880c660c294b6a8cecfd83182de82154b75ae2fcd723d34bd498e05771a2efb2

General

Target

Heist Editor.exe
Size

7.7MB
MD5

2324a543219161cd967a7c62595ab445
SHA1

c5cb01869eb85be735592d20f584ce478e868624
SHA256

880c660c294b6a8cecfd83182de82154b75ae2fcd723d34bd498e05771a2efb2
SHA512

47a28ccb2285ef4eb4956e820049a2725c786a36bf9bec8e755ce414899e9540e8df1ebd5d715e2863fe2d447d701044391149b0edfe9b4c8b0316e0078a8173
SSDEEP

196608:Su0t9MU87PZx1xYeMJhM0m7vWMBu6xi6HV5n:SuEAPZFYeMJhM0m7rPk6H7

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Heist Editor.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Heist Editor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Heist Editor.exe

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2024-0-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp	themida
behavioral2/memory/2024-2-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp	themida
behavioral2/memory/2024-4-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp	themida
behavioral2/memory/2024-3-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp	themida
behavioral2/memory/2024-6-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp	themida
behavioral2/memory/2024-5-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp	themida
behavioral2/memory/2024-8-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp	themida
behavioral2/memory/2024-7-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp	themida
behavioral2/memory/2024-10-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp	themida
behavioral2/memory/2024-9-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp	themida
behavioral2/memory/2024-18-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp	themida
behavioral2/memory/2024-20-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp	themida
behavioral2/memory/2024-23-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Heist Editor.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2024	Heist Editor.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000a858bc531100557365727300640009000400efbe874f7748e258f12a2e000000c70500000000010000000000000000003a0000000000070de60055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000e258f42a100041646d696e003c0009000400efbea858bc53e258f42a2e00000076e1010000000100000000000000000000000000000016d06400410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2984	notepad.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3556	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2024	Heist Editor.exe
2024	Heist Editor.exe
3556	explorer.exe
3556	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 544	2024	Heist Editor.exe	83
PID 2024 wrote to memory of 544	2024	Heist Editor.exe	83
PID 544 wrote to memory of 1936	544	cmd.exe	85
PID 544 wrote to memory of 1936	544	cmd.exe	85
PID 2024 wrote to memory of 4740	2024	Heist Editor.exe	87
PID 2024 wrote to memory of 4740	2024	Heist Editor.exe	87
PID 4740 wrote to memory of 2984	4740	cmd.exe	89
PID 4740 wrote to memory of 2984	4740	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe
"C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c explorer/select,C:\Users\Admin\HELanguage.hel
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\explorer.exe
    explorer /select,C:\Users\Admin\HELanguage.hel
    3⤵
    PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start notepad C:\Users\Admin\HELanguage.hel
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\system32\notepad.exe
    notepad C:\Users\Admin\HELanguage.hel
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\HELanguage.hel

Filesize
10KB

MD5
e48671f08c254445aab192942dbf6059

SHA1
e349a76d4d6562e81fb1b7cd9bec0a79a2adce4f

SHA256
7c642b8a501c94cd614f1178b2d11e3d39557ae5a26bd8e17e6c2a29f7790bcc

SHA512
d33216bd275286dfb8891b374e88e9f91bcb9f9dd50f6dbca298ae7cfabc92dfadab321f29845c2c612e2ef75e7b32c257f886ffad437eb3118bf112115b76f6

Download Submit
memory/2024-5-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

Filesize
18.8MB

Download
memory/2024-7-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

Filesize
18.8MB

Download
memory/2024-4-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

Filesize
18.8MB

Download
memory/2024-3-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

Filesize
18.8MB

Download
memory/2024-6-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

Filesize
18.8MB

Download
memory/2024-0-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

Filesize
18.8MB

Download
memory/2024-8-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

Filesize
18.8MB

Download
memory/2024-2-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

Filesize
18.8MB

Download
memory/2024-10-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

Filesize
18.8MB

Download
memory/2024-9-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

Filesize
18.8MB

Download
memory/2024-1-0x00007FFD5C750000-0x00007FFD5C752000-memory.dmp

Filesize
8KB

Download
memory/2024-18-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

Filesize
18.8MB

Download
memory/2024-20-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

Filesize
18.8MB

Download
memory/2024-23-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

Filesize
18.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads