d755331262471b1c5fb7c47ad5e0e5129f8c103f3e5df06120b3f8db61c31aae

General

Target

BrickHillSetup.exe
Size

1.6MB
MD5

085c248832ef03881059faec18eae7ff
SHA1

8477892aadc283f5d000b2c36e4c44c370f59727
SHA256

d755331262471b1c5fb7c47ad5e0e5129f8c103f3e5df06120b3f8db61c31aae
SHA512

80d3327168c4597554f441cf29360d9ae982bd36afa7e6409c6e2b779eddc7a522f2bdcd190a82517fb445bf7714377f30a79c2cedea168f19139d82cc94c43f
SSDEEP

24576:u4nXubIQGyxbPV0db26ifZbRQKiFDhbGh3+shiy/wxwWIFgi5LPxf0XE:uqe3f60oKil5QhiyPbFT9eE

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

BrickHillSetup.tmplegacy_autoupdater.exelegacy_autoupdater.exeunins000.exe_iu14D2N.tmp

pid process

1852 BrickHillSetup.tmp
1880 legacy_autoupdater.exe
2916 legacy_autoupdater.exe
3808 unins000.exe
5048 _iu14D2N.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1852	BrickHillSetup.tmp
1880	legacy_autoupdater.exe
2916	legacy_autoupdater.exe
3808	unins000.exe
5048	_iu14D2N.tmp

Drops file in Program Files directory 6 IoCs

Processes:

BrickHillSetup.tmp_iu14D2N.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe	BrickHillSetup.tmp
File created	C:\Program Files (x86)\Brick Hill\unins000.dat	BrickHillSetup.tmp
File created	C:\Program Files (x86)\Brick Hill\is-82PVJ.tmp	BrickHillSetup.tmp
File created	C:\Program Files (x86)\Brick Hill\is-79NGT.tmp	BrickHillSetup.tmp
File opened for modification	C:\Program Files (x86)\Brick Hill\unins000.dat	BrickHillSetup.tmp
File opened for modification	C:\Program Files (x86)\Brick Hill\unins000.dat	_iu14D2N.tmp

Modifies registry class 10 IoCs

Processes:

BrickHillSetup.tmp_iu14D2N.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell\open	BrickHillSetup.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell\open\command	_iu14D2N.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell	_iu14D2N.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy	_iu14D2N.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell\open	_iu14D2N.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy	BrickHillSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\URL Protocol	BrickHillSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell	BrickHillSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell\open\command	BrickHillSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell\open\command\ = "C:\\Program Files (x86)\\Brick Hill\\legacy_autoupdater.exe %1"	BrickHillSetup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

BrickHillSetup.tmp

pid process

1852 BrickHillSetup.tmp
1852 BrickHillSetup.tmp
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

legacy_autoupdater.exelegacy_autoupdater.exe

description pid process

Token: SeDebugPrivilege 1880 legacy_autoupdater.exe
Token: SeDebugPrivilege 2916 legacy_autoupdater.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

BrickHillSetup.tmp_iu14D2N.tmp

pid process

1852 BrickHillSetup.tmp
5048 _iu14D2N.tmp

pid	process
1852	BrickHillSetup.tmp
1852	BrickHillSetup.tmp

description	pid	process
Token: SeDebugPrivilege	1880	legacy_autoupdater.exe
Token: SeDebugPrivilege	2916	legacy_autoupdater.exe

pid	process
1852	BrickHillSetup.tmp
5048	_iu14D2N.tmp

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

BrickHillSetup.exeBrickHillSetup.tmpunins000.exe

description	pid	process	target process
PID 2408 wrote to memory of 1852	2408	BrickHillSetup.exe	BrickHillSetup.tmp
PID 2408 wrote to memory of 1852	2408	BrickHillSetup.exe	BrickHillSetup.tmp
PID 2408 wrote to memory of 1852	2408	BrickHillSetup.exe	BrickHillSetup.tmp
PID 1852 wrote to memory of 1880	1852	BrickHillSetup.tmp	legacy_autoupdater.exe
PID 1852 wrote to memory of 1880	1852	BrickHillSetup.tmp	legacy_autoupdater.exe
PID 1852 wrote to memory of 1880	1852	BrickHillSetup.tmp	legacy_autoupdater.exe
PID 3808 wrote to memory of 5048	3808	unins000.exe	_iu14D2N.tmp
PID 3808 wrote to memory of 5048	3808	unins000.exe	_iu14D2N.tmp
PID 3808 wrote to memory of 5048	3808	unins000.exe	_iu14D2N.tmp

