File name:	heisenberg.exe
Full analysis:	https://app.any.run/tasks/8738ec19-4a5a-42b5-beda-c0240814719b
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Troldesh is ransomware — a malware that demands a payment in order to unlock encrypted files. It is also can search and steal information from the banking programs if such are found on the infected machine. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	August 25, 2024, 14:58:07
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	smb evasion pastebin xor-url mpress generic xworm remote ransomware upx troldesh shade derialock
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	02CB6D1971FB53861285F273D799CED3
SHA1:	16946DB5C16D768C0D76FAB6761C65358863FC59
SHA256:	996DE893CE9219A90FA76BEAB00295734913B55A6B85DD9C227175CF4CC93E3E
SSDEEP:	393216:oX6p5vshW6vD2CmG+pFuoM6oozwdeEEIbGHhTfwxkCE3:oUhG2CmTuh8jEEIi8kB3

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2024:05:12 10:17:07+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.33
CodeSize:	288768
InitializedDataSize:	136704
UninitializedDataSize:	-
EntryPoint:	0x32ee0
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI


(PID) Process:	(1288) heisenberg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1288) heisenberg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1288) heisenberg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1288) heisenberg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6468) ColorBug.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	~~CB
Value: cb.exe
(PID) Process:	(6572) Cool Spot Deskmate.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Screen Babe Design
Operation:	write	Name:	DeleteList
Value:
(PID) Process:	(6572) Cool Spot Deskmate.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Screen Babe Design
Operation:	write	Name:	DeleteFolder
Value:
(PID) Process:	(6480) Antivirus.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\AnVi
Operation:	write	Name:	Settings_0
Value: 1
(PID) Process:	(6480) Antivirus.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	Use FormSuggest
Value: Yes
(PID) Process:	(6480) Antivirus.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Operation:	write	Name:	1601
Value: 0

PID	Process	Filename		Type
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\Petya.A.exe		executable
		MD5:AF2379CC4D607A45AC44D62135FB7015	SHA256:26B4699A7B9EEB16E76305D843D4AB05E94D43F3201436927E13B3EBAFA90739
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\Prank3.vbs		text
		MD5:B7D4E96408D1C870570BC7C4A35387DC	SHA256:A50E401E8059FE456A0FB975F88258C8EBD2B73905657300808BB5BCEE3EC782
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\Trololo.exe		executable
		MD5:B6D61B516D41E209B207B41D91E3B90D	SHA256:3D0EFD55BDE5FB7A73817940BAC2A901D934B496738B7C5CAB7EA0F6228E28FE
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\stopantivirus.bat		text
		MD5:31F028E35C7558A1EC0EA3A32227DB45	SHA256:68FEB2C42355F24B14B0A93F927C4A830202D2511923D7253EAA590B8D6A4C01
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\WannaCrypt0r.exe		executable
		MD5:84C82835A5D21BBCF75A61706D8AB549	SHA256:ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\scream.exe		executable
		MD5:EE4566A61663F1A2C25B3AF887A364C9	SHA256:5BC63DD48046CE906CA6F08A60919F48E7D1814690F0E1FFB2654334D119DC7E
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\You_Are_An_Idiot.exe		executable
		MD5:0CFEB0915EDBDF1A298794C1669EC632	SHA256:E90065AB6F60A1A49EA185538D6E32A6269574C96851FCB8A001A7C8A23F3084
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\PowerPoint.exe		executable
		MD5:70108103A53123201CEB2E921FCFE83C	SHA256:9C3F8DF80193C085912C9950C58051AE77C321975784CC069CEACD4F57D5861D
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\Windows-KB2670838.msu.exe		executable
		MD5:6E49C75F701AA059FA6ED5859650B910	SHA256:F91F02FD27ADA64F36F6DF59A611FEF106FF7734833DEA825D0612E73BDFB621
1288	heisenberg.exe	C:\Users\admin\AppData\Local\Temp\Antivirus.exe		executable
		MD5:C7E9746B1B039B8BD1106BCA3038C38F	SHA256:B1369BD254D96F7966047AD4BE06103830136629590182D49E5CB8680529EBD4

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	—	168.156.42.60:80	http://168.156.42.60:80/ask?t=4&u=3&a=20&m=29fa4b95&h=0	unknown	—	—	unknown
—	—	GET	—	168.156.42.60:80	http://168.156.42.60:80/ask?t=4&u=3&a=0&m=29fa4b95&h=0	unknown	—	—	unknown
6480	Antivirus.exe	GET	404	104.245.107.49:80	http://searchdusty.com/avt/avtr.dat	unknown	—	—	whitelisted
—	—	GET	401	13.107.6.158:443	https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox	unknown	—	—	unknown
—	—	OPTIONS	200	23.32.238.91:443	https://bzib.nelreports.net/api/report?cat=bingbusiness	unknown	—	—	unknown
12192	DeriaLock.exe	GET	403	162.55.0.137:80	http://arizonacode.bplaced.net/HF/SystemLocker/UNLOCKKEYS/LOGON.exe	unknown	—	—	whitelisted
7096	DeriaLock.exe	GET	403	162.55.0.137:80	http://arizonacode.bplaced.net/HF/SystemLocker/unlock-everybody.txt	unknown	—	—	whitelisted
7096	DeriaLock.exe	GET	403	162.55.0.137:80	http://arizonacode.bplaced.net/HF/SystemLocker/unlock-everybody.txt	unknown	—	—	whitelisted
4704	Telegram.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	shared
6480	Antivirus.exe	GET	404	104.245.107.49:80	http://searchdusty.com/avt/avt.dat	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	168.156.42.60:80	—	WA-K20	US	unknown
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	192.168.100.2:445	—	—	—	whitelisted
—	—	168.156.42.60:445	—	WA-K20	US	unknown
6360	rundll32.exe	192.168.100.2:80	—	—	—	whitelisted
4704	Telegram.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	unknown
4	System	192.168.100.2:445	—	—	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.185.206	whitelisted
www.vikingwebscanner.com	—	malicious
ip-api.com	208.95.112.1	shared
frequentwin.com	—	unknown
fastsofgeld.com	—	unknown
highway-traffic.com	—	unknown
searchdusty.com	104.245.107.49	whitelisted
arizonacode.bplaced.net	162.55.0.137	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	POLICY [ANY.RUN] Attempt to connect to an external SMB server
2256	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2256	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
4704	Telegram.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
4704	Telegram.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
6480	Antivirus.exe	Potentially Bad Traffic	ET USER_AGENTS User-Agent (Internet Explorer)
6480	Antivirus.exe	Potentially Bad Traffic	ET USER_AGENTS User-Agent (Internet Explorer)
6480	Antivirus.exe	Potentially Bad Traffic	ET USER_AGENTS User-Agent (Internet Explorer)
2256	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Online Pastebin Text Storage
7096	DeriaLock.exe	Misc activity	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1

General Info

heisenberg.exe

02CB6D1971FB53861285F273D799CED3

16946DB5C16D768C0D76FAB6761C65358863FC59

996DE893CE9219A90FA76BEAB00295734913B55A6B85DD9C227175CF4CC93E3E

393216:oX6p5vshW6vD2CmG+pFuoM6oozwdeEEIbGHhTfwxkCE3:oUhG2CmTuh8jEEIi8kB3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

Create files in the Startup directory

UAC/LUA settings modification

XORed URL has been found (YARA)

Registers / Runs the DLL via REGSVR32.EXE

XWORM has been detected (SURICATA)

Connects to the CnC server

DERIALOCK has been detected (SURICATA)

Troldesh is detected

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

Drops the executable file immediately after the start

Reads the date of Windows installation

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Changes internet zones settings

Application launched itself

Starts a Microsoft application from unusual location

The system shut down or reboot

Uses TASKKILL.EXE to kill process

The process executes VB scripts

Starts application with an unusual extension

Uses REG/REGEDIT.EXE to modify registry

Creates a software uninstall entry

The process creates files with name similar to system file names

Creates file in the systems drive root

The executable file from the user directory is run by the CMD process

Creates/Modifies COM task schedule object

Uses WEVTUTIL.EXE to cleanup log

The process executes via Task Scheduler

Checks for external IP

Contacting a server suspected of hosting an CnC

Connects to unusual port

INFO

Process checks computer location settings

Checks supported languages

Reads the computer name

Create files in a temporary directory

Reads the machine GUID from the registry

Checks proxy server information

Creates files or folders in the user directory

Dropped object may contain TOR URL's

Reads Microsoft Office registry keys

Reads Environment values

Changes the display of characters in the console

Disables trace logs

Application launched itself

Reads CPU info

Creates files in the program directory

Process checks whether UAC notifications are on

Reads the software policy settings

Mpress packer has been detected

UPX packer has been detected

Malware configuration

xor-url

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information