Overview

overview

5

Static

static

3

Heist Editor.exe

windows7-x64

5

Heist Editor.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/07/2023, 14:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Heist Editor.exe

  • Size

    30.9MB

  • MD5

    d4c0321182b3ae326beb85aa1ac74388

  • SHA1

    20ffbc22836b5b5e9ac2b187abb8b17322add5c4

  • SHA256

    f8c2d4e29abfccef05e819e7f6b6fa80b447803a5d9ec914204074118f37aee1

  • SHA512

    1ee83a4fa62c2ef0b721b3a1829803425f78c2292a527adb46a96116245c49a2570e0f7866d37d7e5904400b9ec59a4cd1eafd33ce6e18783ba6c7eab3d99b5b

  • SSDEEP

    786432:+4DVfCyT8B0CiryFQgAt7X2jTiwZZPoSxi:+iVA7irBt7X2/ZZAS

Score
5/10

Malware Config

Signatures

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 26 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe
    "C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c explorer/select,C:\Users\Administrator\HELanguage.hel
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\explorer.exe
        explorer /select,C:\Users\Administrator\HELanguage.hel
        3⤵
          PID:2784
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c start notepad C:\Users\Administrator\HELanguage.hel
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3852
        • C:\Windows\system32\notepad.exe
          notepad C:\Users\Administrator\HELanguage.hel
          3⤵
          • Opens file in notepad (likely ransom note)
          PID:3060
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4360
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3064

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Administrator\HELanguage.hel
              Filesize

              7KB

              MD5

              950153c767c6300ffc42013c9ad21200

              SHA1

              fc8d5b1047830a9abeff8dae741b7efe1bc7aa8f

              SHA256

              a845f45a3332cb344d2196a1bd91ca9cc933342ff3ca5ff1b7aef45196313ad9

              SHA512

              8b3ee729eb74556f85b0e70e98e101c43cf40a0748c8cb85d4482575c5885e9ed2acc2aef3bc15e003101569cd8910e666051840a33cf681b7d49f9b04abc800

              Download Submit

            • memory/5056-133-0x00007FFD17410000-0x00007FFD17412000-memory.dmp

              Filesize

              8KB

              Download

            • memory/5056-134-0x00007FFD17420000-0x00007FFD17422000-memory.dmp

              Filesize

              8KB

              Download

            • memory/5056-135-0x00007FFD17430000-0x00007FFD17432000-memory.dmp

              Filesize

              8KB

              Download

            • memory/5056-136-0x00007FFD17440000-0x00007FFD17442000-memory.dmp

              Filesize

              8KB

              Download

            • memory/5056-137-0x00007FFD16EC0000-0x00007FFD16EC2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/5056-138-0x00007FFD16ED0000-0x00007FFD16ED2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/5056-139-0x00007FFD14C00000-0x00007FFD14C02000-memory.dmp

              Filesize

              8KB

              Download

            • memory/5056-140-0x00007FFD14C10000-0x00007FFD14C12000-memory.dmp

              Filesize

              8KB

              Download

            • memory/5056-141-0x0000000140000000-0x000000014343D000-memory.dmp

              Filesize

              52.2MB

              Download