Analysis

  • max time kernel
    34s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    13-07-2020 15:51

General

  • Target

    EIC.exe

  • Size

    1.1MB

  • MD5

    179da9d044907a92d189b869932bfcdf

  • SHA1

    4c4cc099c3e32ae9e6324e723392c9fc56332800

  • SHA256

    f338a1b80c46346c5e3d7576b4726faf90a477c396f424aa1325b8cc03ae9a30

  • SHA512

    0e497080fac79e88b5b6823b7ae24deeb44b192ababd9179a2ca13a487462388b2ee3f5c4a18ac4f01b75fda6f531474bb219b7fce017e0c741eb9594d1b4571

Malware Config

Signatures

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops startup file 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

Processes

  • C:\Users\Admin\AppData\Local\Temp\EIC.exe
    "C:\Users\Admin\AppData\Local\Temp\EIC.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetThreadContext
    PID:1500
    • C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      2⤵
      • Drops startup file
      PID:476
    • C:\Users\Admin\AppData\Local\Temp\EIC.exe
      "C:\Users\Admin\AppData\Local\Temp\EIC.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: AddClipboardFormatListener
      PID:1012

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/476-0-0x0000000000000000-mapping.dmp

  • memory/476-1-0x0000000000090000-0x0000000000091000-memory.dmp

    Filesize

    4KB

  • memory/1012-2-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

  • memory/1012-3-0x0000000000540C00-mapping.dmp

  • memory/1012-4-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

  • memory/1012-5-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

  • memory/1012-6-0x0000000001E50000-0x0000000001EEA000-memory.dmp

    Filesize

    616KB

  • memory/1012-7-0x0000000001F82000-0x0000000001F83000-memory.dmp

    Filesize

    4KB

  • memory/1012-8-0x0000000000310000-0x00000000003A4000-memory.dmp

    Filesize

    592KB