Resubmissions
02-07-2024 05:30
240702-f7gzaayakh 10
02-07-2024 05:27
240702-f5tv3axhna 9
02-07-2024 05:22
240702-f2njwa1gnq 9
Analysis
-
max time kernel
149s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
-
submitted
02-07-2024 05:22
Behavioral task
behavioral1
Sample
Heist Editor.exe
Resource
win7-20240508-en
General
-
Target
Heist Editor.exe
-
Size
7.7MB
-
MD5
2324a543219161cd967a7c62595ab445
-
SHA1
c5cb01869eb85be735592d20f584ce478e868624
-
SHA256
880c660c294b6a8cecfd83182de82154b75ae2fcd723d34bd498e05771a2efb2
-
SHA512
47a28ccb2285ef4eb4956e820049a2725c786a36bf9bec8e755ce414899e9540e8df1ebd5d715e2863fe2d447d701044391149b0edfe9b4c8b0316e0078a8173
-
SSDEEP
196608:Su0t9MU87PZx1xYeMJhM0m7vWMBu6xi6HV5n:SuEAPZFYeMJhM0m7rPk6H7
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: Heist Editor.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Heist Editor.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: Heist Editor.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Heist Editor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Heist Editor.exe
-
Processes:
resource | yara_rule
behavioral2/memory/2024-0-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp | themida
behavioral2/memory/2024-2-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp | themida
behavioral2/memory/2024-4-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp | themida
behavioral2/memory/2024-3-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp | themida
behavioral2/memory/2024-6-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp | themida
behavioral2/memory/2024-5-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp | themida
behavioral2/memory/2024-8-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp | themida
behavioral2/memory/2024-7-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp | themida
behavioral2/memory/2024-10-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp | themida
behavioral2/memory/2024-9-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp | themida
behavioral2/memory/2024-18-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp | themida
behavioral2/memory/2024-20-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp | themida
behavioral2/memory/2024-23-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp | themida
-
Processes: Heist Editor.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Heist Editor.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: Heist Editor.exe
pid | process
2024 | Heist Editor.exe
-
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe -
Modifies registry class 26 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000a858bc531100557365727300640009000400efbe874f7748e258f12a2e000000c70500000000010000000000000000003a0000000000070de60055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000e258f42a100041646d696e003c0009000400efbea858bc53e258f42a2e00000076e1010000000100000000000000000000000000000016d06400410064006d0069006e00000014000000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | explorer.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes: notepad.exe
pid | process
2984 | notepad.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: explorer.exe
pid | process
3556 | explorer.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: Heist Editor.exe, explorer.exe
pid | process
2024 | Heist Editor.exe
2024 | Heist Editor.exe
3556 | explorer.exe
3556 | explorer.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: Heist Editor.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 2024 wrote to memory of 544 | 2024 | Heist Editor.exe | cmd.exe
PID 2024 wrote to memory of 544 | 2024 | Heist Editor.exe | cmd.exe
PID 544 wrote to memory of 1936 | 544 | cmd.exe | explorer.exe
PID 544 wrote to memory of 1936 | 544 | cmd.exe | explorer.exe
PID 2024 wrote to memory of 4740 | 2024 | Heist Editor.exe | cmd.exe
PID 2024 wrote to memory of 4740 | 2024 | Heist Editor.exe | cmd.exe
PID 4740 wrote to memory of 2984 | 4740 | cmd.exe | notepad.exe
PID 4740 wrote to memory of 2984 | 4740 | cmd.exe | notepad.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2024
  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c explorer/select,C:\Users\Admin\HELanguage.hel
    - Suspicious use of WriteProcessMemory
    PID: 544
    C:\Windows\explorer.exe
      command line: explorer /select,C:\Users\Admin\HELanguage.hel
      PID: 1936
  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c start notepad C:\Users\Admin\HELanguage.hel
    - Suspicious use of WriteProcessMemory
    PID: 4740
    C:\Windows\system32\notepad.exe
      command line: notepad C:\Users\Admin\HELanguage.hel
      - Opens file in notepad (likely ransom note)
      PID: 2984
-
C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 3556
-
C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4808
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
10KB
-
MD5
e48671f08c254445aab192942dbf6059
-
SHA1
e349a76d4d6562e81fb1b7cd9bec0a79a2adce4f
-
SHA256
7c642b8a501c94cd614f1178b2d11e3d39557ae5a26bd8e17e6c2a29f7790bcc
-
SHA512
d33216bd275286dfb8891b374e88e9f91bcb9f9dd50f6dbca298ae7cfabc92dfadab321f29845c2c612e2ef75e7b32c257f886ffad437eb3118bf112115b76f6