558a9fe5d58f6457f4d9fadd412c53e29d8748d41597df7c696f1353bd5a3f3f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Heist Editor 3.6.3.1Community.exe
Size

8.4MB
MD5

e2a942481a3c1489bce0adea0bb9e8ce
SHA1

29970574fe0f8c0f4597b4cd8c4694e9d746dd00
SHA256

558a9fe5d58f6457f4d9fadd412c53e29d8748d41597df7c696f1353bd5a3f3f
SHA512

18b1ad732b80f238f77ead0cb8ceabfcb54f8b766847abc748f4d273d2f7f03a56896efcee39f1f36c52c47db1526dbef5add33db5b996bed52e74556b1216ce
SSDEEP

196608:RXdz2vbYWAsmIWCj6ckBVly956WZs80kcsn0ukU7p5:Hyv8UWTNyH6K6TsZP7p5

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Heist Editor 3.6.3.1Community.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Heist Editor 3.6.3.1Community.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Heist Editor 3.6.3.1Community.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Heist Editor 3.6.3.1Community.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Heist Editor 3.6.3.1Community.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Heist Editor 3.6.3.1Community.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Heist Editor 3.6.3.1Community.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Heist Editor 3.6.3.1Community.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Heist Editor 3.6.3.1Community.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

Heist Editor 3.6.3.1Community.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Heist Editor 3.6.3.1Community.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Heist Editor 3.6.3.1Community.exe

pid process

3512 Heist Editor 3.6.3.1Community.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Heist Editor 3.6.3.1Community.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Heist Editor 3.6.3.1Community.exe

pid	process
3512	Heist Editor 3.6.3.1Community.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe

Modifies registry class 26 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000e158b01c100041646d696e003c0009000400efbecb58c394e158b01c2e0000006ae101000000010000000000000000000000000000005c2b5900410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000cb58c3941100557365727300640009000400efbe874f7748e158ad1c2e000000c70500000000010000000000000000003a000000000014937a0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1736 notepad.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

3092 explorer.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Heist Editor 3.6.3.1Community.exeexplorer.exe

pid process

3512 Heist Editor 3.6.3.1Community.exe
3512 Heist Editor 3.6.3.1Community.exe
3092 explorer.exe
3092 explorer.exe

pid	process
1736	notepad.exe

pid	process
3092	explorer.exe

pid	process
3512	Heist Editor 3.6.3.1Community.exe
3512	Heist Editor 3.6.3.1Community.exe
3092	explorer.exe
3092	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Heist Editor 3.6.3.1Community.execmd.execmd.exe

description	pid	process	target process
PID 3512 wrote to memory of 4584	3512	Heist Editor 3.6.3.1Community.exe	cmd.exe
PID 3512 wrote to memory of 4584	3512	Heist Editor 3.6.3.1Community.exe	cmd.exe
PID 4584 wrote to memory of 2536	4584	cmd.exe	explorer.exe
PID 4584 wrote to memory of 2536	4584	cmd.exe	explorer.exe
PID 3512 wrote to memory of 3320	3512	Heist Editor 3.6.3.1Community.exe	cmd.exe
PID 3512 wrote to memory of 3320	3512	Heist Editor 3.6.3.1Community.exe	cmd.exe
PID 3320 wrote to memory of 1736	3320	cmd.exe	notepad.exe
PID 3320 wrote to memory of 1736	3320	cmd.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\Heist Editor 3.6.3.1Community.exe
"C:\Users\Admin\AppData\Local\Temp\Heist Editor 3.6.3.1Community.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer/select,C:\Users\Admin\HELanguage.hel
2⤵
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\explorer.exe
explorer /select,C:\Users\Admin\HELanguage.hel
3⤵
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start notepad C:\Users\Admin\HELanguage.hel
2⤵
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\system32\notepad.exe
notepad C:\Users\Admin\HELanguage.hel
3⤵
- Opens file in notepad (likely ransom note)
PID:1736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4136

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\HELanguage.hel
Filesize
10KB

MD5
e48671f08c254445aab192942dbf6059

SHA1
e349a76d4d6562e81fb1b7cd9bec0a79a2adce4f

SHA256
7c642b8a501c94cd614f1178b2d11e3d39557ae5a26bd8e17e6c2a29f7790bcc

SHA512
d33216bd275286dfb8891b374e88e9f91bcb9f9dd50f6dbca298ae7cfabc92dfadab321f29845c2c612e2ef75e7b32c257f886ffad437eb3118bf112115b76f6

Download Submit
memory/3512-8-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp

Filesize
20.7MB

Download
memory/3512-4-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp

Filesize
20.7MB

Download
memory/3512-3-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp

Filesize
20.7MB

Download
memory/3512-5-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp

Filesize
20.7MB

Download
memory/3512-6-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp

Filesize
20.7MB

Download
memory/3512-1-0x00007FFD098B0000-0x00007FFD098B2000-memory.dmp

Filesize
8KB

Download
memory/3512-7-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp

Filesize
20.7MB

Download
memory/3512-9-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp

Filesize
20.7MB

Download
memory/3512-10-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp

Filesize
20.7MB

Download
memory/3512-0-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp

Filesize
20.7MB

Download
memory/3512-18-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp

Filesize
20.7MB

Download
memory/3512-20-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp

Filesize
20.7MB

Download