6f1cdc079812115df46d5cfc629e9ed8a9ed0d8d717de8d28bc9890b5578af4d

Analysis

max time kernel
131s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sheet rat v2.6/Server.exe
Size

1.3MB
MD5

dd6667db55acaefa2d7e99dcf5d97a26
SHA1

c1b281ef573df4da584294c61b5322edfed589ad
SHA256

ce8fd5ec0b2ee4e5d87d35622eeaa022ee971801c97bcb3726ca6ebe4b576238
SHA512

916c8b63400c0a8e495fc59d8e348499a6f04421e79599803c7ac4cd828c82f389bfd733471de27cc1643c03723429f8544446d9adc69082e6a5032139a1f1f1
SSDEEP

24576:RIVMEFyWLoQJV+fLmomlEkmmsEnE7E7E7EUmemmmmmmIDmeIjwnaKk:RWMEMWlVILmomSkmmtEQQQUmemmmmmm7

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1620	Server.exe
1620	Server.exe
1620	Server.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	Server.exe

C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe
"C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6\Server.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x86\System.Data.SQLite.DLL

Filesize
1.3MB

MD5
14393eb908e072fa3164597414bb0a75

SHA1
5e04e084ec44a0b29196d0c21213201240f11ba0

SHA256
59b9d95ae42e35525fc63f93168fe304409463ee070a3cf21a427a2833564b80

SHA512
f5fc3d9e98cca1fbbbe026707086a71f801016348d2355541d630879ad51a850f49eb4a5f7a94e12a844d7a7108d69fa6d762ee19f4805d6aafef16259b4330b

Download Submit
C:\Users\Admin\AppData\Local\GMap.NET\TileDBv5\en\Data.gmdb

Filesize
32.2MB

MD5
c1908aa6edfec3602b63e89905c888c4

SHA1
aed61a7a8eada8ef92d91830802fb4ed5bd5e764

SHA256
380d75309abcf9bd7e980b61c41f9262f56c242b4403e555dc2ad18cd310a036

SHA512
99e1971093abca7124d214b6e6445ff5b6dcc6c7f2834fe4c5a4f99e0af0e71403b16c86e3c94b135f628e5632538b38c991a4af17601a9aee942348448a6acd

Download Submit
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_021lj33rcddyjphptsucz0cmlfgti4gg\1.0.0.0\user.config

Filesize
311B

MD5
a35bc67d130a4fb76c2c2831cbdddd55

SHA1
66502423bba03870522e50608212b6ee27ebf4c5

SHA256
e94a97e512fbc8ed9f5691d921fdeddbff4cc16b024c5335adf66bff3a7a8192

SHA512
4401b234d7914afa860e356be1667cc5f44402255f7cc6cc3d8df80883167f6b55463e62156df57be697ee501897fac61a71f97911c6fdb6630272341ac8a07e

Download Submit
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_021lj33rcddyjphptsucz0cmlfgti4gg\1.0.0.0\user.config

Filesize
434B

MD5
cfcf8e91857f364e002065c52ff8f91c

SHA1
8407ecb3c33a1f3fcf18a723e6884acf7e5a0f4a

SHA256
572dda8c7f211dc6a4efc7aecb4a54cb4e0ced1e4c9a4b9f96bb329c983c64e6

SHA512
364fecac3a051441b4fefcebb2cc9e38632f99dd04593cd5d9b148986afb09b195e88cdbfa2e778b8934564b76d04fe053f919f0a60769b023f2f753ede06d1e

Download Submit
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_021lj33rcddyjphptsucz0cmlfgti4gg\1.0.0.0\user.config

Filesize
561B

MD5
2e8ab7cdc2081c09a98f6c5593909409

SHA1
282769c943f8ab0429315869466d042a99de95f4

SHA256
17eee8708a1bbc35422e6ad9b6eff3bec4f8a8b8a87cce8e6cc0da2d94c9b3ae

SHA512
b815e0deaea5348d5ec68cdba3e4b5018e6224299f170859181f90961831b7d14deda144b32d64b11f8da7f4cbdb0b86a8d253b0ee179df68baac274a363ef2a

Download Submit
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_021lj33rcddyjphptsucz0cmlfgti4gg\1.0.0.0\user.config

Filesize
687B

MD5
b18785caae8834f89e34cde89b93cafc

SHA1
cee194149b484295ddba88111a251986bdc0c7af

SHA256
105971bbe15f24f50dad97d466b55222e52dfdb4a71b1b3a6452cfba28a10811

SHA512
fb108e2997a0ea7bce21113118997f358d73a43a40e2b4b9962738cd88dc6d9dfc17e17e63c8ba8c5a5504e5775fbe9e8084ee8e6086cf0eab709335ed8b282c

Download Submit
memory/1620-6-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-3-0x0000000004E30000-0x0000000005082000-memory.dmp

Filesize
2.3MB

Download
memory/1620-8-0x0000000008970000-0x0000000008C52000-memory.dmp

Filesize
2.9MB

Download
memory/1620-7-0x0000000006740000-0x000000000676C000-memory.dmp

Filesize
176KB

Download
memory/1620-60-0x000000000B490000-0x000000000B4B0000-memory.dmp

Filesize
128KB

Download
memory/1620-5-0x0000000005690000-0x000000000573A000-memory.dmp

Filesize
680KB

Download
memory/1620-4-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-9-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-2-0x00000000007E0000-0x000000000083C000-memory.dmp

Filesize
368KB

Download
memory/1620-1-0x0000000000350000-0x0000000000498000-memory.dmp

Filesize
1.3MB

Download
memory/1620-0-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

Filesize
4KB

Download
memory/1620-70-0x000000000DE50000-0x000000000DF02000-memory.dmp

Filesize
712KB

Download
memory/1620-71-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

Filesize
4KB

Download
memory/1620-72-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-73-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-14-0x0000000009810000-0x000000000995B000-memory.dmp

Filesize
1.3MB

Download