Analysis
-
max time kernel
150s -
max time network
75s -
platform
windows7_x64 -
resource
win7 -
submitted
19-07-2020 19:26
General
-
Target
citadel_1.3.3.4.vir.exe
-
Size
207KB
-
MD5
8cbb6a23a4866968bb333f862e23b49a
-
SHA1
b9110c3340e84c56e146085adf5d25ee2de7987a
-
SHA256
3675db37a5c08fdd062e3b5aae428ca2346375c05ca2ab252ef8403d2ce655e9
-
SHA512
4c02d90f8bc906ca15eb0391f997abbf6fbae4cad62593c6c87521f0e8b8d89f97a1ca5241983f03d9f9a8b1bb63d66cc05ee2c17343a1c773e37817b944d845
Score
8/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
NTFS ADS 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Deletes itself 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\citadel_1.3.3.4.vir.exe"C:\Users\Admin\AppData\Local\Temp\citadel_1.3.3.4.vir.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Modifies Internet Explorer settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Ycula\neva.exe"C:\Users\Admin\AppData\Roaming\Ycula\neva.exe"3⤵
- Suspicious use of WriteProcessMemory
- Adds Run key to start application
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe8e9469b.bat"3⤵
- Deletes itself
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail.exe" -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- NTFS ADS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpe8e9469b.bat
-
C:\Users\Admin\AppData\Roaming\Ureqku\agpa.xyr
-
C:\Users\Admin\AppData\Roaming\Ycula\neva.exe
-
C:\Users\Admin\AppData\Roaming\Ycula\neva.exe
-
\Users\Admin\AppData\Roaming\Ycula\neva.exe
-
\Users\Admin\AppData\Roaming\Ycula\neva.exe
-
memory/276-5-0x0000000003970000-0x0000000003A70000-memory.dmpFilesize
1024KB
-
memory/276-7-0x0000000003970000-0x0000000003B70000-memory.dmpFilesize
2.0MB
-
memory/276-9-0x0000000003970000-0x0000000003A70000-memory.dmpFilesize
1024KB
-
memory/276-10-0x0000000003970000-0x0000000003B70000-memory.dmpFilesize
2.0MB
-
memory/276-11-0x0000000003A70000-0x0000000003B70000-memory.dmpFilesize
1024KB
-
memory/276-15-0x0000000002650000-0x0000000002652000-memory.dmpFilesize
8KB
-
memory/276-16-0x0000000002670000-0x0000000002672000-memory.dmpFilesize
8KB
-
memory/276-17-0x0000000002660000-0x0000000002662000-memory.dmpFilesize
8KB
-
memory/276-18-0x0000000003BA0000-0x0000000003BA2000-memory.dmpFilesize
8KB
-
memory/276-19-0x0000000003F00000-0x0000000003F02000-memory.dmpFilesize
8KB
-
memory/276-20-0x0000000002650000-0x0000000002652000-memory.dmpFilesize
8KB
-
memory/276-21-0x0000000002650000-0x0000000002652000-memory.dmpFilesize
8KB
-
memory/276-22-0x0000000003D60000-0x0000000003D62000-memory.dmpFilesize
8KB
-
memory/276-23-0x0000000003BD0000-0x0000000003BD2000-memory.dmpFilesize
8KB
-
memory/276-24-0x0000000003BC0000-0x0000000003BC2000-memory.dmpFilesize
8KB
-
memory/276-25-0x0000000003BC0000-0x0000000003BC2000-memory.dmpFilesize
8KB
-
memory/276-26-0x0000000004150000-0x0000000004152000-memory.dmpFilesize
8KB
-
memory/276-27-0x0000000003B90000-0x0000000003B92000-memory.dmpFilesize
8KB
-
memory/276-28-0x00000000042C0000-0x00000000042C2000-memory.dmpFilesize
8KB
-
memory/276-29-0x0000000004510000-0x0000000004512000-memory.dmpFilesize
8KB
-
memory/276-30-0x00000000045A0000-0x00000000045A2000-memory.dmpFilesize
8KB
-
memory/276-31-0x0000000004630000-0x0000000004632000-memory.dmpFilesize
8KB
-
memory/276-32-0x0000000004650000-0x0000000004652000-memory.dmpFilesize
8KB
-
memory/276-33-0x0000000004670000-0x0000000004672000-memory.dmpFilesize
8KB
-
memory/276-34-0x0000000004700000-0x0000000004702000-memory.dmpFilesize
8KB
-
memory/276-35-0x0000000004820000-0x0000000004822000-memory.dmpFilesize
8KB
-
memory/276-36-0x0000000004C30000-0x0000000004C32000-memory.dmpFilesize
8KB
-
memory/276-37-0x00000000055F0000-0x00000000055F2000-memory.dmpFilesize
8KB
-
memory/276-38-0x0000000005760000-0x0000000005762000-memory.dmpFilesize
8KB
-
memory/276-39-0x0000000005770000-0x0000000005772000-memory.dmpFilesize
8KB
-
memory/276-40-0x0000000005800000-0x0000000005802000-memory.dmpFilesize
8KB
-
memory/276-41-0x0000000005810000-0x0000000005812000-memory.dmpFilesize
8KB
-
memory/276-42-0x00000000026E0000-0x00000000026E2000-memory.dmpFilesize
8KB
-
memory/276-43-0x0000000003CB0000-0x0000000003CB2000-memory.dmpFilesize
8KB
-
memory/276-44-0x00000000042F0000-0x00000000042F2000-memory.dmpFilesize
8KB
-
memory/276-45-0x0000000004300000-0x0000000004302000-memory.dmpFilesize
8KB
-
memory/276-46-0x0000000004310000-0x0000000004312000-memory.dmpFilesize
8KB
-
memory/276-47-0x0000000004320000-0x0000000004322000-memory.dmpFilesize
8KB
-
memory/276-48-0x0000000004330000-0x0000000004332000-memory.dmpFilesize
8KB
-
memory/276-49-0x0000000003970000-0x0000000003A70000-memory.dmpFilesize
1024KB
-
memory/276-51-0x00000000024D0000-0x00000000024E0000-memory.dmpFilesize
64KB
-
memory/276-57-0x00000000023B0000-0x00000000023C0000-memory.dmpFilesize
64KB
-
memory/1188-2-0x0000000000000000-mapping.dmp
-
memory/1988-63-0x0000000000050000-0x0000000000088000-memory.dmpFilesize
224KB
-
memory/1988-65-0x000000000005D9A6-mapping.dmp