Analysis
- max time kernel: 150s
- max time network: 134s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 17:33
Static task: static1
Behavioral task: behavioral1
  Sample: citadel_0.0.1.0.vir.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: citadel_0.0.1.0.vir.exe
  Resource: win10
General
- Target: citadel_0.0.1.0.vir.exe
- Size: 625KB
- MD5: dd61ca96711aa13910635e2504959890
- SHA1: d339d635b7870e08fa3afaf32385cefdecdd5719
- SHA256: 27b86c92d6a04f4074462098e1ea9c0142816b66667effecb36ccde317458166
- SHA512: 234729276b77db8dbefaf5e56f085d0dc8eb66eecd67aaee953e1b4692c2f8bffc1693c0ff26b031426f3e1a86e26b0a102e65a6f9991674a7b61999eab4be5f
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (66 IoCs)
  Processes (pid, process):
    3068  citadel_0.0.1.0.vir.exe  (x4)
    3828  afadsaymafv.exe          (x60)
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
    3068  citadel_0.0.1.0.vir.exe  (x2)
    3828  afadsaymafv.exe          (x2)
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Processes (description, pid, process):
    Token: SeSecurityPrivilege  3068  citadel_0.0.1.0.vir.exe  (x10)
- Suspicious use of WriteProcessMemory (71 IoCs)
  Processes (description, pid, process -> target process):
    PID 3068 wrote to memory of 3828  3068  citadel_0.0.1.0.vir.exe -> afadsaymafv.exe          (x3)
    PID 3828 wrote to memory of 2792  3828  afadsaymafv.exe -> sihost.exe                       (x5)
    PID 3828 wrote to memory of 2808  3828  afadsaymafv.exe -> svchost.exe                      (x5)
    PID 3828 wrote to memory of 2872  3828  afadsaymafv.exe -> taskhostw.exe                    (x5)
    PID 3828 wrote to memory of 3016  3828  afadsaymafv.exe -> Explorer.EXE                     (x5)
    PID 3828 wrote to memory of 3164  3828  afadsaymafv.exe -> ShellExperienceHost.exe          (x5)
    PID 3828 wrote to memory of 3180  3828  afadsaymafv.exe -> SearchUI.exe                     (x5)
    PID 3828 wrote to memory of 3392  3828  afadsaymafv.exe -> RuntimeBroker.exe                (x5)
    PID 3828 wrote to memory of 3616  3828  afadsaymafv.exe -> DllHost.exe                      (x5)
    PID 3828 wrote to memory of 3480  3828  afadsaymafv.exe -> backgroundTaskHost.exe           (x5)
    PID 3828 wrote to memory of 3068  3828  afadsaymafv.exe -> citadel_0.0.1.0.vir.exe          (x5)
    PID 3068 wrote to memory of 3040  3068  citadel_0.0.1.0.vir.exe -> cmd.exe                  (x8)
    PID 3828 wrote to memory of 3284  3828  afadsaymafv.exe -> Conhost.exe                      (x3)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process -> target process):
    PID 3068 set thread context of 3040  3068  citadel_0.0.1.0.vir.exe -> cmd.exe
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
    Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Privacy (citadel_0.0.1.0.vir.exe)
    Set value (int): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" (citadel_0.0.1.0.vir.exe)
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    3828  afadsaymafv.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\Currentversion\Run (afadsaymafv.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Emwyfuk = "C:\\Users\\Admin\\AppData\\Roaming\\Qeygapizkug\\afadsaymafv.exe" (afadsaymafv.exe)
Processes
- c:\windows\system32\sihost.exe
  Command line: sihost.exe
- c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- c:\windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.0.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\citadel_0.0.1.0.vir.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - C:\Users\Admin\AppData\Roaming\Qeygapizkug\afadsaymafv.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Qeygapizkug\afadsaymafv.exe"
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - Adds Run key to start application
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc9ca44aa.bat"
      - C:\Windows\System32\Conhost.exe
        Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
- C:\Program Files\Windows Mail\WinMail.exe
  Command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
- C:\Windows\System32\slui.exe
  Command line: C:\Windows\System32\slui.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Kurauqciosxa\vyybisdico.erd
- C:\Users\Admin\AppData\Roaming\Qeygapizkug\afadsaymafv.exe
- \Users\Admin\AppData\Local\Temp\tmp1B43.tmp
- \Users\Admin\AppData\Local\Temp\tmp1B63.tmp
- \Users\Admin\AppData\Local\Temp\tmp606.tmp
- \Users\Admin\AppData\Local\Temp\tmp636.tmp
- memory/3040-7-0x0000000000340000-0x0000000000384000-memory.dmp (Filesize: 272KB)
- memory/3040-8-0x000000000035BAEC-mapping.dmp
- memory/3828-2-0x0000000000000000-mapping.dmp