Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-10-2023 07:08
Behavioral task: behavioral1
Sample: bRcl.exe
Resource: win7-20231020-en
5 signatures, 150 seconds
General
Target: bRcl.exe
Size: 23KB
MD5: 4147636832178d0029c0728397c563e3
SHA1: 4caa679de73f4733eef673228164f0e2da433ff7
SHA256: 138f3ba0bc1a8074a50b7c2d6c219c573987495dd897e594549bd2950f5d4072
SHA512: 1c24b5834cfb88f9d0e5faf377829fc826a72167a9704669657b5a5388d1bd14e667e0581ecda207e1fd27ec038944b9661dd8510de065fd0913c47c395ba397
SSDEEP: 384:boWSkWHa55BgDVRGipkItzY6vZg36Eh7FpmRvR6JZlbw8hqIusZzZPF:0Juk9pHRpcnuK
Malware Config
Signatures

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Drops startup file (2 IoCs)
Processes: bRcl.exe
  description                   ioc                                                                                                     process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\86230292ec2540faa33eb4bb71952fb5.exe   bRcl.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\86230292ec2540faa33eb4bb71952fb5.exe   bRcl.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: bRcl.exe
  description                        pid   process
  Token: SeDebugPrivilege            4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe
  Token: 33                          4436  bRcl.exe
  Token: SeIncBasePriorityPrivilege  4436  bRcl.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: bRcl.exe
  description                        pid   process   target process
  PID 4436 wrote to memory of 2988   4436  bRcl.exe  netsh.exe
  PID 4436 wrote to memory of 2988   4436  bRcl.exe  netsh.exe
  PID 4436 wrote to memory of 2988   4436  bRcl.exe  netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\bRcl.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\bRcl.exe"
   - Drops startup file
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (child of 1)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bRcl.exe" "bRcl.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/4436-0-0x0000000074B60000-0x0000000075111000-memory.dmp  Filesize 5.7MB
memory/4436-1-0x0000000074B60000-0x0000000075111000-memory.dmp  Filesize 5.7MB
memory/4436-2-0x0000000000C00000-0x0000000000C10000-memory.dmp  Filesize 64KB
memory/4436-3-0x0000000074B60000-0x0000000075111000-memory.dmp  Filesize 5.7MB
memory/4436-4-0x0000000000C00000-0x0000000000C10000-memory.dmp  Filesize 64KB
memory/4436-6-0x0000000000C00000-0x0000000000C10000-memory.dmp  Filesize 64KB
memory/4436-7-0x0000000000C00000-0x0000000000C10000-memory.dmp  Filesize 64KB