Analysis

max time kernel: 141s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 03:37

Static task: static1

Behavioral task: behavioral1
  Sample: Heist Editor 3.6.3.1Community.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: Heist Editor 3.6.3.1Community.exe
  Resource: win10v2004-20240611-en
General

Target: Heist Editor 3.6.3.1Community.exe
Size: 8.4MB
MD5: e2a942481a3c1489bce0adea0bb9e8ce
SHA1: 29970574fe0f8c0f4597b4cd8c4694e9d746dd00
SHA256: 558a9fe5d58f6457f4d9fadd412c53e29d8748d41597df7c696f1353bd5a3f3f
SHA512: 18b1ad732b80f238f77ead0cb8ceabfcb54f8b766847abc748f4d273d2f7f03a56896efcee39f1f36c52c47db1526dbef5add33db5b996bed52e74556b1216ce
SSDEEP: 196608:RXdz2vbYWAsmIWCj6ckBVly956WZs80kcsn0ukU7p5:Hyv8UWTNyH6K6TsZP7p5
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Heist Editor 3.6.3.1Community.exe
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Heist Editor 3.6.3.1Community.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Heist Editor 3.6.3.1Community.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Heist Editor 3.6.3.1Community.exe
Checks whether UAC is enabled
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Heist Editor 3.6.3.1Community.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description | ioc | process):
  File opened for modification | \??\PhysicalDrive0 | Heist Editor 3.6.3.1Community.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes (pid | process):
  3016 | Heist Editor 3.6.3.1Community.exe
Modifies Internet Explorer settings
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Modifies registry class 44 IoCs
Opens file in notepad (likely ransom note) 1 IoCs
Processes (pid | process):
  2772 | notepad.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes (pid | process):
  2776 | explorer.exe
  3016 | Heist Editor 3.6.3.1Community.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid | process):
  3016 | Heist Editor 3.6.3.1Community.exe
  3016 | Heist Editor 3.6.3.1Community.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description | pid | process | target process):
  PID 3016 wrote to memory of 2116 | 3016 | Heist Editor 3.6.3.1Community.exe | cmd.exe
  PID 3016 wrote to memory of 2116 | 3016 | Heist Editor 3.6.3.1Community.exe | cmd.exe
  PID 3016 wrote to memory of 2116 | 3016 | Heist Editor 3.6.3.1Community.exe | cmd.exe
  PID 2116 wrote to memory of 2664 | 2116 | cmd.exe | explorer.exe
  PID 2116 wrote to memory of 2664 | 2116 | cmd.exe | explorer.exe
  PID 2116 wrote to memory of 2664 | 2116 | cmd.exe | explorer.exe
  PID 3016 wrote to memory of 2612 | 3016 | Heist Editor 3.6.3.1Community.exe | cmd.exe
  PID 3016 wrote to memory of 2612 | 3016 | Heist Editor 3.6.3.1Community.exe | cmd.exe
  PID 3016 wrote to memory of 2612 | 3016 | Heist Editor 3.6.3.1Community.exe | cmd.exe
  PID 2612 wrote to memory of 2772 | 2612 | cmd.exe | notepad.exe
  PID 2612 wrote to memory of 2772 | 2612 | cmd.exe | notepad.exe
  PID 2612 wrote to memory of 2772 | 2612 | cmd.exe | notepad.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Heist Editor 3.6.3.1Community.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Heist Editor 3.6.3.1Community.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c explorer/select,C:\Users\Admin\HELanguage.hel
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\explorer.exe
         Command line: explorer /select,C:\Users\Admin\HELanguage.hel

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c start notepad C:\Users\Admin\HELanguage.hel
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\notepad.exe
         Command line: notepad C:\Users\Admin\HELanguage.hel
         - Opens file in notepad (likely ransom note)

1. C:\Windows\explorer.exe
   Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
   - Modifies Internet Explorer settings
   - Modifies registry class
   - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\HELanguage.hel
  Filesize: 10KB
  MD5: e48671f08c254445aab192942dbf6059
  SHA1: e349a76d4d6562e81fb1b7cd9bec0a79a2adce4f
  SHA256: 7c642b8a501c94cd614f1178b2d11e3d39557ae5a26bd8e17e6c2a29f7790bcc
  SHA512: d33216bd275286dfb8891b374e88e9f91bcb9f9dd50f6dbca298ae7cfabc92dfadab321f29845c2c612e2ef75e7b32c257f886ffad437eb3118bf112115b76f6

C:\Users\Admin\HEModel.hem
  Filesize: 1KB
  MD5: 5d1a149f3203d84bd7a15c0f33398732
  SHA1: ffb7ce1713781e256a8318b00364c11ff8c2c245
  SHA256: 77fff2b08f004f4cb4d695063e4f08d55271a5ad93273391e9a9e47c32b7e190
  SHA512: 8ed13f99e8fde319f1369231b1886e67e7333a48dccd5a242a0e531f9efda788ea9389b41a2043886a84d61fd6c90119461840d2443478deb7c1a7a811279901

C:\Users\Admin\HEVehicle.hev
  Filesize: 114B
  MD5: cf7f9aee23075a7915cb46cc438c794b
  SHA1: 7cd29eac5c4ca59ce23ccd3a51fd53d4ed3608d4
  SHA256: fbfa926cc6ace7c9ebd9c4ec2003370e21aa2d580e624eaa262045cb034c85de
  SHA512: bcfc09ff5a0d5a5a9723f2f15104342454211810ef99f99a4094c78bfdad2f85fefbfa295a00ee0c1aeb66d6f878fa9c123e6e8ac1b109bd81040cf4541fb5c6

C:\Users\Admin\HE_Config.hec
  Filesize: 71B
  MD5: 094acb45fe35409f4f9fa34365cda714
  SHA1: afe86528e78075b38afbe92f9df4433aa5843932
  SHA256: deae8f9d469a291e3d2e0fd8606153e6d29c3560a32786043e7fe0557955195e
  SHA512: 15576071836ccef7ddf13faebb58a2e0a40468539a364f76cb9683bc913f0dbd8d9106e8b8aed2d56dcd1368981f480ec80f21954da5661be8eb89c0ae686b11
Memory dumps (path | filesize):
  memory/2776-18-0x0000000003A10000-0x0000000003A20000-memory.dmp | 64KB
  memory/3016-7-0x000000013F390000-0x000000014083E000-memory.dmp | 20.7MB
  memory/3016-10-0x000000013F390000-0x000000014083E000-memory.dmp | 20.7MB
  memory/3016-9-0x000000013F390000-0x000000014083E000-memory.dmp | 20.7MB
  memory/3016-6-0x000000013F390000-0x000000014083E000-memory.dmp | 20.7MB
  memory/3016-8-0x000000013F390000-0x000000014083E000-memory.dmp | 20.7MB
  memory/3016-5-0x000000013F390000-0x000000014083E000-memory.dmp | 20.7MB
  memory/3016-2-0x0000000077150000-0x0000000077152000-memory.dmp | 8KB
  memory/3016-4-0x000000013F390000-0x000000014083E000-memory.dmp | 20.7MB
  memory/3016-3-0x000000013F390000-0x000000014083E000-memory.dmp | 20.7MB
  memory/3016-1-0x000000013F390000-0x000000014083E000-memory.dmp | 20.7MB
  memory/3016-22-0x000000013F390000-0x000000014083E000-memory.dmp | 20.7MB
  memory/3016-23-0x000000013F390000-0x000000014083E000-memory.dmp | 20.7MB
  memory/3016-25-0x000000013F390000-0x000000014083E000-memory.dmp | 20.7MB