Overview

overview

10

Static

static

10

sheet rat ...er.exe

windows10-2004-x64

7

Resubmissions

Analysis

  • max time kernel
    299s
  • max time network
    204s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-06-2024 18:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sheet rat v2.6/Server.exe

  • Size

    1.3MB

  • MD5

    dd6667db55acaefa2d7e99dcf5d97a26

  • SHA1

    c1b281ef573df4da584294c61b5322edfed589ad

  • SHA256

    ce8fd5ec0b2ee4e5d87d35622eeaa022ee971801c97bcb3726ca6ebe4b576238

  • SHA512

    916c8b63400c0a8e495fc59d8e348499a6f04421e79599803c7ac4cd828c82f389bfd733471de27cc1643c03723429f8544446d9adc69082e6a5032139a1f1f1

  • SSDEEP

    24576:RIVMEFyWLoQJV+fLmomlEkmmsEnE7E7E7EUmemmmmmmIDmeIjwnaKk:RWMEMWlVILmomSkmmtEQQQUmemmmmmm7

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1524
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5104
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4992
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SDRSVC
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1440

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x86\System.Data.SQLite.DLL
      Filesize

      1.3MB

      MD5

      14393eb908e072fa3164597414bb0a75

      SHA1

      5e04e084ec44a0b29196d0c21213201240f11ba0

      SHA256

      59b9d95ae42e35525fc63f93168fe304409463ee070a3cf21a427a2833564b80

      SHA512

      f5fc3d9e98cca1fbbbe026707086a71f801016348d2355541d630879ad51a850f49eb4a5f7a94e12a844d7a7108d69fa6d762ee19f4805d6aafef16259b4330b

      Download Submit
    • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_021lj33rcddyjphptsucz0cmlfgti4gg\1.0.0.0\lt0pgh22.newcfg
      Filesize

      561B

      MD5

      2e8ab7cdc2081c09a98f6c5593909409

      SHA1

      282769c943f8ab0429315869466d042a99de95f4

      SHA256

      17eee8708a1bbc35422e6ad9b6eff3bec4f8a8b8a87cce8e6cc0da2d94c9b3ae

      SHA512

      b815e0deaea5348d5ec68cdba3e4b5018e6224299f170859181f90961831b7d14deda144b32d64b11f8da7f4cbdb0b86a8d253b0ee179df68baac274a363ef2a

      Download Submit
    • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_021lj33rcddyjphptsucz0cmlfgti4gg\1.0.0.0\user.config
      Filesize

      311B

      MD5

      a35bc67d130a4fb76c2c2831cbdddd55

      SHA1

      66502423bba03870522e50608212b6ee27ebf4c5

      SHA256

      e94a97e512fbc8ed9f5691d921fdeddbff4cc16b024c5335adf66bff3a7a8192

      SHA512

      4401b234d7914afa860e356be1667cc5f44402255f7cc6cc3d8df80883167f6b55463e62156df57be697ee501897fac61a71f97911c6fdb6630272341ac8a07e

      Download Submit
    • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_021lj33rcddyjphptsucz0cmlfgti4gg\1.0.0.0\user.config
      Filesize

      434B

      MD5

      cfcf8e91857f364e002065c52ff8f91c

      SHA1

      8407ecb3c33a1f3fcf18a723e6884acf7e5a0f4a

      SHA256

      572dda8c7f211dc6a4efc7aecb4a54cb4e0ced1e4c9a4b9f96bb329c983c64e6

      SHA512

      364fecac3a051441b4fefcebb2cc9e38632f99dd04593cd5d9b148986afb09b195e88cdbfa2e778b8934564b76d04fe053f919f0a60769b023f2f753ede06d1e

      Download Submit
    • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_021lj33rcddyjphptsucz0cmlfgti4gg\1.0.0.0\user.config
      Filesize

      687B

      MD5

      b18785caae8834f89e34cde89b93cafc

      SHA1

      cee194149b484295ddba88111a251986bdc0c7af

      SHA256

      105971bbe15f24f50dad97d466b55222e52dfdb4a71b1b3a6452cfba28a10811

      SHA512

      fb108e2997a0ea7bce21113118997f358d73a43a40e2b4b9962738cd88dc6d9dfc17e17e63c8ba8c5a5504e5775fbe9e8084ee8e6086cf0eab709335ed8b282c

      Download Submit
    • memory/1524-10-0x0000000008E70000-0x0000000008E9C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1524-80-0x000000000E9A0000-0x000000000EA52000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1524-7-0x00000000750F0000-0x00000000758A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1524-8-0x0000000008170000-0x000000000821A000-memory.dmp
      Filesize

      680KB

      Download
    • memory/1524-9-0x00000000750F0000-0x00000000758A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1524-0-0x00000000750FE000-0x00000000750FF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1524-11-0x0000000009190000-0x0000000009472000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/1524-12-0x0000000009760000-0x0000000009AB4000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1524-13-0x0000000008F00000-0x0000000008F22000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1524-5-0x0000000005F80000-0x00000000061D2000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/1524-18-0x0000000008F40000-0x000000000908B000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1524-30-0x00000000090A0000-0x00000000090EC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1524-31-0x00000000750F0000-0x00000000758A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1524-4-0x0000000005430000-0x00000000054C2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1524-3-0x0000000004FF0000-0x000000000504C000-memory.dmp
      Filesize

      368KB

      Download
    • memory/1524-2-0x00000000055A0000-0x0000000005B44000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1524-1-0x00000000004C0000-0x0000000000608000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1524-69-0x00000000096C0000-0x00000000096FC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1524-70-0x0000000009680000-0x00000000096A1000-memory.dmp
      Filesize

      132KB

      Download
    • memory/1524-6-0x0000000005410000-0x000000000541A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1524-81-0x00000000750FE000-0x00000000750FF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1524-82-0x00000000750F0000-0x00000000758A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1524-83-0x00000000750F0000-0x00000000758A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1524-84-0x00000000750F0000-0x00000000758A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1524-85-0x00000000750F0000-0x00000000758A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1524-86-0x00000000750F0000-0x00000000758A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1524-101-0x000000000AF50000-0x000000000B072000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/5104-87-0x00000180EAA90000-0x00000180EAA91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5104-88-0x00000180EAA90000-0x00000180EAA91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5104-99-0x00000180EAA90000-0x00000180EAA91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5104-98-0x00000180EAA90000-0x00000180EAA91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5104-97-0x00000180EAA90000-0x00000180EAA91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5104-96-0x00000180EAA90000-0x00000180EAA91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5104-95-0x00000180EAA90000-0x00000180EAA91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5104-94-0x00000180EAA90000-0x00000180EAA91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5104-93-0x00000180EAA90000-0x00000180EAA91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5104-89-0x00000180EAA90000-0x00000180EAA91000-memory.dmp
      Filesize

      4KB

      Download