe
  Command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Ciob\xeha.xel
- C:\Users\Admin\AppData\Roaming\Ikvo\ypno.exe
- C:\Users\Admin\AppData\Roaming\Ikvo\ypno.exe
- memory/1272-0-0x0000000000000000-mapping.dmp
- memory/2500-3-0x0000000000540000-0x000000000058A000-memory.dmp (Filesize: 296KB)
- memory/2500-4-0x000000000055262B-mapping.dmp