9c722efda237af4e856b06657c20ad677d6c75ea33a033e28fa3f522039b5eae

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SheetRat/Server-cleaned.exe
Size

1.3MB
MD5

c1862c57cf6b6c302f71ef986950328f
SHA1

2b5df84beb75f758e2b50f9d8c1d73cc59bf9936
SHA256

f90bcd094d81b324edfa8413b4ae9a6a51a38058520b2572151a91205e9b788f
SHA512

de5cd2be9933e317d48b2b8556a260a5427ca88e8653975951d9d6364cebea91e3cc500a724a7d38c314d449c84ba9cb12988f3d2425905e149f1a095f90ef2d
SSDEEP

24576:YLysNT+f7momlEkmmsEnE7E7E7EUmemmmmmmIzme4jwnaKEmbToQ2:Y2sNTI7momSkmmtEQQQUmemmmmmmIzm/

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2304	Server-cleaned.exe
2304	Server-cleaned.exe
2304	Server-cleaned.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2056	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	Server-cleaned.exe
Token: SeDebugPrivilege	2056	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\SheetRat\Server-cleaned.exe
"C:\Users\Admin\AppData\Local\Temp\SheetRat\Server-cleaned.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Server\Server-cleaned.exe_Url_v01rgh5g1psgca1y4pynyjgu3xx5dv4c\1.0.0.0\iuuxttzx.newcfg

Filesize
1KB

MD5
7cf968e0ae06a462ba72a5d7d1fdc88a

SHA1
95dc2fe0f93f3952e808ca85a2e76b35e06b3878

SHA256
87ca18aad1637b36c6e5aaa982110681d1c81e897667b9a38003f3c1052d289f

SHA512
49e362871abd1ea9f0ffaaa764b479ed7efaf5e179d87e8f070d0cdebc7bce26f558b1bbe649d837f39d343cb0c4fc6a67cb313f19e4e06c03f4f7f43ad12fd9

Download Submit
C:\Users\Admin\AppData\Local\Server\Server-cleaned.exe_Url_v01rgh5g1psgca1y4pynyjgu3xx5dv4c\1.0.0.0\user.config

Filesize
797B

MD5
1dc25fcc9d2526c8def3bf40c1bfaf69

SHA1
8ea5d1e6b4f6aba87727fa313d40740071d46bce

SHA256
62f5c0be8ea24233cf5660b2d1a0d1f0e7319415f5caf14e7ae84e3c9e2632c4

SHA512
845b5f4eeb05d5bb57fd94fdac623d2a3b3ef9365ad4c712667f09912c21ed4d4ef242021124cef40a29fd4ecfb851e8668be854b78dae284a32ecb7e255c970

Download Submit
C:\Users\Admin\AppData\Local\Server\Server-cleaned.exe_Url_v01rgh5g1psgca1y4pynyjgu3xx5dv4c\1.0.0.0\user.config

Filesize
920B

MD5
db822f44e045c6bce441574f8e8614e6

SHA1
e74eb4fc67ddacbf01d66c82a776a04bffc13004

SHA256
4984544e2fa632fc296eac6050f8ba3e2f60e585d6be6ef08b49d2bce47a51a5

SHA512
80790a1c19b764d07243db826cbf38b224e40cf6be66984141f8d436c5f8be6af2a4be2db81eb2834cc9beb15313474c0f64d694603e1fc6287767b997adc922

Download Submit
C:\Users\Admin\AppData\Local\Server\Server-cleaned.exe_Url_v01rgh5g1psgca1y4pynyjgu3xx5dv4c\1.0.0.0\user.config

Filesize
1KB

MD5
3e83308de9805817d7c747a0773199ab

SHA1
13bd5f4085f08bdadb67ad22bba2b4d62895d533

SHA256
dae07fa593aaa1d8638c277d2e4c936986480528e5fb24bdfbf31971df19b81e

SHA512
73643a5f42f2208bc2663b20b5b49aa74c328736c0ac395774d7aa72bad6d760e997c17f5c7d479e611c5ec0c23cb7b74415f9c95fca0973ef3c84c176bdb0f4

Download Submit
\Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x86\System.Data.SQLite.DLL

Filesize
1.3MB

MD5
14393eb908e072fa3164597414bb0a75

SHA1
5e04e084ec44a0b29196d0c21213201240f11ba0

SHA256
59b9d95ae42e35525fc63f93168fe304409463ee070a3cf21a427a2833564b80

SHA512
f5fc3d9e98cca1fbbbe026707086a71f801016348d2355541d630879ad51a850f49eb4a5f7a94e12a844d7a7108d69fa6d762ee19f4805d6aafef16259b4330b

Download Submit
memory/2056-79-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2056-78-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2056-77-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2056-76-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2304-6-0x0000000005A70000-0x0000000005A9C000-memory.dmp

Filesize
176KB

Download
memory/2304-62-0x000000000B880000-0x000000000B8A0000-memory.dmp

Filesize
128KB

Download
memory/2304-14-0x00000000097B0000-0x00000000098FB000-memory.dmp

Filesize
1.3MB

Download
memory/2304-8-0x0000000008950000-0x0000000008C32000-memory.dmp

Filesize
2.9MB

Download
memory/2304-7-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-0-0x0000000073FDE000-0x0000000073FDF000-memory.dmp

Filesize
4KB

Download
memory/2304-5-0x00000000056B0000-0x000000000575A000-memory.dmp

Filesize
680KB

Download
memory/2304-9-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-72-0x000000000E5A0000-0x000000000E652000-memory.dmp

Filesize
712KB

Download
memory/2304-73-0x0000000073FDE000-0x0000000073FDF000-memory.dmp

Filesize
4KB

Download
memory/2304-74-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-75-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-4-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-3-0x0000000005020000-0x0000000005272000-memory.dmp

Filesize
2.3MB

Download
memory/2304-2-0x0000000000680000-0x00000000006DC000-memory.dmp

Filesize
368KB

Download
memory/2304-1-0x00000000008A0000-0x00000000009E8000-memory.dmp

Filesize
1.3MB

Download