Overview

overview

10

Static

static

10

SheetRat/S...ed.exe

windows7-x64

7

SheetRat/S...ed.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    146s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-07-2024 14:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SheetRat/Server-cleaned.exe

  • Size

    1.3MB

  • MD5

    c1862c57cf6b6c302f71ef986950328f

  • SHA1

    2b5df84beb75f758e2b50f9d8c1d73cc59bf9936

  • SHA256

    f90bcd094d81b324edfa8413b4ae9a6a51a38058520b2572151a91205e9b788f

  • SHA512

    de5cd2be9933e317d48b2b8556a260a5427ca88e8653975951d9d6364cebea91e3cc500a724a7d38c314d449c84ba9cb12988f3d2425905e149f1a095f90ef2d

  • SSDEEP

    24576:YLysNT+f7momlEkmmsEnE7E7E7EUmemmmmmmIzme4jwnaKEmbToQ2:Y2sNTI7momSkmmtEQQQUmemmmmmmIzm/

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 54 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 46 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SheetRat\Server-cleaned.exe
    "C:\Users\Admin\AppData\Local\Temp\SheetRat\Server-cleaned.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2960
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3004
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4968
    • C:\Users\Admin\Desktop\Clien234t.exe
      "C:\Users\Admin\Desktop\Clien234t.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2396

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x86\System.Data.SQLite.DLL
      Filesize

      1.3MB

      MD5

      14393eb908e072fa3164597414bb0a75

      SHA1

      5e04e084ec44a0b29196d0c21213201240f11ba0

      SHA256

      59b9d95ae42e35525fc63f93168fe304409463ee070a3cf21a427a2833564b80

      SHA512

      f5fc3d9e98cca1fbbbe026707086a71f801016348d2355541d630879ad51a850f49eb4a5f7a94e12a844d7a7108d69fa6d762ee19f4805d6aafef16259b4330b

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server-cleaned.exe_Url_v01rgh5g1psgca1y4pynyjgu3xx5dv4c\1.0.0.0\user.config
      Filesize

      797B

      MD5

      1dc25fcc9d2526c8def3bf40c1bfaf69

      SHA1

      8ea5d1e6b4f6aba87727fa313d40740071d46bce

      SHA256

      62f5c0be8ea24233cf5660b2d1a0d1f0e7319415f5caf14e7ae84e3c9e2632c4

      SHA512

      845b5f4eeb05d5bb57fd94fdac623d2a3b3ef9365ad4c712667f09912c21ed4d4ef242021124cef40a29fd4ecfb851e8668be854b78dae284a32ecb7e255c970

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server-cleaned.exe_Url_v01rgh5g1psgca1y4pynyjgu3xx5dv4c\1.0.0.0\user.config
      Filesize

      920B

      MD5

      db822f44e045c6bce441574f8e8614e6

      SHA1

      e74eb4fc67ddacbf01d66c82a776a04bffc13004

      SHA256

      4984544e2fa632fc296eac6050f8ba3e2f60e585d6be6ef08b49d2bce47a51a5

      SHA512

      80790a1c19b764d07243db826cbf38b224e40cf6be66984141f8d436c5f8be6af2a4be2db81eb2834cc9beb15313474c0f64d694603e1fc6287767b997adc922

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server-cleaned.exe_Url_v01rgh5g1psgca1y4pynyjgu3xx5dv4c\1.0.0.0\user.config
      Filesize

      1KB

      MD5

      7cf968e0ae06a462ba72a5d7d1fdc88a

      SHA1

      95dc2fe0f93f3952e808ca85a2e76b35e06b3878

      SHA256

      87ca18aad1637b36c6e5aaa982110681d1c81e897667b9a38003f3c1052d289f

      SHA512

      49e362871abd1ea9f0ffaaa764b479ed7efaf5e179d87e8f070d0cdebc7bce26f558b1bbe649d837f39d343cb0c4fc6a67cb313f19e4e06c03f4f7f43ad12fd9

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server-cleaned.exe_Url_v01rgh5g1psgca1y4pynyjgu3xx5dv4c\1.0.0.0\user.config
      Filesize

      1KB

      MD5

      3e83308de9805817d7c747a0773199ab

      SHA1

      13bd5f4085f08bdadb67ad22bba2b4d62895d533

      SHA256

      dae07fa593aaa1d8638c277d2e4c936986480528e5fb24bdfbf31971df19b81e

      SHA512

      73643a5f42f2208bc2663b20b5b49aa74c328736c0ac395774d7aa72bad6d760e997c17f5c7d479e611c5ec0c23cb7b74415f9c95fca0973ef3c84c176bdb0f4

