Overview

overview

7

Static

static

3

BrickHillSetup.exe

windows11-21h2-x64

Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231215-en
  • resource tags

    arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    01-02-2024 11:35

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    BrickHillSetup.exe

  • Size

    1.6MB

  • MD5

    085c248832ef03881059faec18eae7ff

  • SHA1

    8477892aadc283f5d000b2c36e4c44c370f59727

  • SHA256

    d755331262471b1c5fb7c47ad5e0e5129f8c103f3e5df06120b3f8db61c31aae

  • SHA512

    80d3327168c4597554f441cf29360d9ae982bd36afa7e6409c6e2b779eddc7a522f2bdcd190a82517fb445bf7714377f30a79c2cedea168f19139d82cc94c43f

  • SSDEEP

    24576:u4nXubIQGyxbPV0db26ifZbRQKiFDhbGh3+shiy/wxwWIFgi5LPxf0XE:uqe3f60oKil5QhiyPbFT9eE

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 64 IoCs
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Users\Admin\AppData\Local\Temp\is-Q49F0.tmp\BrickHillSetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-Q49F0.tmp\BrickHillSetup.tmp" /SL5="$A0082,810935,780288,C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe"
      2⤵
      • Executes dropped EXE
      PID:2132
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
      PID:3796
    • C:\Windows\System32\oobe\UserOOBEBroker.exe
      C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      PID:2592
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
      C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
      1⤵
        PID:988
      • C:\Windows\system32\SystemSettingsAdminFlows.exe
        "C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
        1⤵
        • Loads dropped DLL
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2632
      • C:\Windows\System32\vdsldr.exe
        C:\Windows\System32\vdsldr.exe -Embedding
        1⤵
          PID:1092
        • C:\Windows\System32\vds.exe
          C:\Windows\System32\vds.exe
          1⤵
          • Checks SCSI registry key(s)
          PID:4264
        • C:\Windows\System32\vdsldr.exe
          C:\Windows\System32\vdsldr.exe -Embedding
          1⤵
            PID:1224
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2420
          • C:\Windows\system32\LogonUI.exe
            "LogonUI.exe" /flags:0x4 /state0:0xa3a22055 /state1:0x41c64e6d
            1⤵
            • Modifies data under HKEY_USERS
            • Suspicious use of SetWindowsHookEx
            PID:2064

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\$SysReset\Logs\ResetConfig.ini
            Filesize

            186B

            MD5

            47069918e9e83eb02bff5ce5498c9bbd

            SHA1

            17ffee2e0ddfec27bba8c1a3550d57c7f92960d5

            SHA256

            e7688a4bb28fbb7b562886e29da34887d6189a52041de39b538d5c2caf3c932e

            SHA512

            7a0d2ed36988aa921e0e09779bb8defe38133c8f6add2159cceeee59f5083d391fea2f7bee961b5bba4767e75eea8a2670e7900290c17ce7cc80fae7e037a4c1

            Download Submit
          • C:\$SysReset\Logs\ResetConfig.ini
            Filesize

            139B

            MD5

            27789b9569864c5733c5b4b70aca6f29

            SHA1

            c5384b58a714aa4efde897bd6ac983c3e66c68ee

            SHA256

            3aa5a68ed86f1495e52a315e5eb8e63223a8ad9a5a088e4c86561e0d7082bf3e

            SHA512

            af48531910214538de481e547d03d59b00a5f4ca225fa206a0b2015f194243467cda48d7c8c52cebb6c9c704360aace6ce2068b604fe29b254180d4e25697a88

            Download Submit
          • C:\$SysReset\Logs\setupact.log
            Filesize

            115KB

            MD5

            6b88dcbc0d9ba3ea8f23d986e488fe75

            SHA1

            18df4da220ad9d051f8d62309e9bc9252833eecb

            SHA256

            cfb2c005a565229af303d337c126d9441b9047b674464726508be0d722c325b2

            SHA512

            3d0d5c555f41cd3bd99112b8c6d69c9418d11325accf43a54a2a1dc0a2d69d5faaa58b695fcaf1cd0cf972d96e1fabeee1d6711ca5a559b9ff1fc0f63305e17e

            Download Submit
          • C:\$SysReset\Logs\setuperr.log
            Filesize

            974B

            MD5

            22a15fcb1869f5c1428523acd43c7fe1

            SHA1

            d71638a3fc0dfe46f2be9168a9d6c9af05cc0fa2

            SHA256

            e1d6f853b25d5a44b20bb538780256b21986c69464d155c071274478c5a7a5e2

            SHA512

            d8abd0de61562c88915e34bb45296c03b1aee3ae0b4f424896cde1b96a117a8a00970d0de8837e85bd91ad22bee082034c8dbfd42bf7804ad1bf6a244403f6d7

            Download Submit
          • C:\$SysReset\ResetSession.xml
            Filesize

            7KB

            MD5

            e4711f13b214beff5cdd98870d96c775

            SHA1

            68001eb945ef5f7e61dde5b81b2e0ed936f6ab3d

            SHA256

            6417e6ac52d4aa241504d51f30882250ec02b6d4dfd53f674bf2f10ec19cecbb

            SHA512

            ad872fdd4051b23762e807f1eab2d05a3aefff0d989bd898a4f0b95cdfe81da4ac087b0a4272d2a59bf2dbbbde4893231988ec66000640729f1930791ddee833

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\is-Q49F0.tmp\BrickHillSetup.tmp
            Filesize

            369KB

            MD5

            adb120f932d838a4f9c2fbf564c8bfb1

            SHA1

            f8dec889e5191639ce53b3e5d8a38697e5d28eaa

            SHA256

            af09dafd516de074df7dbf28cdacd1c1d5b47087cfe43450044c17be084f5f9e

            SHA512

            cc2cf65b10d104ca951adee6ee2711e6ed6bf741a1cb8283653ebc54b420ac009c7b2fba40a325dba056846d544a17e0fc4e473a140aba2600f7ca77ec617ef8

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\{5CBEB16F-2428-4E42-B976-A22124BDE5F3}\ssshim.dll
            Filesize

            148KB

            MD5

            3de653713e705e001c3f0be1efc51ed3

            SHA1

            63565592c266226d36604933e51725e90010da25

            SHA256

            c78ebef77e03135b3cea0705d4c259d782ed80746faea4e9f4a851e494fa94f9

            SHA512

            7db1063fa2a7c0bcf394d7a20984ab1b501cb24fae5e801addace77424ba773c948a87d8c3fb38f06366b1478f70ba0278c48f219d224ff6e904ff2ee161fb4e

            Download Submit
          • C:\Windows\Logs\PBR\SessionID.xml
            Filesize

            106B

            MD5

            f62c016d8c3704840605342912496cb2

            SHA1

            52db83877c68f0c6231920d21f385aabf2295a11

            SHA256

            58e08c49e8edc95f0d7601e7da6964aefc3b309dcf05d40052a122526cdcf2f5

            SHA512

            7c33ebad61c3eab915b6387ac5a1f0c2330c2a9e5e2e961223ed6f31ea9b11e01eb28bb11db98a8bb023951fc8a0007074790a20bfc8e3a319310f90c3476ac2

            Download Submit
          • C:\Windows\Logs\PBR\Timestamp.xml
            Filesize

            42B

            MD5

            1e8e94976521234d29f736b4371d833e

            SHA1

            127994f619b96c2dd61db537edda0e6c71700ef1

            SHA256

            29227c2bca947358a7de7082eec2c490e61abb3c56f1181c600d8fedcfce5733

            SHA512

            5aa42530e4b4cd3c1173e97fe277fe22feadbb605c9803851b4cf6c992fe9fafb30bfad6b625a3a62ce7ed7adab6f4faca4737dca693a663a73a3f9a060a0daf

            Download Submit
          • C:\Windows\Logs\PBR\WinRE\bootstat.dat
            Filesize

            66KB

            MD5

            668d82b83f8c52c0e5368a44b7eaa5a4

            SHA1

            069ec5b3f9ae609baafe6e59651dd361a9c6b33f

            SHA256

            106beb7dabcde632548e4e752c3c6222936ba8ddc2cf7e4864296070bd0553e1

            SHA512

            e475a3b75a9fbd00c80da10debf287cbfa06a7d583cbc886e42db81f9e0b32f2dc6c3676181d430699bfb2ffe0c71f5e40bd80836d5c2794840d7d1ab0d9b98d

            Download Submit
          • C:\Windows\Panther\UnattendGC\diagwrn.xml
            Filesize

            12KB

            MD5

            59b76eee2c8bb5d58c83c9aa70b74f9c

            SHA1

            71a79bdd2611769d320517a1ed3989f6639d6aa7

            SHA256

            dbd958b3729f14ebb7119c736419a80f0be16240a8389c9366a90117cf365543

            SHA512

            adbd369c77d34daf2b0237e2914f58daa8d048e88671aacd1e4855c5a0321103297e59a588973c40a702c7cb5e8c5c14b0ebd27eaab2e6f9ae427c83ca5bf793

            Download Submit
          • C:\Windows\System32\Recovery\ReAgent.xml
            Filesize

            1KB

            MD5

            8e90c41bcb27192c11c4d2658c8eab9c

            SHA1

            47b03a04a351b5809d3b2b881e51f08e3a59ce29

            SHA256

            5f0dc356410e6b895c5c64bfefeb715d100ec76745892f42e571fd20abdc6687

            SHA512

            157417de446163d08f5d0aa6868fa8afe7f89425c828d1c39001aaac6f3a6870f8c4bcb4406944438b9fba74e7cbf7243f89aae89b5527511fb2a5dc08bec2a9

            Download Submit
          • memory/2132-15-0x0000000002910000-0x0000000002911000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2132-9-0x0000000000400000-0x0000000000705000-memory.dmp
            Filesize

            3.0MB

            Download
          • memory/2132-6-0x0000000002910000-0x0000000002911000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4736-1-0x0000000000400000-0x00000000004CC000-memory.dmp
            Filesize

            816KB

            Download
          • memory/4736-8-0x0000000000400000-0x00000000004CC000-memory.dmp
            Filesize

            816KB

            Download