d755331262471b1c5fb7c47ad5e0e5129f8c103f3e5df06120b3f8db61c31aae

General

Target

BrickHillSetup.exe
Size

1.6MB
MD5

085c248832ef03881059faec18eae7ff
SHA1

8477892aadc283f5d000b2c36e4c44c370f59727
SHA256

d755331262471b1c5fb7c47ad5e0e5129f8c103f3e5df06120b3f8db61c31aae
SHA512

80d3327168c4597554f441cf29360d9ae982bd36afa7e6409c6e2b779eddc7a522f2bdcd190a82517fb445bf7714377f30a79c2cedea168f19139d82cc94c43f
SSDEEP

24576:u4nXubIQGyxbPV0db26ifZbRQKiFDhbGh3+shiy/wxwWIFgi5LPxf0XE:uqe3f60oKil5QhiyPbFT9eE

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

BrickHillSetup.tmplegacy_autoupdater.exe

pid process

2804 BrickHillSetup.tmp
3908 legacy_autoupdater.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2804	BrickHillSetup.tmp
3908	legacy_autoupdater.exe

Drops file in Program Files directory 5 IoCs

Processes:

BrickHillSetup.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe	BrickHillSetup.tmp
File created	C:\Program Files (x86)\Brick Hill\unins000.dat	BrickHillSetup.tmp
File created	C:\Program Files (x86)\Brick Hill\is-K1IIK.tmp	BrickHillSetup.tmp
File created	C:\Program Files (x86)\Brick Hill\is-OATUB.tmp	BrickHillSetup.tmp
File opened for modification	C:\Program Files (x86)\Brick Hill\unins000.dat	BrickHillSetup.tmp

Modifies registry class 6 IoCs

Processes:

BrickHillSetup.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy	BrickHillSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\URL Protocol	BrickHillSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell	BrickHillSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell\open	BrickHillSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell\open\command	BrickHillSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell\open\command\ = "C:\\Program Files (x86)\\Brick Hill\\legacy_autoupdater.exe %1"	BrickHillSetup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

BrickHillSetup.tmp

pid process

2804 BrickHillSetup.tmp
2804 BrickHillSetup.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

legacy_autoupdater.exe

description pid process

Token: SeDebugPrivilege 3908 legacy_autoupdater.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

BrickHillSetup.tmp

pid process

2804 BrickHillSetup.tmp

pid	process
2804	BrickHillSetup.tmp
2804	BrickHillSetup.tmp

description	pid	process
Token: SeDebugPrivilege	3908	legacy_autoupdater.exe

pid	process
2804	BrickHillSetup.tmp

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

BrickHillSetup.exeBrickHillSetup.tmp

description	pid	process	target process
PID 2476 wrote to memory of 2804	2476	BrickHillSetup.exe	BrickHillSetup.tmp
PID 2476 wrote to memory of 2804	2476	BrickHillSetup.exe	BrickHillSetup.tmp
PID 2476 wrote to memory of 2804	2476	BrickHillSetup.exe	BrickHillSetup.tmp
PID 2804 wrote to memory of 3908	2804	BrickHillSetup.tmp	legacy_autoupdater.exe
PID 2804 wrote to memory of 3908	2804	BrickHillSetup.tmp	legacy_autoupdater.exe
PID 2804 wrote to memory of 3908	2804	BrickHillSetup.tmp	legacy_autoupdater.exe

C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe
"C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Admin\AppData\Local\Temp\is-5C5PE.tmp\BrickHillSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5C5PE.tmp\BrickHillSetup.tmp" /SL5="$701EA,810935,780288,C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2804

C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe
"C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe
Filesize
739KB

MD5
89fa4ff754a6c62e9bfeaac61e7faccf

SHA1
eaf18795d6442324429f44cda43d6cc36471f7e4

SHA256
b148fbcefa7934109d472fff2cc37019febb6f7a05db4d78abbf57939b0a691d

SHA512
dcec885762fb86ee5077ce5053d45d30570ffad106f06038f615dc400632a2633cdff1cde48436a325fbc3cf6862d5a2e1ee2f802b6dd7361f74d1a2afcb83c1

Download Submit
C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe
Filesize
739KB

MD5
89fa4ff754a6c62e9bfeaac61e7faccf

SHA1
eaf18795d6442324429f44cda43d6cc36471f7e4

SHA256
b148fbcefa7934109d472fff2cc37019febb6f7a05db4d78abbf57939b0a691d

SHA512
dcec885762fb86ee5077ce5053d45d30570ffad106f06038f615dc400632a2633cdff1cde48436a325fbc3cf6862d5a2e1ee2f802b6dd7361f74d1a2afcb83c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5C5PE.tmp\BrickHillSetup.tmp
Filesize
3.0MB

MD5
7e06750376491b308c2a6e35eca13b1b

SHA1
36ae9cc7ac76bc97288ff1c36c4aef9cbb8b1e47

SHA256
628a8a5e02456d23de8dec3a952f9e0ae3c464aa4a2ef884242e4486920828ac

SHA512
a77e1d2917a5e77abb25732b056da980107550eb1e801c02f71db6c6941690fc20a4ee52700205d5c1d7f8a981b2b13c7fd6b79b582eeb1ce5f9c97f7e0ffea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5C5PE.tmp\BrickHillSetup.tmp
Filesize
3.0MB

MD5
7e06750376491b308c2a6e35eca13b1b

SHA1
36ae9cc7ac76bc97288ff1c36c4aef9cbb8b1e47

SHA256
628a8a5e02456d23de8dec3a952f9e0ae3c464aa4a2ef884242e4486920828ac

SHA512
a77e1d2917a5e77abb25732b056da980107550eb1e801c02f71db6c6941690fc20a4ee52700205d5c1d7f8a981b2b13c7fd6b79b582eeb1ce5f9c97f7e0ffea0

Download Submit
memory/2476-140-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2476-151-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2476-121-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2804-145-0x0000000000400000-0x0000000000705000-memory.dmp

Filesize
3.0MB

Download
memory/2804-146-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2804-150-0x0000000000400000-0x0000000000705000-memory.dmp

Filesize
3.0MB

Download
memory/2804-126-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/3908-139-0x0000000004EA0000-0x0000000004F32000-memory.dmp

Filesize
584KB

Download
memory/3908-138-0x0000000005300000-0x00000000057FE000-memory.dmp

Filesize
5.0MB

Download
memory/3908-141-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/3908-142-0x0000000005010000-0x000000000501A000-memory.dmp

Filesize
40KB

Download
memory/3908-137-0x0000000000440000-0x00000000004FE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads