Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 11-05-2024 16:28
Static task: static1
Behavioral task: behavioral1
- Sample: BrickHillSetup.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: BrickHillSetup.exe
- Resource: win10v2004-20240508-en
General
- Target: BrickHillSetup.exe
- Size: 1.6MB
- MD5: 085c248832ef03881059faec18eae7ff
- SHA1: 8477892aadc283f5d000b2c36e4c44c370f59727
- SHA256: d755331262471b1c5fb7c47ad5e0e5129f8c103f3e5df06120b3f8db61c31aae
- SHA512: 80d3327168c4597554f441cf29360d9ae982bd36afa7e6409c6e2b779eddc7a522f2bdcd190a82517fb445bf7714377f30a79c2cedea168f19139d82cc94c43f
- SSDEEP: 24576:u4nXubIQGyxbPV0db26ifZbRQKiFDhbGh3+shiy/wxwWIFgi5LPxf0XE:uqe3f60oKil5QhiyPbFT9eE
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    2368 | BrickHillSetup.tmp
    2920 | legacy_autoupdater.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    1808 | BrickHillSetup.exe
    2368 | BrickHillSetup.tmp
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (5 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe | BrickHillSetup.tmp
    File created | C:\Program Files (x86)\Brick Hill\unins000.dat | BrickHillSetup.tmp
    File created | C:\Program Files (x86)\Brick Hill\is-TTET3.tmp | BrickHillSetup.tmp
    File created | C:\Program Files (x86)\Brick Hill\is-0K84R.tmp | BrickHillSetup.tmp
    File opened for modification | C:\Program Files (x86)\Brick Hill\unins000.dat | BrickHillSetup.tmp
- Modifies registry class (6 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\URL Protocol | BrickHillSetup.tmp
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell | BrickHillSetup.tmp
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell\open | BrickHillSetup.tmp
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell\open\command | BrickHillSetup.tmp
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy\shell\open\command\ = "C:\\Program Files (x86)\\Brick Hill\\legacy_autoupdater.exe %1" | BrickHillSetup.tmp
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\brickhill.legacy | BrickHillSetup.tmp
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    2368 | BrickHillSetup.tmp
    2368 | BrickHillSetup.tmp
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2920 | legacy_autoupdater.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
    pid | process
    2368 | BrickHillSetup.tmp
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description | pid | process | target process
    PID 1808 wrote to memory of 2368 | 1808 | BrickHillSetup.exe | BrickHillSetup.tmp
    PID 1808 wrote to memory of 2368 | 1808 | BrickHillSetup.exe | BrickHillSetup.tmp
    PID 1808 wrote to memory of 2368 | 1808 | BrickHillSetup.exe | BrickHillSetup.tmp
    PID 1808 wrote to memory of 2368 | 1808 | BrickHillSetup.exe | BrickHillSetup.tmp
    PID 1808 wrote to memory of 2368 | 1808 | BrickHillSetup.exe | BrickHillSetup.tmp
    PID 1808 wrote to memory of 2368 | 1808 | BrickHillSetup.exe | BrickHillSetup.tmp
    PID 1808 wrote to memory of 2368 | 1808 | BrickHillSetup.exe | BrickHillSetup.tmp
    PID 2368 wrote to memory of 2920 | 2368 | BrickHillSetup.tmp | legacy_autoupdater.exe
    PID 2368 wrote to memory of 2920 | 2368 | BrickHillSetup.tmp | legacy_autoupdater.exe
    PID 2368 wrote to memory of 2920 | 2368 | BrickHillSetup.tmp | legacy_autoupdater.exe
    PID 2368 wrote to memory of 2920 | 2368 | BrickHillSetup.tmp | legacy_autoupdater.exe
    PID 2368 wrote to memory of 2920 | 2368 | BrickHillSetup.tmp | legacy_autoupdater.exe
    PID 2368 wrote to memory of 2920 | 2368 | BrickHillSetup.tmp | legacy_autoupdater.exe
    PID 2368 wrote to memory of 2920 | 2368 | BrickHillSetup.tmp | legacy_autoupdater.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe (PID 1808, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-HH0UB.tmp\BrickHillSetup.tmp (PID 2368, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-HH0UB.tmp\BrickHillSetup.tmp" /SL5="$40148,810935,780288,C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe (PID 2920, level 3)
      Command line: "C:\Program Files (x86)\Brick Hill\legacy_autoupdater.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- \Program Files (x86)\Brick Hill\legacy_autoupdater.exe
  Filesize: 739KB
  MD5: 89fa4ff754a6c62e9bfeaac61e7faccf
  SHA1: eaf18795d6442324429f44cda43d6cc36471f7e4
  SHA256: b148fbcefa7934109d472fff2cc37019febb6f7a05db4d78abbf57939b0a691d
  SHA512: dcec885762fb86ee5077ce5053d45d30570ffad106f06038f615dc400632a2633cdff1cde48436a325fbc3cf6862d5a2e1ee2f802b6dd7361f74d1a2afcb83c1
- \Users\Admin\AppData\Local\Temp\is-HH0UB.tmp\BrickHillSetup.tmp
  Filesize: 3.0MB
  MD5: 7e06750376491b308c2a6e35eca13b1b
  SHA1: 36ae9cc7ac76bc97288ff1c36c4aef9cbb8b1e47
  SHA256: 628a8a5e02456d23de8dec3a952f9e0ae3c464aa4a2ef884242e4486920828ac
  SHA512: a77e1d2917a5e77abb25732b056da980107550eb1e801c02f71db6c6941690fc20a4ee52700205d5c1d7f8a981b2b13c7fd6b79b582eeb1ce5f9c97f7e0ffea0
- memory/1808-0-0x0000000000400000-0x00000000004CC000-memory.dmp
  Filesize: 816KB
- memory/1808-2-0x0000000000401000-0x00000000004B7000-memory.dmp
  Filesize: 728KB
- memory/1808-28-0x0000000000400000-0x00000000004CC000-memory.dmp
  Filesize: 816KB
- memory/2368-9-0x0000000000400000-0x0000000000705000-memory.dmp
  Filesize: 3.0MB
- memory/2368-27-0x0000000000400000-0x0000000000705000-memory.dmp
  Filesize: 3.0MB
- memory/2920-21-0x0000000000F50000-0x000000000100E000-memory.dmp
  Filesize: 760KB