54f29199668203efad1380bf8738babdd80a799cc6ffb1f0bf91356d2c438b0a

General

Target

Heist Editor 3.5.13.exe
Size

7.1MB
MD5

4dcde5b6931c088925eff336f3f768b2
SHA1

7a76a901089d9e72b82c9b305d076d8b93ae9576
SHA256

54f29199668203efad1380bf8738babdd80a799cc6ffb1f0bf91356d2c438b0a
SHA512

a75e4b6847514166f41df7b5013c0f17c6fa943aa5426105b974d0a2ade6f1965bf2f60c9f4123b96b3b224edbfb2f184974a29cc0306cf96f08debc825ef20b
SSDEEP

98304:UKBDeQ1Uk09IWIiFFIChrp7aG5yu/n1OVjv/nUBPHSFjQsBK9dpDHKBC9VPGRVvj:UMl1WFIClp735y2nIJMYp72NH39C

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Heist Editor 3.5.13.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Heist Editor 3.5.13.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Heist Editor 3.5.13.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Heist Editor 3.5.13.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Heist Editor 3.5.13.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Heist Editor 3.5.13.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2468	Heist Editor 3.5.13.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 25 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 740031000000000009598ab61100557365727300600008000400efbeee3a851a09598ab62a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 600031000000000009598bb6100041444d494e497e310000480008000400efbe09598ab609598bb62a000000088f010000002a000000000000000000000000000000410064006d0069006e006900730074007200610074006f007200000018000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2788	notepad.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2468	Heist Editor 3.5.13.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2468	Heist Editor 3.5.13.exe
2468	Heist Editor 3.5.13.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2460	2468	Heist Editor 3.5.13.exe	29
PID 2468 wrote to memory of 2460	2468	Heist Editor 3.5.13.exe	29
PID 2468 wrote to memory of 2460	2468	Heist Editor 3.5.13.exe	29
PID 2460 wrote to memory of 2732	2460	cmd.exe	31
PID 2460 wrote to memory of 2732	2460	cmd.exe	31
PID 2460 wrote to memory of 2732	2460	cmd.exe	31
PID 2468 wrote to memory of 2188	2468	Heist Editor 3.5.13.exe	33
PID 2468 wrote to memory of 2188	2468	Heist Editor 3.5.13.exe	33
PID 2468 wrote to memory of 2188	2468	Heist Editor 3.5.13.exe	33
PID 2188 wrote to memory of 2788	2188	cmd.exe	35
PID 2188 wrote to memory of 2788	2188	cmd.exe	35
PID 2188 wrote to memory of 2788	2188	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\Heist Editor 3.5.13.exe
"C:\Users\Admin\AppData\Local\Temp\Heist Editor 3.5.13.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c explorer/select,C:\Users\Administrator\HELanguage.hel
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\explorer.exe
    explorer /select,C:\Users\Administrator\HELanguage.hel
    3⤵
    PID:2732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start notepad C:\Users\Administrator\HELanguage.hel
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\system32\notepad.exe
    notepad C:\Users\Administrator\HELanguage.hel
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2788

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Administrator\HELanguage.hel

Filesize
8KB

MD5
3d61a855c9470a5dbeb389e5de59b18a

SHA1
1a5548ebd0a0c1e96f99944f1a7c8b461758a01f

SHA256
52bdb239f94072a7d8eccdd9ca6f151770f7ac6a64d035a8dbeaa7f5ad8ed07f

SHA512
410352cc598d12b15bfd27404b1f1016d18e4c8e455fdc4091fe6053d24a8bdab9609d7089aef7cea395a2a887e594302b4e0caf9c4693a1afd2b1a9068e22b1

Download Submit
C:\Users\Administrator\HE_Config.hec

Filesize
71B

MD5
2f0f98115f17f2869c1f59ba804af077

SHA1
ae9c81906afe9cc485d6808c62a7e2fd227ac6c6

SHA256
0805dcdc42ca47abdc3d8fe11f8e0c7a108602022f71ab349648cfdd30a75aa6

SHA512
e1403027c2f55d2dc4972b35b16e9401d0a9b5e055839e650b242fb12051051f72ef760214bf436ba9dd2b0d67daa2d55a783e782717d53966465b8c291acbfc

Download Submit
memory/2468-6-0x000000013F340000-0x0000000140494000-memory.dmp

Filesize
17.3MB

Download
memory/2468-4-0x000000013F340000-0x0000000140494000-memory.dmp

Filesize
17.3MB

Download
memory/2468-5-0x000000013F340000-0x0000000140494000-memory.dmp

Filesize
17.3MB

Download
memory/2468-7-0x000000013F340000-0x0000000140494000-memory.dmp

Filesize
17.3MB

Download
memory/2468-0-0x000000013F340000-0x0000000140494000-memory.dmp

Filesize
17.3MB

Download
memory/2468-8-0x000000013F340000-0x0000000140494000-memory.dmp

Filesize
17.3MB

Download
memory/2468-10-0x000000013F340000-0x0000000140494000-memory.dmp

Filesize
17.3MB

Download
memory/2468-9-0x000000013F340000-0x0000000140494000-memory.dmp

Filesize
17.3MB

Download
memory/2468-3-0x000000013F340000-0x0000000140494000-memory.dmp

Filesize
17.3MB

Download
memory/2468-1-0x0000000077080000-0x0000000077082000-memory.dmp

Filesize
8KB

Download
memory/2468-18-0x000000013F340000-0x0000000140494000-memory.dmp

Filesize
17.3MB

Download
memory/2468-19-0x000000013F340000-0x0000000140494000-memory.dmp

Filesize
17.3MB

Download
memory/2884-16-0x0000000003A00000-0x0000000003A10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads