27b86c92d6a04f4074462098e1ea9c0142816b66667effecb36ccde317458166

General

Target

citadel_0.0.1.0.vir.exe
Size

625KB
MD5

dd61ca96711aa13910635e2504959890
SHA1

d339d635b7870e08fa3afaf32385cefdecdd5719
SHA256

27b86c92d6a04f4074462098e1ea9c0142816b66667effecb36ccde317458166
SHA512

234729276b77db8dbefaf5e56f085d0dc8eb66eecd67aaee953e1b4692c2f8bffc1693c0ff26b031426f3e1a86e26b0a102e65a6f9991674a7b61999eab4be5f

Score

8^/10

discovery spyware persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 66 IoCs

Processes:

citadel_0.0.1.0.vir.exeafadsaymafv.exe

pid	process
3068	citadel_0.0.1.0.vir.exe
3068	citadel_0.0.1.0.vir.exe
3068	citadel_0.0.1.0.vir.exe
3068	citadel_0.0.1.0.vir.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe
3828	afadsaymafv.exe

Loads dropped DLL 4 IoCs

Processes:

citadel_0.0.1.0.vir.exeafadsaymafv.exe

pid process

3068 citadel_0.0.1.0.vir.exe
3068 citadel_0.0.1.0.vir.exe
3828 afadsaymafv.exe
3828 afadsaymafv.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

citadel_0.0.1.0.vir.exe

description	pid	process
Token: SeSecurityPrivilege	3068	citadel_0.0.1.0.vir.exe
Token: SeSecurityPrivilege	3068	citadel_0.0.1.0.vir.exe
Token: SeSecurityPrivilege	3068	citadel_0.0.1.0.vir.exe
Token: SeSecurityPrivilege	3068	citadel_0.0.1.0.vir.exe
Token: SeSecurityPrivilege	3068	citadel_0.0.1.0.vir.exe
Token: SeSecurityPrivilege	3068	citadel_0.0.1.0.vir.exe
Token: SeSecurityPrivilege	3068	citadel_0.0.1.0.vir.exe
Token: SeSecurityPrivilege	3068	citadel_0.0.1.0.vir.exe
Token: SeSecurityPrivilege	3068	citadel_0.0.1.0.vir.exe
Token: SeSecurityPrivilege	3068	citadel_0.0.1.0.vir.exe

Suspicious use of WriteProcessMemory 71 IoCs

Processes:

citadel_0.0.1.0.vir.exeafadsaymafv.exe

description	pid	process	target process
PID 3068 wrote to memory of 3828	3068	citadel_0.0.1.0.vir.exe	afadsaymafv.exe
PID 3068 wrote to memory of 3828	3068	citadel_0.0.1.0.vir.exe	afadsaymafv.exe
PID 3068 wrote to memory of 3828	3068	citadel_0.0.1.0.vir.exe	afadsaymafv.exe
PID 3828 wrote to memory of 2792	3828	afadsaymafv.exe	sihost.exe
PID 3828 wrote to memory of 2792	3828	afadsaymafv.exe	sihost.exe
PID 3828 wrote to memory of 2792	3828	afadsaymafv.exe	sihost.exe
PID 3828 wrote to memory of 2792	3828	afadsaymafv.exe	sihost.exe
PID 3828 wrote to memory of 2792	3828	afadsaymafv.exe	sihost.exe
PID 3828 wrote to memory of 2808	3828	afadsaymafv.exe	svchost.exe
PID 3828 wrote to memory of 2808	3828	afadsaymafv.exe	svchost.exe
PID 3828 wrote to memory of 2808	3828	afadsaymafv.exe	svchost.exe
PID 3828 wrote to memory of 2808	3828	afadsaymafv.exe	svchost.exe
PID 3828 wrote to memory of 2808	3828	afadsaymafv.exe	svchost.exe
PID 3828 wrote to memory of 2872	3828	afadsaymafv.exe	taskhostw.exe
PID 3828 wrote to memory of 2872	3828	afadsaymafv.exe	taskhostw.exe
PID 3828 wrote to memory of 2872	3828	afadsaymafv.exe	taskhostw.exe
PID 3828 wrote to memory of 2872	3828	afadsaymafv.exe	taskhostw.exe
PID 3828 wrote to memory of 2872	3828	afadsaymafv.exe	taskhostw.exe
PID 3828 wrote to memory of 3016	3828	afadsaymafv.exe	Explorer.EXE
PID 3828 wrote to memory of 3016	3828	afadsaymafv.exe	Explorer.EXE
PID 3828 wrote to memory of 3016	3828	afadsaymafv.exe	Explorer.EXE
PID 3828 wrote to memory of 3016	3828	afadsaymafv.exe	Explorer.EXE
PID 3828 wrote to memory of 3016	3828	afadsaymafv.exe	Explorer.EXE
PID 3828 wrote to memory of 3164	3828	afadsaymafv.exe	ShellExperienceHost.exe
PID 3828 wrote to memory of 3164	3828	afadsaymafv.exe	ShellExperienceHost.exe
PID 3828 wrote to memory of 3164	3828	afadsaymafv.exe	ShellExperienceHost.exe
PID 3828 wrote to memory of 3164	3828	afadsaymafv.exe	ShellExperienceHost.exe
PID 3828 wrote to memory of 3164	3828	afadsaymafv.exe	ShellExperienceHost.exe
PID 3828 wrote to memory of 3180	3828	afadsaymafv.exe	SearchUI.exe
PID 3828 wrote to memory of 3180	3828	afadsaymafv.exe	SearchUI.exe
PID 3828 wrote to memory of 3180	3828	afadsaymafv.exe	SearchUI.exe
PID 3828 wrote to memory of 3180	3828	afadsaymafv.exe	SearchUI.exe
PID 3828 wrote to memory of 3180	3828	afadsaymafv.exe	SearchUI.exe
PID 3828 wrote to memory of 3392	3828	afadsaymafv.exe	RuntimeBroker.exe
PID 3828 wrote to memory of 3392	3828	afadsaymafv.exe	RuntimeBroker.exe
PID 3828 wrote to memory of 3392	3828	afadsaymafv.exe	RuntimeBroker.exe
PID 3828 wrote to memory of 3392	3828	afadsaymafv.exe	RuntimeBroker.exe
PID 3828 wrote to memory of 3392	3828	afadsaymafv.exe	RuntimeBroker.exe
PID 3828 wrote to memory of 3616	3828	afadsaymafv.exe	DllHost.exe
PID 3828 wrote to memory of 3616	3828	afadsaymafv.exe	DllHost.exe
PID 3828 wrote to memory of 3616	3828	afadsaymafv.exe	DllHost.exe
PID 3828 wrote to memory of 3616	3828	afadsaymafv.exe	DllHost.exe
PID 3828 wrote to memory of 3616	3828	afadsaymafv.exe	DllHost.exe
PID 3828 wrote to memory of 3480	3828	afadsaymafv.exe	backgroundTaskHost.exe
PID 3828 wrote to memory of 3480	3828	afadsaymafv.exe	backgroundTaskHost.exe
PID 3828 wrote to memory of 3480	3828	afadsaymafv.exe	backgroundTaskHost.exe
PID 3828 wrote to memory of 3480	3828	afadsaymafv.exe	backgroundTaskHost.exe
PID 3828 wrote to memory of 3480	3828	afadsaymafv.exe	backgroundTaskHost.exe
PID 3828 wrote to memory of 3068	3828	afadsaymafv.exe	citadel_0.0.1.0.vir.exe
PID 3828 wrote to memory of 3068	3828	afadsaymafv.exe	citadel_0.0.1.0.vir.exe
PID 3828 wrote to memory of 3068	3828	afadsaymafv.exe	citadel_0.0.1.0.vir.exe
PID 3828 wrote to memory of 3068	3828	afadsaymafv.exe	citadel_0.0.1.0.vir.exe
PID 3828 wrote to memory of 3068	3828	afadsaymafv.exe	citadel_0.0.1.0.vir.exe
PID 3068 wrote to memory of 3040	3068	citadel_0.0.1.0.vir.exe	cmd.exe
PID 3068 wrote to memory of 3040	3068	citadel_0.0.1.0.vir.exe	cmd.exe
PID 3068 wrote to memory of 3040	3068	citadel_0.0.1.0.vir.exe	cmd.exe
PID 3068 wrote to memory of 3040	3068	citadel_0.0.1.0.vir.exe	cmd.exe
PID 3068 wrote to memory of 3040	3068	citadel_0.0.1.0.vir.exe	cmd.exe
PID 3068 wrote to memory of 3040	3068	citadel_0.0.1.0.vir.exe	cmd.exe
PID 3068 wrote to memory of 3040	3068	citadel_0.0.1.0.vir.exe	cmd.exe
PID 3068 wrote to memory of 3040	3068	citadel_0.0.1.0.vir.exe	cmd.exe
PID 3828 wrote to memory of 3284	3828	afadsaymafv.exe	Conhost.exe
PID 3828 wrote to memory of 3284	3828	afadsaymafv.exe	Conhost.exe
PID 3828 wrote to memory of 3284	3828	afadsaymafv.exe	Conhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

citadel_0.0.1.0.vir.exe

description pid process target process

PID 3068 set thread context of 3040 3068 citadel_0.0.1.0.vir.exe cmd.exe

description	pid	process	target process
PID 3068 set thread context of 3040	3068	citadel_0.0.1.0.vir.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

citadel_0.0.1.0.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Privacy	citadel_0.0.1.0.vir.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	citadel_0.0.1.0.vir.exe

Executes dropped EXE 1 IoCs

Processes:

afadsaymafv.exe

pid process

3828 afadsaymafv.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3828	afadsaymafv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

afadsaymafv.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\Currentversion\Run	afadsaymafv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Emwyfuk = "C:\\Users\\Admin\\AppData\\Roaming\\Qeygapizkug\\afadsaymafv.exe"	afadsaymafv.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2792

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2808

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2872

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.0.vir.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
PID:3068

C:\Users\Admin\AppData\Roaming\Qeygapizkug\afadsaymafv.exe
"C:\Users\Admin\AppData\Roaming\Qeygapizkug\afadsaymafv.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Adds Run key to start application
PID:3828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc9ca44aa.bat"
3⤵
PID:3040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3284

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3164

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3180

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3392

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3616

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:3480

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
PID:688

C:\Windows\System32\slui.exe
C:\Windows\System32\slui.exe -Embedding
1⤵
PID:2148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Kurauqciosxa\vyybisdico.erd

Download Submit
C:\Users\Admin\AppData\Roaming\Qeygapizkug\afadsaymafv.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Qeygapizkug\afadsaymafv.exe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1B43.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1B63.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\tmp606.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\tmp636.tmp

Download Submit
memory/3040-7-0x0000000000340000-0x0000000000384000-memory.dmp

Filesize
272KB

Download
memory/3040-8-0x000000000035BAEC-mapping.dmp

Download
memory/3828-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads