Resubmissions

Submitted           Task ID             Score
09-05-2024 16:32    240509-t2bf7sbe5v   7
09-05-2024 16:31    240509-t1q59sbe2y   7
09-05-2024 16:31    240509-t1dvyabd9x   7
09-05-2024 16:29    240509-tzhgqsee23   8
09-05-2024 16:28    240509-tyygkaed82   8

Analysis
max time kernel:  10s
max time network: 10s
platform:         windows11-21h2_x64
resource:         win11-20240508-en
resource tags:    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted:        09-05-2024 16:32
Static task:     static1
Behavioral task: behavioral1
Sample:          BrickHillSetup.exe
Resource:        win11-20240508-en
General

Target: BrickHillSetup.exe
Size:   1.6MB
MD5:    085c248832ef03881059faec18eae7ff
SHA1:   8477892aadc283f5d000b2c36e4c44c370f59727
SHA256: d755331262471b1c5fb7c47ad5e0e5129f8c103f3e5df06120b3f8db61c31aae
SHA512: 80d3327168c4597554f441cf29360d9ae982bd36afa7e6409c6e2b779eddc7a522f2bdcd190a82517fb445bf7714377f30a79c2cedea168f19139d82cc94c43f
SSDEEP: 24576:u4nXubIQGyxbPV0db26ifZbRQKiFDhbGh3+shiy/wxwWIFgi5LPxf0XE:uqe3f60oKil5QhiyPbFT9eE
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1208  BrickHillSetup.tmp
  428   legacy_autoupdater.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (5 IoCs)
Processes:
  description                   ioc                                                       process
  File created                  C:\Program Files (x86)\Brick Hill\is-L9KIC.tmp            BrickHillSetup.tmp
  File opened for modification  C:\Program Files (x86)\Brick Hill\unins000.dat            BrickHillSetup.tmp
  File opened for modification  C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe  BrickHillSetup.tmp
  File created                  C:\Program Files (x86)\Brick Hill\unins000.dat            BrickHillSetup.tmp
  File created                  C:\Program Files (x86)\Brick Hill\is-HLB7U.tmp            BrickHillSetup.tmp
Modifies registry class (6 IoCs)
Processes:
  description      ioc                                                                                                                                  process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy                                                                                  BrickHillSetup.tmp
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\URL Protocol                                                                     BrickHillSetup.tmp
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell                                                                            BrickHillSetup.tmp
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell\open                                                                       BrickHillSetup.tmp
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell\open\command                                                               BrickHillSetup.tmp
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell\open\command\ = "C:\\Program Files (x86)\\Brick Hill\\legacy_autoupdater.exe %1"  BrickHillSetup.tmp
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1208  BrickHillSetup.tmp
  1208  BrickHillSetup.tmp
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid  process
  Token: SeDebugPrivilege   428  legacy_autoupdater.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid   process
  1208  BrickHillSetup.tmp
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                     pid   process             target process
  PID 2812 wrote to memory of 1208  2812  BrickHillSetup.exe  BrickHillSetup.tmp
  PID 2812 wrote to memory of 1208  2812  BrickHillSetup.exe  BrickHillSetup.tmp
  PID 2812 wrote to memory of 1208  2812  BrickHillSetup.exe  BrickHillSetup.tmp
  PID 1208 wrote to memory of 428   1208  BrickHillSetup.tmp  legacy_autoupdater.exe
  PID 1208 wrote to memory of 428   1208  BrickHillSetup.tmp  legacy_autoupdater.exe
  PID 1208 wrote to memory of 428   1208  BrickHillSetup.tmp  legacy_autoupdater.exe
Processes

C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe"
  PID: 2812
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-M8KTC.tmp\BrickHillSetup.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-M8KTC.tmp\BrickHillSetup.tmp" /SL5="$6016A,810935,780288,C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe"
    PID: 1208
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe
      Command line: "C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe"
      PID: 428
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe
  Filesize: 739KB
  MD5:      89fa4ff754a6c62e9bfeaac61e7faccf
  SHA1:     eaf18795d6442324429f44cda43d6cc36471f7e4
  SHA256:   b148fbcefa7934109d472fff2cc37019febb6f7a05db4d78abbf57939b0a691d
  SHA512:   dcec885762fb86ee5077ce5053d45d30570ffad106f06038f615dc400632a2633cdff1cde48436a325fbc3cf6862d5a2e1ee2f802b6dd7361f74d1a2afcb83c1

C:\Users\Admin\AppData\Local\Temp\is-M8KTC.tmp\BrickHillSetup.tmp
  Filesize: 3.0MB
  MD5:      7e06750376491b308c2a6e35eca13b1b
  SHA1:     36ae9cc7ac76bc97288ff1c36c4aef9cbb8b1e47
  SHA256:   628a8a5e02456d23de8dec3a952f9e0ae3c464aa4a2ef884242e4486920828ac
  SHA512:   a77e1d2917a5e77abb25732b056da980107550eb1e801c02f71db6c6941690fc20a4ee52700205d5c1d7f8a981b2b13c7fd6b79b582eeb1ce5f9c97f7e0ffea0

Memory dumps:
  dump                                                             filesize
  memory/428-21-0x0000000073A60000-0x0000000074211000-memory.dmp   7.7MB
  memory/428-17-0x0000000073A6E000-0x0000000073A6F000-memory.dmp   4KB
  memory/428-18-0x0000000000340000-0x00000000003FE000-memory.dmp   760KB
  memory/428-19-0x0000000005480000-0x0000000005A26000-memory.dmp   5.6MB
  memory/428-20-0x0000000005070000-0x0000000005102000-memory.dmp   584KB
  memory/428-22-0x0000000005260000-0x000000000526A000-memory.dmp   40KB
  memory/428-27-0x0000000073A60000-0x0000000074211000-memory.dmp   7.7MB
  memory/1208-7-0x0000000000400000-0x0000000000705000-memory.dmp   3.0MB
  memory/1208-29-0x0000000000400000-0x0000000000705000-memory.dmp  3.0MB
  memory/2812-0-0x0000000000400000-0x00000000004CC000-memory.dmp   816KB
  memory/2812-2-0x0000000000401000-0x00000000004B7000-memory.dmp   728KB
  memory/2812-30-0x0000000000400000-0x00000000004CC000-memory.dmp  816KB