Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-10-2023 04:08
Behavioral task
behavioral1
Sample: bRce.exe
Resource: win7-20231023-en
5 signatures
150 seconds
General
Target: bRce.exe
Size: 23KB
MD5: 37bbdd80623474e7b479915629b4346e
SHA1: a6ce0e8167530a7fdd57243a1fa551364e0e1943
SHA256: 7b98971fec556ad5d6e994853395525da068c2f3e1cfd92b6388c37934e14533
SHA512: 498160664478a1d134ee0ef1574ae1367c222f435bbf631566234ff5ed96b95fef1b7d9ce599e7c4ffc733fd2fd89e7ec971879e2beac51b51c0eb41b0a6bd9c
SSDEEP: 384:GcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZRsYC:J30py6vhxaRpcnu0hC
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
Processes: bRce.exe
  description                  | ioc                                                                                                                    | process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\745fb02f1b6366ca13f958bd219cc7b3.exe | bRce.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\745fb02f1b6366ca13f958bd219cc7b3.exe | bRce.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: bRce.exe
  description                        | pid | process
  Token: SeDebugPrivilege            | 536 | bRce.exe
  Token: 33                          | 536 | bRce.exe   (repeated 17 times, alternating with the row below)
  Token: SeIncBasePriorityPrivilege  | 536 | bRce.exe   (repeated 17 times)
  Note: "Token: 33" is a numeric privilege LUID that the report does not resolve to a privilege name.
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes: bRce.exe
  description                       | pid | process  | target process
  PID 536 wrote to memory of 3176   | 536 | bRce.exe | netsh.exe
  PID 536 wrote to memory of 3176   | 536 | bRce.exe | netsh.exe
  PID 536 wrote to memory of 3176   | 536 | bRce.exe | netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\bRce.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\bRce.exe"
   - Drops startup file
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. (child) C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bRce.exe" "bRce.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/536-0-0x0000000074760000-0x0000000074D11000-memory.dmp (Filesize: 5.7MB)
- memory/536-1-0x0000000074760000-0x0000000074D11000-memory.dmp (Filesize: 5.7MB)
- memory/536-2-0x0000000001040000-0x0000000001050000-memory.dmp (Filesize: 64KB)
- memory/536-4-0x0000000074760000-0x0000000074D11000-memory.dmp (Filesize: 5.7MB)
- memory/536-5-0x0000000074760000-0x0000000074D11000-memory.dmp (Filesize: 5.7MB)
- memory/536-6-0x0000000001040000-0x0000000001050000-memory.dmp (Filesize: 64KB)
- memory/536-7-0x0000000001040000-0x0000000001050000-memory.dmp (Filesize: 64KB)
- memory/536-8-0x0000000001040000-0x0000000001050000-memory.dmp (Filesize: 64KB)