Analysis
- max time kernel: 25s
- max time network: 25s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-04-2023 16:15
Behavioral task: behavioral1
- Sample: Eoise RP.exe
- Resource: win10v2004-20230220-en
General
- Target: Eoise RP.exe
- Size: 93KB
- MD5: b6e38af9995b9d57ae246e480e0800f3
- SHA1: 8d0d668624671678798ce0b25e2a4e33aa8ffd33
- SHA256: f31d6da4b820dcd1d5da0f9d1df4dcc21710594a5f50279853f7ec45ff93b131
- SHA512: 70a7643629bab293d5f0c31e324119b6b258adfa869a7714a1791e38bbdb1f400af15024a134a80cc091dc87c42fc3f45b057767dcae3e1ecdcdc56bbb3b3b1d
- SSDEEP: 768:fY3sCnD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3IsGn:5CxOx6baIa9RZj00ljEwzGi1dDADDgS
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (4 IoCs)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Eoise RP.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Eoise RP.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\efedbcc0b2164e2205d6d0c5aa037fabWindows Update.exe | Eoise RP.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\efedbcc0b2164e2205d6d0c5aa037fabWindows Update.exe | Eoise RP.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
  3348 | Eoise RP.exe (this same entry is listed 64 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid | process):
  3348 | Eoise RP.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 3348 | Eoise RP.exe
  Token: 33 | 3348 | Eoise RP.exe
  Token: SeIncBasePriorityPrivilege | 3348 | Eoise RP.exe
  Token: 33 | 3348 | Eoise RP.exe
  Token: SeIncBasePriorityPrivilege | 3348 | Eoise RP.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 3348 wrote to memory of 4208 | 3348 | Eoise RP.exe | netsh.exe
  PID 3348 wrote to memory of 4208 | 3348 | Eoise RP.exe | netsh.exe
  PID 3348 wrote to memory of 4208 | 3348 | Eoise RP.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Eoise RP.exe (PID 3348)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Eoise RP.exe"
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\netsh.exe (PID 4208)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Eoise RP.exe" "Eoise RP.exe" ENABLE
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Notepad.exe
  Filesize: 93KB
  MD5: b6e38af9995b9d57ae246e480e0800f3
  SHA1: 8d0d668624671678798ce0b25e2a4e33aa8ffd33
  SHA256: f31d6da4b820dcd1d5da0f9d1df4dcc21710594a5f50279853f7ec45ff93b131
  SHA512: 70a7643629bab293d5f0c31e324119b6b258adfa869a7714a1791e38bbdb1f400af15024a134a80cc091dc87c42fc3f45b057767dcae3e1ecdcdc56bbb3b3b1d
- memory/3348-134-0x0000000001230000-0x0000000001240000-memory.dmp
  Filesize: 64KB
- memory/3348-141-0x0000000001230000-0x0000000001240000-memory.dmp
  Filesize: 64KB