Overview

overview

10

Static

static

10

SheetRat/S...ed.exe

windows7-x64

10

SheetRat/S...ed.exe

windows10-2004-x64

10

SheetRat/S...nt.exe

windows7-x64

1

SheetRat/S...nt.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    22-07-2024 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SheetRat/Server-cleaned.exe

  • Size

    1.3MB

  • MD5

    c1862c57cf6b6c302f71ef986950328f

  • SHA1

    2b5df84beb75f758e2b50f9d8c1d73cc59bf9936

  • SHA256

    f90bcd094d81b324edfa8413b4ae9a6a51a38058520b2572151a91205e9b788f

  • SHA512

    de5cd2be9933e317d48b2b8556a260a5427ca88e8653975951d9d6364cebea91e3cc500a724a7d38c314d449c84ba9cb12988f3d2425905e149f1a095f90ef2d

  • SSDEEP

    24576:YLysNT+f7momlEkmmsEnE7E7E7EUmemmmmmmIzme4jwnaKEmbToQ2:Y2sNTI7momSkmmtEQQQUmemmmmmmIzm/

Score
10/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 47 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\SheetRat\Server-cleaned.exe
    "C:\Users\Admin\AppData\Local\Temp\SheetRat\Server-cleaned.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1676
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
      PID:2780
    • C:\Users\Admin\Desktop\Client.exe
      "C:\Users\Admin\Desktop\Client.exe"
      1⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\system32\CMD.exe
        "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Visual Studio Code Host" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2164
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Visual Studio Code Host" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:3032
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1964
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Node.js" /tr "C:\Users\Admin\Documents\xdwdPuTTY Update.exe" /RL HIGHEST & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo 5 /tn "Node.js" /tr "C:\Users\Admin\Documents\xdwdPuTTY Update.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:396
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          • Suspicious behavior: EnumeratesProcesses
          PID:2888
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          • Suspicious behavior: EnumeratesProcesses
          PID:2584
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1936
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1944
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2188
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:808

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Server\Server-cleaned.exe_Url_v01rgh5g1psgca1y4pynyjgu3xx5dv4c\1.0.0.0\5huwr50x.newcfg
      Filesize

      1KB

      MD5

      7cf968e0ae06a462ba72a5d7d1fdc88a

      SHA1

      95dc2fe0f93f3952e808ca85a2e76b35e06b3878

      SHA256

      87ca18aad1637b36c6e5aaa982110681d1c81e897667b9a38003f3c1052d289f

      SHA512

      49e362871abd1ea9f0ffaaa764b479ed7efaf5e179d87e8f070d0cdebc7bce26f558b1bbe649d837f39d343cb0c4fc6a67cb313f19e4e06c03f4f7f43ad12fd9

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server-cleaned.exe_Url_v01rgh5g1psgca1y4pynyjgu3xx5dv4c\1.0.0.0\sojlwnil.newcfg
      Filesize

      1KB

      MD5

      3e83308de9805817d7c747a0773199ab

      SHA1

      13bd5f4085f08bdadb67ad22bba2b4d62895d533

      SHA256

      dae07fa593aaa1d8638c277d2e4c936986480528e5fb24bdfbf31971df19b81e

      SHA512

      73643a5f42f2208bc2663b20b5b49aa74c328736c0ac395774d7aa72bad6d760e997c17f5c7d479e611c5ec0c23cb7b74415f9c95fca0973ef3c84c176bdb0f4

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server-cleaned.exe_Url_v01rgh5g1psgca1y4pynyjgu3xx5dv4c\1.0.0.0\user.config
      Filesize

      797B

      MD5

      1dc25fcc9d2526c8def3bf40c1bfaf69

      SHA1

      8ea5d1e6b4f6aba87727fa313d40740071d46bce

      SHA256

      62f5c0be8ea24233cf5660b2d1a0d1f0e7319415f5caf14e7ae84e3c9e2632c4

      SHA512

      845b5f4eeb05d5bb57fd94fdac623d2a3b3ef9365ad4c712667f09912c21ed4d4ef242021124cef40a29fd4ecfb851e8668be854b78dae284a32ecb7e255c970

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server-cleaned.exe_Url_v01rgh5g1psgca1y4pynyjgu3xx5dv4c\1.0.0.0\user.config
      Filesize

      920B

      MD5

      db822f44e045c6bce441574f8e8614e6

      SHA1

      e74eb4fc67ddacbf01d66c82a776a04bffc13004

      SHA256

      4984544e2fa632fc296eac6050f8ba3e2f60e585d6be6ef08b49d2bce47a51a5

      SHA512

      80790a1c19b764d07243db826cbf38b224e40cf6be66984141f8d436c5f8be6af2a4be2db81eb2834cc9beb15313474c0f64d694603e1fc6287767b997adc922

      Download Submit

    • C:\Users\Admin\Desktop\Client.exe
      Filesize

      468KB

      MD5

      690a0978b18ad78295a5332fe239280e

      SHA1

      057071d4c5c43aa9e8bf6ff944576c1eda7cb676

      SHA256

      234719440af98208951742cdfb4d9954f513e701164e8e0d42a351ae14ce87ea

      SHA512

      c87a1e7772ac6e1be2a98838df9b9ea5c0f7d96f20d5bd42363f15abddb90917f16e7adc4cd9e55dee4e98f1179bdc4ae5c503e2b923a17719c74d3507d5820f

      Download Submit

    • C:\Windows\xdwd.dll
      Filesize

      136KB

      MD5

      16e5a492c9c6ae34c59683be9c51fa31

      SHA1

      97031b41f5c56f371c28ae0d62a2df7d585adaba

      SHA256

      35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

      SHA512

      20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

      Download Submit

    • \Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x86\System.Data.SQLite.DLL
      Filesize

      1.3MB

      MD5

      14393eb908e072fa3164597414bb0a75

      SHA1

      5e04e084ec44a0b29196d0c21213201240f11ba0

      SHA256

      59b9d95ae42e35525fc63f93168fe304409463ee070a3cf21a427a2833564b80

      SHA512

      f5fc3d9e98cca1fbbbe026707086a71f801016348d2355541d630879ad51a850f49eb4a5f7a94e12a844d7a7108d69fa6d762ee19f4805d6aafef16259b4330b

      Download Submit

    • memory/808-92-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/808-91-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/1632-148-0x000007FEF6700000-0x000007FEF6722000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1676-9-0x0000000073F70000-0x000000007465E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1676-80-0x000000000E9F0000-0x000000000E9F2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1676-0-0x0000000073F7E000-0x0000000073F7F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1676-8-0x0000000008AE0000-0x0000000008DC2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1676-6-0x0000000006790000-0x00000000067BC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1676-7-0x0000000073F70000-0x000000007465E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1676-64-0x00000000090F0000-0x0000000009110000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1676-74-0x000000000E240000-0x000000000E2F2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/1676-75-0x0000000073F7E000-0x0000000073F7F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1676-76-0x0000000073F70000-0x000000007465E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1676-77-0x0000000073F70000-0x000000007465E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1676-78-0x0000000073F70000-0x000000007465E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1676-79-0x000000000B200000-0x000000000B322000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1676-14-0x0000000009870000-0x00000000099BB000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1676-82-0x000000000EBC0000-0x000000000EBDA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1676-5-0x00000000055A0000-0x000000000564A000-memory.dmp

      Filesize

      680KB

      Download

    • memory/1676-1-0x00000000001B0000-0x00000000002F8000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1676-4-0x0000000073F70000-0x000000007465E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1676-3-0x0000000005010000-0x0000000005262000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/1676-2-0x0000000000440000-0x000000000049C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/1936-217-0x000007FEF6700000-0x000007FEF6722000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1944-259-0x000007FEF21A0000-0x000007FEF21C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2104-90-0x0000000000CD0000-0x0000000000D4C000-memory.dmp

      Filesize

      496KB

      Download

    • memory/2188-258-0x000007FEF21A0000-0x000007FEF21C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2512-218-0x000007FEF6700000-0x000007FEF6722000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2584-188-0x000007FEF21A0000-0x000007FEF21C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2724-189-0x000007FEF21A0000-0x000007FEF21C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2888-147-0x000007FEF6700000-0x000007FEF6722000-memory.dmp

      Filesize

      136KB

      Download