C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe
"C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Local\Temp\is-VPU23.tmp\BrickHillSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VPU23.tmp\BrickHillSetup.tmp" /SL5="$7006C,810935,780288,C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1852

C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe
"C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3044

C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe
"C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Program Files (x86)\Brick Hill\unins000.exe
"C:\Program Files (x86)\Brick Hill\unins000.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808

C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
"C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files (x86)\Brick Hill\unins000.exe" /FIRSTPHASEWND=$A01DC
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe
Filesize
739KB

MD5
89fa4ff754a6c62e9bfeaac61e7faccf

SHA1
eaf18795d6442324429f44cda43d6cc36471f7e4

SHA256
b148fbcefa7934109d472fff2cc37019febb6f7a05db4d78abbf57939b0a691d

SHA512
dcec885762fb86ee5077ce5053d45d30570ffad106f06038f615dc400632a2633cdff1cde48436a325fbc3cf6862d5a2e1ee2f802b6dd7361f74d1a2afcb83c1

Download Submit
C:\Program Files (x86)\Brick Hill\unins000.dat
Filesize
1KB

MD5
a1698e24e67cc9e02958377a2be57077

SHA1
2e282122253148bf5c9dd3ca6ed358e26beceb99

SHA256
7b70cb92a1131e9860a0999c7d6b9467416fe3baf61876a865f35b3591e294cf

SHA512
4a390488baa2a6b50b6c5e0859b0dc988d417f580294757557405941b94e275f73f209dd76c0379ec06a5ca09a35d727576e5e0e7ef22ffeece05a2b623758a7

Download Submit
C:\Program Files (x86)\Brick Hill\unins000.exe
Filesize
3.0MB

MD5
b8d4d91a34b55b7e120e48b9939d8de9

SHA1
8060ad07c6184c8b4293856a0b12b4fbc3bc1e17

SHA256
cc565ffb8045c64a1e5ddf149c1be1b4a7de3fa99e5b9b320d0be1bd850ae537

SHA512
f31ed8ddf41ab77611d388cbdb0cbab91f51f6cece67af917b47eea845d7d60586766b566a5187bb0ae81df3d9979e96d0af72d3a98215feb8fcb713b25b9a4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legacy_autoupdater.exe.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VPU23.tmp\BrickHillSetup.tmp
Filesize
3.0MB

MD5
7e06750376491b308c2a6e35eca13b1b

SHA1
36ae9cc7ac76bc97288ff1c36c4aef9cbb8b1e47

SHA256
628a8a5e02456d23de8dec3a952f9e0ae3c464aa4a2ef884242e4486920828ac

SHA512
a77e1d2917a5e77abb25732b056da980107550eb1e801c02f71db6c6941690fc20a4ee52700205d5c1d7f8a981b2b13c7fd6b79b582eeb1ce5f9c97f7e0ffea0

Download Submit
C:\Users\Admin\AppData\Roaming\Brick Hill\version
Filesize
10B

MD5
d40e2bfd2a8802c4fc7edf43711ff88a

SHA1
ce02401e290a0b6e891cf14646bdcf70a83e330a

SHA256
ce45fa3402aa2c306d022092afc47400efbf1e42e3d27cc1a4bd377b163a2b75

SHA512
a4546c33ec5d961b09d9e2a2d36d57d2a75c889e05397b16b64817a18713f4cc6a29531bd8a6167c55ef012b8eb5704b345e5c20796342ccdd5f9bf85129d61b

Download Submit
memory/1852-29-0x0000000000400000-0x0000000000705000-memory.dmp

Filesize
3.0MB

Download
memory/1852-6-0x0000000000400000-0x0000000000705000-memory.dmp

Filesize
3.0MB

Download
memory/1880-17-0x00000000733CE000-0x00000000733CF000-memory.dmp

Filesize
4KB

Download
memory/1880-21-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/1880-22-0x0000000005D20000-0x0000000005D2A000-memory.dmp

Filesize
40KB

Download
memory/1880-27-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/1880-20-0x0000000005B40000-0x0000000005BD2000-memory.dmp

Filesize
584KB

Download
memory/1880-19-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download
memory/1880-18-0x0000000000F80000-0x000000000103E000-memory.dmp

Filesize
760KB

Download
memory/2408-30-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2408-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2408-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3808-43-0x0000000000400000-0x0000000000705000-memory.dmp

Filesize
3.0MB

Download
memory/5048-45-0x0000000000400000-0x0000000000705000-memory.dmp

Filesize
3.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads