Resubmissions
09-05-2024 16:32
240509-t2bf7sbe5v 709-05-2024 16:31
240509-t1q59sbe2y 709-05-2024 16:31
240509-t1dvyabd9x 709-05-2024 16:29
240509-tzhgqsee23 809-05-2024 16:28
240509-tyygkaed82 8Analysis
-
max time kernel
10s -
max time network
10s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
09-05-2024 16:32
General
-
Target
BrickHillSetup.exe
-
Size
1.6MB
-
MD5
085c248832ef03881059faec18eae7ff
-
SHA1
8477892aadc283f5d000b2c36e4c44c370f59727
-
SHA256
d755331262471b1c5fb7c47ad5e0e5129f8c103f3e5df06120b3f8db61c31aae
-
SHA512
80d3327168c4597554f441cf29360d9ae982bd36afa7e6409c6e2b779eddc7a522f2bdcd190a82517fb445bf7714377f30a79c2cedea168f19139d82cc94c43f
-
SSDEEP
24576:u4nXubIQGyxbPV0db26ifZbRQKiFDhbGh3+shiy/wxwWIFgi5LPxf0XE:uqe3f60oKil5QhiyPbFT9eE
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 5 IoCs
-
Modifies registry class 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe"C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-M8KTC.tmp\BrickHillSetup.tmp"C:\Users\Admin\AppData\Local\Temp\is-M8KTC.tmp\BrickHillSetup.tmp" /SL5="$6016A,810935,780288,C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe"C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exeFilesize
739KB
MD589fa4ff754a6c62e9bfeaac61e7faccf
SHA1eaf18795d6442324429f44cda43d6cc36471f7e4
SHA256b148fbcefa7934109d472fff2cc37019febb6f7a05db4d78abbf57939b0a691d
SHA512dcec885762fb86ee5077ce5053d45d30570ffad106f06038f615dc400632a2633cdff1cde48436a325fbc3cf6862d5a2e1ee2f802b6dd7361f74d1a2afcb83c1
-
C:\Users\Admin\AppData\Local\Temp\is-M8KTC.tmp\BrickHillSetup.tmpFilesize
3.0MB
MD57e06750376491b308c2a6e35eca13b1b
SHA136ae9cc7ac76bc97288ff1c36c4aef9cbb8b1e47
SHA256628a8a5e02456d23de8dec3a952f9e0ae3c464aa4a2ef884242e4486920828ac
SHA512a77e1d2917a5e77abb25732b056da980107550eb1e801c02f71db6c6941690fc20a4ee52700205d5c1d7f8a981b2b13c7fd6b79b582eeb1ce5f9c97f7e0ffea0
-
memory/428-21-0x0000000073A60000-0x0000000074211000-memory.dmpFilesize
7.7MB
-
memory/428-17-0x0000000073A6E000-0x0000000073A6F000-memory.dmpFilesize
4KB
-
memory/428-18-0x0000000000340000-0x00000000003FE000-memory.dmpFilesize
760KB
-
memory/428-19-0x0000000005480000-0x0000000005A26000-memory.dmpFilesize
5.6MB
-
memory/428-20-0x0000000005070000-0x0000000005102000-memory.dmpFilesize
584KB
-
memory/428-22-0x0000000005260000-0x000000000526A000-memory.dmpFilesize
40KB
-
memory/428-27-0x0000000073A60000-0x0000000074211000-memory.dmpFilesize
7.7MB
-
memory/1208-7-0x0000000000400000-0x0000000000705000-memory.dmpFilesize
3.0MB
-
memory/1208-29-0x0000000000400000-0x0000000000705000-memory.dmpFilesize
3.0MB
-
memory/2812-0-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2812-2-0x0000000000401000-0x00000000004B7000-memory.dmpFilesize
728KB
-
memory/2812-30-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB