Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 03:37
Static task: static1
Behavioral task: behavioral1
  Sample: Heist Editor 3.6.3.1Community.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: Heist Editor 3.6.3.1Community.exe
  Resource: win10v2004-20240611-en
General
- Target: Heist Editor 3.6.3.1Community.exe
- Size: 8.4MB
- MD5: e2a942481a3c1489bce0adea0bb9e8ce
- SHA1: 29970574fe0f8c0f4597b4cd8c4694e9d746dd00
- SHA256: 558a9fe5d58f6457f4d9fadd412c53e29d8748d41597df7c696f1353bd5a3f3f
- SHA512: 18b1ad732b80f238f77ead0cb8ceabfcb54f8b766847abc748f4d273d2f7f03a56896efcee39f1f36c52c47db1526dbef5add33db5b996bed52e74556b1216ce
- SSDEEP: 196608:RXdz2vbYWAsmIWCj6ckBVly956WZs80kcsn0ukU7p5:Hyv8UWTNyH6K6TsZP7p5
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: Heist Editor 3.6.3.1Community.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Heist Editor 3.6.3.1Community.exe
- Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: Heist Editor 3.6.3.1Community.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Heist Editor 3.6.3.1Community.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Heist Editor 3.6.3.1Community.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Heist Editor 3.6.3.1Community.exe
- Checks whether UAC is enabled 1 IoCs
Processes: Heist Editor 3.6.3.1Community.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Heist Editor 3.6.3.1Community.exe
- Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: Heist Editor 3.6.3.1Community.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | Heist Editor 3.6.3.1Community.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: Heist Editor 3.6.3.1Community.exe
pid | process
3512 | Heist Editor 3.6.3.1Community.exe
- Modifies Internet Explorer settings 4 IoCs
Processes: explorer.exe
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | explorer.exe
- Modifies registry class 26 IoCs
Processes: explorer.exe
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000e158b01c100041646d696e003c0009000400efbecb58c394e158b01c2e0000006ae101000000010000000000000000000000000000005c2b5900410064006d0069006e00000014000000 | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000cb58c3941100557365727300640009000400efbe874f7748e158ad1c2e000000c70500000000010000000000000000003a000000000014937a0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
- Opens file in notepad (likely ransom note) 1 IoCs
Processes: notepad.exe
pid | process
1736 | notepad.exe
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: explorer.exe
pid | process
3092 | explorer.exe
- Suspicious use of SetWindowsHookEx 4 IoCs
Processes: Heist Editor 3.6.3.1Community.exe, explorer.exe
pid | process
3512 | Heist Editor 3.6.3.1Community.exe
3512 | Heist Editor 3.6.3.1Community.exe
3092 | explorer.exe
3092 | explorer.exe
- Suspicious use of WriteProcessMemory 8 IoCs
Processes: Heist Editor 3.6.3.1Community.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 3512 wrote to memory of 4584 | 3512 | Heist Editor 3.6.3.1Community.exe | cmd.exe
PID 3512 wrote to memory of 4584 | 3512 | Heist Editor 3.6.3.1Community.exe | cmd.exe
PID 4584 wrote to memory of 2536 | 4584 | cmd.exe | explorer.exe
PID 4584 wrote to memory of 2536 | 4584 | cmd.exe | explorer.exe
PID 3512 wrote to memory of 3320 | 3512 | Heist Editor 3.6.3.1Community.exe | cmd.exe
PID 3512 wrote to memory of 3320 | 3512 | Heist Editor 3.6.3.1Community.exe | cmd.exe
PID 3320 wrote to memory of 1736 | 3320 | cmd.exe | notepad.exe
PID 3320 wrote to memory of 1736 | 3320 | cmd.exe | notepad.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Heist Editor 3.6.3.1Community.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Heist Editor 3.6.3.1Community.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c explorer/select,C:\Users\Admin\HELanguage.hel
    - Suspicious use of WriteProcessMemory
    - C:\Windows\explorer.exe
      Command line: explorer /select,C:\Users\Admin\HELanguage.hel
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c start notepad C:\Users\Admin\HELanguage.hel
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\notepad.exe
      Command line: notepad C:\Users\Admin\HELanguage.hel
      - Opens file in notepad (likely ransom note)
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\HELanguage.hel
  Filesize: 10KB
  MD5: e48671f08c254445aab192942dbf6059
  SHA1: e349a76d4d6562e81fb1b7cd9bec0a79a2adce4f
  SHA256: 7c642b8a501c94cd614f1178b2d11e3d39557ae5a26bd8e17e6c2a29f7790bcc
  SHA512: d33216bd275286dfb8891b374e88e9f91bcb9f9dd50f6dbca298ae7cfabc92dfadab321f29845c2c612e2ef75e7b32c257f886ffad437eb3118bf112115b76f6
- memory/3512-8-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp, Filesize: 20.7MB
- memory/3512-4-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp, Filesize: 20.7MB
- memory/3512-3-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp, Filesize: 20.7MB
- memory/3512-5-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp, Filesize: 20.7MB
- memory/3512-6-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp, Filesize: 20.7MB
- memory/3512-1-0x00007FFD098B0000-0x00007FFD098B2000-memory.dmp, Filesize: 8KB
- memory/3512-7-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp, Filesize: 20.7MB
- memory/3512-9-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp, Filesize: 20.7MB
- memory/3512-10-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp, Filesize: 20.7MB
- memory/3512-0-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp, Filesize: 20.7MB
- memory/3512-18-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp, Filesize: 20.7MB
- memory/3512-20-0x00007FF7C6F40000-0x00007FF7C83EE000-memory.dmp, Filesize: 20.7MB