      Download Submit

    • C:\Users\Admin\Desktop\Clien234t.exe
      Filesize

      470KB

      MD5

      bd9805b967e4e04d4368ff0644bf4d34

      SHA1

      8e3a3c6fd23d5fadb2c8aa8ad8c90d5e6cff2b2a

      SHA256

      d8f17559f481040ff638839edd76bac7ef5b1b6c3ebda476bafeb9709e300811

      SHA512

      45354e8f415fb38b6b226f37b0649411029c0a1fd24b5e72927ee8d18d7ca39bd121125b6d8934bfd338ef0411f6b5696fdf12b218a9a168202fafda7f8ee18f

      Download Submit

    • C:\Users\Admin\Documents\Client.exe
      Filesize

      463KB

      MD5

      a37b445fbab5ba9da8c800c3f7c3a042

      SHA1

      ac5e59a847e137910dd3e144aeab5613c452a223

      SHA256

      ecb142afcb2bc5d2bc9b0f61cd1b75959ae9e0db988ad27dde3dfd359edc3ea2

      SHA512

      7ac5eb8d9a8a3d77de277a294d8a32e108294b4198396c52e919ef28a03b3dd3986ddf387559a330300b2ea5af44a993fd2ef3003ac7146be367afa65da79f12

      Download Submit

    • C:\Windows\System32\u9kzos.exe
      Filesize

      7.2MB

      MD5

      f6d8913637f1d5d2dc846de70ce02dc5

      SHA1

      5fc9c6ab334db1f875fbc59a03f5506c478c6c3e

      SHA256

      4e72ca1baee2c7c0f50a42614d101159a9c653a8d6f7498f7bf9d7026c24c187

      SHA512

      21217a0a0eca58fc6058101aa69cf30d5dbe419c21fa7a160f44d8ebbcf5f4011203542c8f400a9bb8ee3826706417f2939c402f605817df597b7ff812b43036

      Download Submit

    • memory/2396-156-0x0000000000B20000-0x0000000000B9C000-memory.dmp

      Filesize

      496KB

      Download

    • memory/2960-67-0x000000000B590000-0x000000000B5CC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2960-94-0x0000000074CF0000-0x00000000754A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2960-11-0x0000000008B90000-0x0000000008E72000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2960-12-0x0000000009160000-0x00000000094B4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2960-13-0x0000000008900000-0x0000000008922000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2960-9-0x0000000074CF0000-0x00000000754A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2960-30-0x0000000008AA0000-0x0000000008AEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2960-18-0x0000000008940000-0x0000000008A8B000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2960-31-0x0000000074CF0000-0x00000000754A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2960-8-0x0000000006760000-0x000000000680A000-memory.dmp

      Filesize

      680KB

      Download

    • memory/2960-7-0x0000000074CF0000-0x00000000754A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2960-6-0x0000000004F10000-0x0000000004F1A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2960-5-0x0000000005830000-0x0000000005A82000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/2960-0-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2960-68-0x000000000B550000-0x000000000B571000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2960-78-0x000000000E220000-0x000000000E2D2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2960-1-0x00000000000C0000-0x0000000000208000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2960-2-0x0000000004F80000-0x0000000005524000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2960-3-0x0000000004A80000-0x0000000004ADC000-memory.dmp

      Filesize

      368KB

      Download

    • memory/2960-138-0x000000000FEC0000-0x000000000FEDA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2960-136-0x000000000E700000-0x000000000E822000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2960-110-0x0000000074CF0000-0x00000000754A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2960-97-0x0000000074CF0000-0x00000000754A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2960-4-0x0000000005530000-0x00000000055C2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2960-95-0x0000000074CF0000-0x00000000754A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2960-10-0x0000000008870000-0x000000000889C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2960-92-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2960-93-0x0000000074CF0000-0x00000000754A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3004-85-0x000001795F530000-0x000001795F531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3004-86-0x000001795F530000-0x000001795F531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3004-87-0x000001795F530000-0x000001795F531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3004-88-0x000001795F530000-0x000001795F531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3004-89-0x000001795F530000-0x000001795F531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3004-90-0x000001795F530000-0x000001795F531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3004-91-0x000001795F530000-0x000001795F531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3004-79-0x000001795F530000-0x000001795F531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3004-80-0x000001795F530000-0x000001795F531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3004-81-0x000001795F530000-0x000001795F531000-memory.dmp

      Filesize

      4KB

      Download