Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 31-10-2023 04:08
Behavioral task
- behavioral1
- Sample: bRce.exe
- Resource: win7-20231023-en
- 5 signatures
- 150 seconds
General
- Target: bRce.exe
- Size: 23KB
- MD5: 37bbdd80623474e7b479915629b4346e
- SHA1: a6ce0e8167530a7fdd57243a1fa551364e0e1943
- SHA256: 7b98971fec556ad5d6e994853395525da068c2f3e1cfd92b6388c37934e14533
- SHA512: 498160664478a1d134ee0ef1574ae1367c222f435bbf631566234ff5ed96b95fef1b7d9ce599e7c4ffc733fd2fd89e7ec971879e2beac51b51c0eb41b0a6bd9c
- SSDEEP: 384:GcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZRsYC:J30py6vhxaRpcnu0hC
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes: bRce.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\745fb02f1b6366ca13f958bd219cc7b3.exe | bRce.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\745fb02f1b6366ca13f958bd219cc7b3.exe | bRce.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: bRce.exe
  description | pid | process
  Token: SeDebugPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
  Token: 33 | 2436 | bRce.exe
  Token: SeIncBasePriorityPrivilege | 2436 | bRce.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: bRce.exe
  description | pid | process | target process
  PID 2436 wrote to memory of 2240 | 2436 | bRce.exe | netsh.exe
  PID 2436 wrote to memory of 2240 | 2436 | bRce.exe | netsh.exe
  PID 2436 wrote to memory of 2240 | 2436 | bRce.exe | netsh.exe
  PID 2436 wrote to memory of 2240 | 2436 | bRce.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bRce.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bRce.exe"
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (child of bRce.exe)
    command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bRce.exe" "bRce.exe" ENABLE
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory dump | filesize
memory/2436-0-0x0000000074070000-0x000000007461B000-memory.dmp | 5.7MB
memory/2436-1-0x0000000074070000-0x000000007461B000-memory.dmp | 5.7MB
memory/2436-2-0x0000000000CD0000-0x0000000000D10000-memory.dmp | 256KB
memory/2436-4-0x0000000074070000-0x000000007461B000-memory.dmp | 5.7MB
memory/2436-5-0x0000000074070000-0x000000007461B000-memory.dmp | 5.7MB
memory/2436-6-0x0000000000CD0000-0x0000000000D10000-memory.dmp | 256KB
memory/2436-7-0x0000000000CD0000-0x0000000000D10000-memory.dmp | 256KB
memory/2436-8-0x0000000000CD0000-0x0000000000D10000-memory.dmp | 256KB