File name:	heisenberg.exe
Full analysis:	https://app.any.run/tasks/8738ec19-4a5a-42b5-beda-c0240814719b
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Troldesh is ransomware — a malware that demands a payment in order to unlock encrypted files. It is also can search and steal information from the banking programs if such are found on the infected machine. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	August 25, 2024, 14:58:07
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	smb evasion pastebin xor-url mpress generic xworm remote ransomware upx troldesh shade derialock
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	02CB6D1971FB53861285F273D799CED3
SHA1:	16946DB5C16D768C0D76FAB6761C65358863FC59
SHA256:	996DE893CE9219A90FA76BEAB00295734913B55A6B85DD9C227175CF4CC93E3E
SSDEEP:	393216:oX6p5vshW6vD2CmG+pFuoM6oozwdeEEIbGHhTfwxkCE3:oUhG2CmTuh8jEEIi8kB3

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2024:05:12 10:17:07+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.33
CodeSize:	288768
InitializedDataSize:	136704
UninitializedDataSize:	-
EntryPoint:	0x32ee0
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI


(PID) Process:	(1288) heisenberg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1288) heisenberg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1288) heisenberg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1288) heisenberg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6468) ColorBug.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	~~CB
Value: cb.exe
(PID) Process:	(6572) Cool Spot Deskmate.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Screen Babe Design
Operation:	write	Name:	DeleteList
Value:
(PID) Process:	(6572) Cool Spot Deskmate.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Screen Babe Design
Operation:	write	Name:	DeleteFolder
Value:
(PID) Process:	(6480) Antivirus.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\AnVi
Operation:	write	Name:	Settings_0
Value: 1
(PID) Process:	(6480) Antivirus.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	Use FormSuggest
Value: Yes
(PID) Process:	(6480) Antivirus.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Operation:	write	Name:	1601
Value: 0

PID	Process	Filename		Type
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\Prank2.vbs		text
		MD5:D543DBB26E4F1A0B5C0170D7BED43F1A	SHA256:B3DB3B6D326F1C98B5EA1C8F7BBAA4F65163F6167478348382B8FA272E72326E
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\Petya.exe		executable
		MD5:A92F13F3A1B3B39833D3CC336301B713	SHA256:4C1DC737915D76B7CE579ABDDABA74EAD6FDB5B519A1EA45308B8C49B950655C
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\PizDeath.exe		executable
		MD5:01B227AEC8F15CFAA65F03494F2FA7EB	SHA256:A15C2AEEF67607AAC6F960AF5AA7285D35D67DA06146AF02308BA6CC280E4D32
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\Petya.A.exe		executable
		MD5:AF2379CC4D607A45AC44D62135FB7015	SHA256:26B4699A7B9EEB16E76305D843D4AB05E94D43F3201436927E13B3EBAFA90739
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\Prank4.vbs		text
		MD5:507A5522C34525DB4C7F491AE8108239	SHA256:3427CEED0CA73C5492AE67691F611CAA5B08A89BD29EE067AD7C22AAAAE1A0AC
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\Prank.vbs		text
		MD5:AE6CCAC3FB001BBEE932D56094F4F1DB	SHA256:CB6EC854E7800BC56DBFFF53A5F79993072EA7D15689D41D3CCD6077817D5210
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\Porno DDOS.bat		text
		MD5:245A8EF029B610E7BB3F3A03AC50B263	SHA256:4968842207F0EFE0CDC83A2EE14C5D1742B446B57769A83701FB100DCD666E70
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\Windows-KB2670838.msu.exe		executable
		MD5:6E49C75F701AA059FA6ED5859650B910	SHA256:F91F02FD27ADA64F36F6DF59A611FEF106FF7734833DEA825D0612E73BDFB621
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\stopantivirus.bat		text
		MD5:31F028E35C7558A1EC0EA3A32227DB45	SHA256:68FEB2C42355F24B14B0A93F927C4A830202D2511923D7253EAA590B8D6A4C01
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\PowerPoint.exe		executable
		MD5:70108103A53123201CEB2E921FCFE83C	SHA256:9C3F8DF80193C085912C9950C58051AE77C321975784CC069CEACD4F57D5861D

