Overview

overview

10

Static

static

fa1bc7d6f0...6e.exe

windows7_x64

10

fa1bc7d6f0...6e.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294181s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    28-02-2022 03:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe

  • Size

    365KB

  • MD5

    2371d432700a7e1f9c070a6e97fdb634

  • SHA1

    00d6c66ab2fd1810628d13980cc73275884933b1

  • SHA256

    fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e

  • SHA512

    423e76393e65defab5cdaef0c2a3249cadfbd3413d6763db8428e3a6a13e2a880c6a93cba35cf783ccc126b26bcd3e6ad6bf3059be94ca0d3798b75b51c4e7e5

Score
10/10
saintbotdiscoverydropperpersistence

Malware Config

Signatures

  • SaintBot

    Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.

    droppersaintbot
  • SaintBot Payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
    "C:\Users\Admin\AppData\Local\Temp\fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Local\Temp\fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
      "C:\Users\Admin\AppData\Local\Temp\fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Maps connected drives based on registry
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.exe"
          4⤵
          • Executes dropped EXE
          • Drops startup file
          • Loads dropped DLL
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1764
          • C:\Windows\SysWOW64\dfrgui.exe
            "C:\Windows\system32\dfrgui.exe"
            5⤵
            • Loads dropped DLL
            • Adds Run key to start application
            • Maps connected drives based on registry
            • Drops file in System32 directory
            • Checks processor information in registry
            • Suspicious use of WriteProcessMemory
            PID:900
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Update" /tr "%SYSTEMDRIVE%\Users\%USERNAME%\AppData\Local\zz%USERNAME%\%USERNAME%.vbs" /F
              6⤵
              • Creates scheduled task(s)
              PID:1480
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Roaming\del.bat
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Windows\SysWOW64\PING.EXE
          ping localhost -n 3
          4⤵
          • Runs ping.exe
          PID:956
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
          4⤵
            PID:1380

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/900-101-0x0000000000080000-0x000000000008B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1108-62-0x0000000000090000-0x000000000009B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1108-61-0x0000000000090000-0x000000000009B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1108-66-0x0000000000090000-0x000000000009B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1108-65-0x0000000000090000-0x000000000009B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1108-69-0x0000000000090000-0x000000000009B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1108-73-0x0000000000090000-0x000000000009B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1108-77-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1108-64-0x0000000000090000-0x000000000009B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1108-63-0x0000000000090000-0x000000000009B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1636-59-0x0000000000740000-0x000000000075A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1636-54-0x0000000000B20000-0x0000000000B80000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1636-60-0x00000000007D0000-0x00000000007D6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1636-67-0x0000000004D61000-0x0000000004D62000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1636-58-0x0000000004D60000-0x0000000004D61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1636-57-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1636-56-0x0000000000360000-0x0000000000376000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1636-55-0x00000000004A0000-0x00000000004D2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1764-98-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1988-82-0x0000000001380000-0x00000000013E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1988-83-0x00000000749FE000-0x00000000749FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1988-84-0x0000000004D90000-0x0000000004D91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1988-92-0x0000000004D91000-0x0000000004D92000-memory.dmp

      Filesize

      4KB

      Download