heh[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

heh.exe
Size

7.0MB
MD5

f254bc9699443c9ad4a480a469107dc9
SHA1

ba452dda654cc827b3ca562036a32b3dfae28a46
SHA256

4df640d97299cfa710b92313f66c08297e02f25cc3be51e6c7bbeb7d20e950b7
SHA512

b93d7b92bf976fa8fd6f3372172bfd4ab9b579fc2025fa1ccebff344b3494c658cd0bdf7395f86eefd65941141d7c3ecbbaa9eaf00053834647e260eb9f569e3
SSDEEP

49152:QYzpt0U37BtDOY6HIPS90LKcQFW62uqhl9/7+/BOVOKQFVUYgbRQaYHetlw/6b19:jLuKiCoTtnhAgwo7KzvBz

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
heh.exe

Files

heh.exe
.exe windows x64

07330fc83ef1a8c8b4ca7b885636b9fb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntdll

RtlGetVersion
NtQuerySystemInformation
NtQueryInformationProcess
NtDeviceIoControlFile
RtlNtStatusToDosError
NtCancelIoFileEx
NtCreateFile
RtlVirtualUnwind
RtlLookupFunctionEntry
NtWriteFile
RtlCaptureContext

psapi

GetModuleFileNameExW
GetPerformanceInfo

powrprof

CallNtPowerInformation

advapi32

CopySid
LookupAccountSidW
GetLengthSid
IsValidSid
RegOpenKeyExW
SystemFunction036
GetTokenInformation
OpenProcessToken
RegCloseKey
RegQueryValueExW

iphlpapi

FreeMibTable
GetIfTable2
GetIfEntry2
GetAdaptersAddresses

kernel32

MultiByteToWideChar
WriteConsoleW
CreateThread
IsProcessorFeaturePresent
TlsSetValue
GetSystemTimeAsFileTime
GetCurrentThreadId
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsGetValue
GetTickCount64
GlobalMemoryStatusEx
GetComputerNameExW
CloseHandle
GetLastError
LocalFree
GetCurrentProcessId
OpenProcess
GetProcessHeap
HeapAlloc
HeapFree
GetProcessTimes
VirtualQueryEx
ReadProcessMemory
GetSystemTimes
GetProcessIoCounters
GetSystemInfo
GetDiskFreeSpaceExW
CreateFileW
GetLogicalDrives
GetDriveTypeW
GetVolumeInformationW
DeviceIoControl
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
SleepConditionVariableSRW
TryAcquireSRWLockExclusive
GetDiskFreeSpaceA
GetVersionExA
K32EnumProcesses
AcquireSRWLockShared
ReleaseSRWLockShared
GetCurrentProcess
SetHandleInformation
CreateIoCompletionPort
GetQueuedCompletionStatusEx
PostQueuedCompletionStatus
SetFileCompletionNotificationModes
Sleep
GetModuleHandleA
GetProcAddress
ReleaseMutex
AddVectoredExceptionHandler
SetThreadStackGuarantee
SwitchToThread
GetCurrentThread
SetLastError
GetCurrentDirectoryW
GetEnvironmentVariableW
GetStdHandle
WaitForSingleObject
TerminateProcess
WakeAllConditionVariable
WakeConditionVariable
QueryPerformanceCounter
QueryPerformanceFrequency
HeapReAlloc
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
GetFinalPathNameByHandleW
GetConsoleMode
GetModuleHandleW
FormatMessageW
GetFullPathNameW

netapi32

NetUserGetLocalGroups
NetUserEnum
NetUserGetInfo
NetApiBufferFree

ole32

CoCreateInstance
CoInitializeSecurity
CoInitializeEx
CoSetProxyBlanket
CoUninitialize

oleaut32

SysFreeString
VariantClear
SysAllocString

pdh

PdhGetFormattedCounterValue
PdhOpenQueryA
PdhCloseQuery
PdhRemoveCounter
PdhAddEnglishCounterW
PdhCollectQueryData

secur32

QueryContextAttributesW
InitializeSecurityContextW
AcceptSecurityContext
LsaGetLogonSessionData
LsaEnumerateLogonSessions
LsaFreeReturnBuffer
DecryptMessage
EncryptMessage
ApplyControlToken
DeleteSecurityContext
FreeCredentialsHandle
AcquireCredentialsHandleA
FreeContextBuffer

shell32

CommandLineToArgvW

ws2_32

ioctlsocket
WSAGetLastError
WSACleanup
freeaddrinfo
getaddrinfo
setsockopt
WSAStartup
closesocket
WSASocketW
bind
connect
getsockname
getpeername
shutdown
recv
send
WSASend
WSAIoctl
getsockopt

crypt32

CertDuplicateStore
CertEnumCertificatesInStore
CertDuplicateCertificateChain
CertAddCertificateContextToStore
CertDuplicateCertificateContext
CertOpenStore
CertCloseStore
CertFreeCertificateContext
CertVerifyCertificateChainPolicy
CertGetCertificateChain
CertFreeCertificateChain

bcrypt

BCryptGenRandom

vcruntime140

__C_specific_handler
__current_exception
__current_exception_context
_CxxThrowException
__CxxFrameHandler3
memcpy
memset
memmove
memcmp

api-ms-win-crt-string-l1-1-0

wcslen
strncpy

api-ms-win-crt-heap-l1-1-0

_set_new_mode
free
malloc

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf
_set_fmode
__p__commode

api-ms-win-crt-math-l1-1-0

__setusermatherr
pow

api-ms-win-crt-runtime-l1-1-0

_initialize_onexit_table
_configure_narrow_argv
__p___argc
_set_app_type
_seh_filter_exe
_get_initial_narrow_environment
_register_thread_local_exe_atexit_callback
_c_exit
_cexit
_initialize_narrow_environment
__p___argv
terminate
_crt_atexit
_register_onexit_function
_initterm_e
exit
_exit
_initterm

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 5.0MB - Virtual size: 5.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 392KB - Virtual size: 392KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

07330fc83ef1a8c8b4ca7b885636b9fb

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

psapi

powrprof

advapi32

iphlpapi

kernel32

netapi32

ole32

oleaut32

pdh

secur32

shell32

ws2_32

crypt32

bcrypt

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 5.0MB - Virtual size: 5.0MB

.rdata Size: 1.6MB - Virtual size: 1.6MB

.data Size: 12KB - Virtual size: 14KB

.pdata Size: 392KB - Virtual size: 392KB

.reloc Size: 28KB - Virtual size: 27KB

.text
Size: 5.0MB - Virtual size: 5.0MB

.rdata
Size: 1.6MB - Virtual size: 1.6MB

.data
Size: 12KB - Virtual size: 14KB

.pdata
Size: 392KB - Virtual size: 392KB

.reloc
Size: 28KB - Virtual size: 27KB