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	—	168.156.42.60:80	http://168.156.42.60:80/ask?t=4&u=3&a=20&m=29fa4b95&h=0	unknown	—	—	unknown
—	—	GET	—	168.156.42.60:80	http://168.156.42.60:80/ask?t=4&u=3&a=0&m=29fa4b95&h=0	unknown	—	—	unknown
4704	Telegram.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	shared
6480	Antivirus.exe	GET	404	104.245.107.49:80	http://searchdusty.com/avt/avt_db	unknown	—	—	whitelisted
7096	DeriaLock.exe	GET	403	162.55.0.137:80	http://arizonacode.bplaced.net/HF/SystemLocker/UNLOCKKEYS/LOGON.exe	unknown	—	—	whitelisted
6480	Antivirus.exe	GET	404	104.245.107.49:80	http://searchdusty.com/avt/avt.dat	unknown	—	—	whitelisted
6480	Antivirus.exe	GET	404	104.245.107.49:80	http://searchdusty.com/avt/avtr.dat	unknown	—	—	whitelisted
—	—	GET	401	13.107.6.158:443	https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox	unknown	—	—	—
—	—	OPTIONS	200	23.32.238.91:443	https://bzib.nelreports.net/api/report?cat=bingbusiness	unknown	—	—	—
7096	DeriaLock.exe	GET	403	162.55.0.137:80	http://arizonacode.bplaced.net/HF/SystemLocker/unlock-everybody.txt	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	168.156.42.60:80	—	WA-K20	US	unknown
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	192.168.100.2:445	—	—	—	whitelisted
—	—	168.156.42.60:445	—	WA-K20	US	unknown
6360	rundll32.exe	192.168.100.2:80	—	—	—	whitelisted
4704	Telegram.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	unknown
4	System	192.168.100.2:445	—	—	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.185.206	whitelisted
www.vikingwebscanner.com	—	malicious
ip-api.com	208.95.112.1	shared
frequentwin.com	—	unknown
fastsofgeld.com	—	unknown
highway-traffic.com	—	unknown
searchdusty.com	104.245.107.49	whitelisted
arizonacode.bplaced.net	162.55.0.137	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	POLICY [ANY.RUN] Attempt to connect to an external SMB server
2256	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2256	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
4704	Telegram.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
4704	Telegram.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
6480	Antivirus.exe	Potentially Bad Traffic	ET USER_AGENTS User-Agent (Internet Explorer)
6480	Antivirus.exe	Potentially Bad Traffic	ET USER_AGENTS User-Agent (Internet Explorer)
6480	Antivirus.exe	Potentially Bad Traffic	ET USER_AGENTS User-Agent (Internet Explorer)
2256	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Online Pastebin Text Storage
7096	DeriaLock.exe	Misc activity	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1

General Info

heisenberg.exe

02CB6D1971FB53861285F273D799CED3

16946DB5C16D768C0D76FAB6761C65358863FC59

996DE893CE9219A90FA76BEAB00295734913B55A6B85DD9C227175CF4CC93E3E

393216:oX6p5vshW6vD2CmG+pFuoM6oozwdeEEIbGHhTfwxkCE3:oUhG2CmTuh8jEEIi8kB3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

Troldesh is detected

Create files in the Startup directory

UAC/LUA settings modification

Registers / Runs the DLL via REGSVR32.EXE

XORed URL has been found (YARA)

XWORM has been detected (SURICATA)

Connects to the CnC server

DERIALOCK has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads the date of Windows installation

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Drops the executable file immediately after the start

Executing commands from a ".bat" file

Changes internet zones settings

Starts CMD.EXE for commands execution

Application launched itself

Uses TASKKILL.EXE to kill process

Starts a Microsoft application from unusual location

The system shut down or reboot

The process executes VB scripts

Starts application with an unusual extension

Uses REG/REGEDIT.EXE to modify registry

Creates a software uninstall entry

The process creates files with name similar to system file names

Creates file in the systems drive root

The executable file from the user directory is run by the CMD process

Uses WEVTUTIL.EXE to cleanup log

Creates/Modifies COM task schedule object

The process executes via Task Scheduler

Checks for external IP

Contacting a server suspected of hosting an CnC

Connects to unusual port

INFO

Reads the computer name

Checks supported languages

Create files in a temporary directory

Process checks computer location settings

Dropped object may contain TOR URL's

Reads the machine GUID from the registry

Checks proxy server information

Creates files or folders in the user directory

Reads Microsoft Office registry keys

Reads Environment values

Changes the display of characters in the console

Disables trace logs

Application launched itself

Reads CPU info

Creates files in the program directory

Process checks whether UAC notifications are on

Reads the software policy settings

Mpress packer has been detected

UPX packer has been detected

Malware configuration

xor-url

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information