Overview

overview

6

Static

static

4

Citadele1018.pdf

windows7-x64

1

Citadele1018.pdf

windows10-2004-x64

6

Analysis

  • max time kernel
    137s
  • max time network
    168s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    09/02/2023, 12:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Citadele1018.pdf

  • Size

    72KB

  • MD5

    4e9a48842158e4e906a737b3d388ed09

  • SHA1

    b5f1d62457154f4acb224e27266b74cb1c739784

  • SHA256

    f5765fc7ebec73760b00ed087dcb2e7dd91700ef13889b537cfb35dca73c03b7

  • SHA512

    1daf2cdddafb52b1b59e3460223fd5ab2fc1a61f6524e5711a5d6cc47cd64b0dcd1e2f62cc78f6f51fc2dd40880b36d73380800729d51b812cd3cce89940a8cc

  • SSDEEP

    1536:0Gd7qHFtOKZipQCTZ89YTVexztdT1pI0MLQF2C/hyli:1d7ibOkipQCTZ8mTVojT14VC/hf

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Citadele1018.pdf"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://portaldoaluno.visaoportal.com.br/.well-known/pki-validation/z/aspx.php
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1248
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1248 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1972
        • C:\Windows\SysWOW64\msdt.exe
          -modal 65982 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDF2149.tmp -ep NetworkDiagnosticsWeb
          4⤵
          • Suspicious use of FindShellTrayWindow
          PID:1160
  • C:\Windows\SysWOW64\sdiagnhost.exe
    C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
    1⤵
      PID:1548

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      115f68a14061832d7ac7e1a997834789

      SHA1

      ddfbbb34bca36d1e1b1667585cd9689144a01402

      SHA256

      33000d2878168b14a21ac0ed6f24f784537dc3189e8b98dcf0d92e6af2450f7e

      SHA512

      bcb4aeaef4d3657f08c7a1fac54f7e3a75e1b1b91d8d2d3e1a515aa0de45367a0abfc909956584df3094d9984b0d0f7c1ce42d19c46540a9178caa32fe032715

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\NDF2149.tmp
      Filesize

      3KB

      MD5

      4423a9556e457494c87c4911d5e75c71

      SHA1

      ce5a38ae50ab8de73ebb52415239bcf14eefff23

      SHA256

      d552c0c354bde01ec3f3e3f853bc4e6685a495d79efe539e865c7e1c9018b588

      SHA512

      8dc1c3aa073159fc6006a79318c348da3eeff0d30ac11499c19f3d7bb4f6ff8b1614bcaad6b8ee366987a1807739d962f9056a6f486d6cef37cf592715b5a3ed

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AE79MRPI.txt
      Filesize

      605B

      MD5

      0d11d2e47d0c80eeaf0f0d8870d9583d

      SHA1

      61acc8b75ce9a472a390186cf5af77034c28af40

      SHA256

      325e60eda094e2f54d3e48399e69273e9fe6af717d675914f7df56e42309e44b

      SHA512

      7f38012ea1ee05abaede1098aa7d0c8b31fca625286ff76673dedb0e861f623a54569ef7893f049bc82a4970512e3431cd070fc52658142ae11929f2e4b275b1

      Download Submit

    • C:\Windows\TEMP\SDIAG_f611e258-ce33-4f1f-b316-b595aa212b10\NetworkDiagnosticsTroubleshoot.ps1
      Filesize

      23KB

      MD5

      1d192ce36953dbb7dc7ee0d04c57ad8d

      SHA1

      7008e759cb47bf74a4ea4cd911de158ef00ace84

      SHA256

      935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756

      SHA512

      e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

      Download Submit

    • C:\Windows\TEMP\SDIAG_f611e258-ce33-4f1f-b316-b595aa212b10\UtilityFunctions.ps1
      Filesize

      52KB

      MD5

      2f7c3db0c268cf1cf506fe6e8aecb8a0

      SHA1

      fb35af6b329d60b0ec92e24230eafc8e12b0a9f9

      SHA256

      886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3

      SHA512

      322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

      Download Submit

    • C:\Windows\TEMP\SDIAG_f611e258-ce33-4f1f-b316-b595aa212b10\UtilitySetConstants.ps1
      Filesize

      2KB

      MD5

      0c75ae5e75c3e181d13768909c8240ba

      SHA1

      288403fc4bedaacebccf4f74d3073f082ef70eb9

      SHA256

      de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

      SHA512

      8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

      Download Submit

    • C:\Windows\TEMP\SDIAG_f611e258-ce33-4f1f-b316-b595aa212b10\en-US\LocalizationData.psd1
      Filesize

      5KB

      MD5

      dc9be0fdf9a4e01693cfb7d8a0d49054

      SHA1

      74730fd9c9bd4537fd9a353fe4eafce9fcc105e6

      SHA256

      944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440

      SHA512

      92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

      Download Submit

    • memory/1160-60-0x000000006DFD1000-0x000000006DFD3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1548-62-0x000000006D950000-0x000000006DEFB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1548-67-0x000000006D950000-0x000000006DEFB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2004-54-0x0000000076651000-0x0000000076653000-memory.dmp

      Filesize

      8KB

      Download