Analysis
max time kernel: 34s
max time network: 122s
platform: windows7_x64
resource: win7v200430
submitted: 13-07-2020 15:51
Static task: static1
Behavioral task: behavioral1 (Sample: EIC.exe, Resource: win7v200430)
Behavioral task: behavioral2 (Sample: EIC.exe, Resource: win10)
General
Target: EIC.exe
Size: 1.1MB
MD5: 179da9d044907a92d189b869932bfcdf
SHA1: 4c4cc099c3e32ae9e6324e723392c9fc56332800
SHA256: f338a1b80c46346c5e3d7576b4726faf90a477c396f424aa1325b8cc03ae9a30
SHA512: 0e497080fac79e88b5b6823b7ae24deeb44b192ababd9179a2ca13a487462388b2ee3f5c4a18ac4f01b75fda6f531474bb219b7fce017e0c741eb9594d1b4571
Malware Config
Signatures
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: PID 1500 EIC.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: PID 1012 EIC.exe, Token: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: PID 1012 EIC.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes: flow 3, ioc api.ipify.org
Drops startup file (1 IoC)
Processes: notepad.exe, File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.vbs
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: PID 1500 EIC.exe; PID 1012 EIC.exe; PID 1012 EIC.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
PID 1500 EIC.exe wrote to memory of PID 476 notepad.exe (6 times)
PID 1500 EIC.exe wrote to memory of PID 1012 EIC.exe (4 times)
Suspicious use of SetThreadContext (1 IoC)
Processes: PID 1500 EIC.exe set thread context of PID 1012 EIC.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: PID 1012 EIC.exe
MassLogger log file (1 IoC)
Detects a log file produced by MassLogger.
Processes: yara_rule masslogger_log_file
UPX packed file (3 IoCs)
Detects executables packed with UPX/modified UPX open source packer.
Processes:
behavioral1/memory/1012-2-0x0000000000400000-0x0000000000542000-memory.dmp (yara_rule: upx)
behavioral1/memory/1012-4-0x0000000000400000-0x0000000000542000-memory.dmp (yara_rule: upx)
behavioral1/memory/1012-5-0x0000000000400000-0x0000000000542000-memory.dmp (yara_rule: upx)
MassLogger
MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
Processes
C:\Users\Admin\AppData\Local\Temp\EIC.exe (PID 1500, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\EIC.exe"
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  C:\Windows\SysWOW64\notepad.exe (PID 476, depth 2, child of PID 1500)
    Command line: "C:\Windows\system32\notepad.exe"
    Note: the command line asks for system32\notepad.exe but the image was loaded from SysWOW64; that is WoW64 file-system redirection, which applies when the requesting parent is a 32-bit process.
    - Drops startup file
  C:\Users\Admin\AppData\Local\Temp\EIC.exe (PID 1012, depth 2, child of PID 1500)
    Command line: "C:\Users\Admin\AppData\Local\Temp\EIC.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: AddClipboardFormatListener
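Read together, the IoC tables above describe one chain: PID 1500 writes into the child copy of itself (PID 1012) and then resets that child's thread context, and it is 1012's memory in which the UPX-matching region 0x400000-0x542000 is found; notepad.exe (PID 476), which 1500 also wrote into, is the process that creates win.vbs in the Startup folder; and 1012 is the process that resolves api.ipify.org. The Python below is an added example, not part of the Triage report and not Triage's own detection code, showing how those three behaviours can be turned into correlation rules over Sysmon/sandbox-style telemetry. The event schema and field names, the parent PID 1234 given to the first EIC.exe, the Startup-folder and extension match rules, and every IP-lookup domain other than api.ipify.org are assumptions made for the example; the PIDs, image paths, file path, call counts and domain are the ones recorded in this report.

```python
"""Detections for the behaviours in the report above, run over constructed
Sysmon/sandbox-style events (added example; not Triage's code or data model)."""
import ntpath
from collections import defaultdict

# Lower-cased fragment identifying the per-user Startup folder (assumed match rule).
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"
# Extensions that execute at logon when placed in Startup (assumed list).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta", ".exe", ".lnk"}
# External-IP services: api.ipify.org is the one this run contacted, the rest are assumed additions.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "checkip.amazonaws.com"}

# Constructed telemetry mirroring the report's process tree and IoC tables.
# PPID 1234 for the first EIC.exe is an assumption (the report does not show it).
EVENTS = [
    {"type": "process_create", "pid": 1500, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\EIC.exe"},
    {"type": "process_create", "pid": 476, "ppid": 1500,
     "image": r"C:\Windows\SysWOW64\notepad.exe"},
    {"type": "process_create", "pid": 1012, "ppid": 1500,
     "image": r"C:\Users\Admin\AppData\Local\Temp\EIC.exe"},
]
EVENTS += [{"type": "api", "pid": 1500, "api": "WriteProcessMemory", "target_pid": 476}] * 6
EVENTS += [{"type": "api", "pid": 1500, "api": "WriteProcessMemory", "target_pid": 1012}] * 4
EVENTS += [
    {"type": "api", "pid": 1500, "api": "SetThreadContext", "target_pid": 1012},
    {"type": "file_create", "pid": 476,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.vbs"},
    {"type": "dns", "pid": 1012, "query": "api.ipify.org"},
]


def _images(events):
    """Map pid -> image path from process-creation events."""
    return {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}


def _parents(events):
    """Map pid -> parent pid from process-creation events."""
    return {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}


def detect_hollowing(events):
    """A process writes into a child it spawned and then resets that child's thread
    context: the WriteProcessMemory + SetThreadContext pair seen for 1500 -> 1012.
    notepad.exe (476) receives writes but no SetThreadContext, so it is not reported here."""
    images, parents = _images(events), _parents(events)
    writes = defaultdict(int)
    for e in events:
        if e["type"] == "api" and e["api"] == "WriteProcessMemory":
            writes[(e["pid"], e["target_pid"])] += 1
    hits = []
    for e in events:
        if e["type"] == "api" and e["api"] == "SetThreadContext":
            key = (e["pid"], e["target_pid"])
            if writes.get(key) and parents.get(e["target_pid"]) == e["pid"]:
                hits.append({"rule": "process_hollowing", "source_pid": e["pid"],
                             "target_pid": e["target_pid"], "writes": writes[key],
                             # same image on both sides: the sample hollowed a copy of itself
                             "self_image": images.get(e["pid"]) == images.get(e["target_pid"])})
    return hits


def detect_startup_drop(events):
    """Script or executable created in the per-user Startup folder. The hit is
    escalated when the writing process was itself a WriteProcessMemory target,
    i.e. the persistence was planted through an injected process (notepad.exe here)."""
    images = _images(events)
    injected = {e["target_pid"] for e in events
                if e["type"] == "api" and e["api"] == "WriteProcessMemory"}
    hits = []
    for e in events:
        if e["type"] != "file_create":
            continue
        low = e["path"].lower()
        if STARTUP_FRAGMENT not in low or ntpath.splitext(low)[1] not in SCRIPT_EXTS:
            continue
        hits.append({"rule": "startup_script_drop", "pid": e["pid"],
                     "image": images.get(e["pid"]), "path": e["path"],
                     "writer_injected": e["pid"] in injected})
    return hits


def detect_ip_lookup(events):
    """DNS query for a known external-IP lookup service."""
    images = _images(events)
    return [{"rule": "external_ip_lookup", "pid": e["pid"],
             "image": images.get(e["pid"]), "domain": e["query"]}
            for e in events if e["type"] == "dns" and e["query"].lower() in IP_LOOKUP_DOMAINS]


def run_all(events):
    """All three rules over one event stream."""
    return detect_hollowing(events) + detect_startup_drop(events) + detect_ip_lookup(events)


if __name__ == "__main__":
    for hit in run_all(EVENTS):
        print(hit)
```

The hollowing rule deliberately requires both the memory writes and the thread-context reset to come from the parent of the target, which is what separates this pattern from a debugger or an AV engine touching a process it did not spawn; the startup rule keys on the Startup path and a runnable extension rather than on the process name, so it would also fire if the dropper had been hollowed into something other than notepad.exe.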