Overview

overview

10

Static

static

7d7d9a9df8...19.exe

windows7_x64

3

7d7d9a9df8...19.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    133s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    01-03-2022 10:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d7d9a9df8b8ffd0a0c652a3d41b9a5352efb19424e42942aaf26196c9698019.exe

  • Size

    28KB

  • MD5

    eb8385915f68d5fbbf7c0c05e480a999

  • SHA1

    a72734fcddbad58308d91274ad444a5b1d970c21

  • SHA256

    7d7d9a9df8b8ffd0a0c652a3d41b9a5352efb19424e42942aaf26196c9698019

  • SHA512

    f75fbebb4583e356e5071b187fd956067f029c46ad2c2b8e300d6d5bfacdce0690abf19b29743f8c6d09dd7e389e5d11067c5292b074d5017f7a444f1770d736

Score
10/10
saintbotdiscoverydropperevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • SaintBot

    Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.

    droppersaintbot
  • SaintBot Payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Nirsoft 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d7d9a9df8b8ffd0a0c652a3d41b9a5352efb19424e42942aaf26196c9698019.exe
    "C:\Users\Admin\AppData\Local\Temp\7d7d9a9df8b8ffd0a0c652a3d41b9a5352efb19424e42942aaf26196c9698019.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsA
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4228
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" stop WinDefend
        3⤵
          PID:224
      • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1896
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse
          3⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:384
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Alxxhtcbfihhsgrufrohf.vbs"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4880
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath 'C:\','C:\Users\Admin\AppData\Local\support.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3620
      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Drops startup file
        • Maps connected drives based on registry
        • Suspicious use of WriteProcessMemory
        PID:3644
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\35317.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\35317.exe"
          3⤵
          • Executes dropped EXE
          PID:632
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:872
          • C:\Windows\SysWOW64\PING.EXE
            ping localhost -n 3
            4⤵
            • Runs ping.exe
            PID:4752
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
            4⤵
              PID:3420
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
        1⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4688

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        MD5

        4280e36a29fa31c01e4d8b2ba726a0d8

        SHA1

        c485c2c9ce0a99747b18d899b71dfa9a64dabe32

        SHA256

        e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

        SHA512

        494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
        MD5

        998553dcbd8e90a480eb7425ec877031

        SHA1

        0492ee5602d2aa7e330fdb0db9fd19ca086bb992

        SHA256

        a27e776a2b82ab98384cb12ea6a2a7c570e168ec310b5708a412b174e139fff8

        SHA512

        175ff0c0e6713173f133528cd704765f9155df5447cc825ec16d76c6c7aef309b480e94d8084c18932de55d1d7042e17214fa07fa850fd6b105e319bc5a44128

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        8e23ff7a50894bde9baa665865164939

        SHA1

        255bbccd8fbd9b14118dc5f3154938dea5e09b67

        SHA256

        e180c29ac921341ea0f815691b54ad9be3a641a63e61e95484b29ee5a61689dd

        SHA512

        b818be57dbb8745d249d2e1df60f828291b2fd5ecbf9ecb81cefdf23c7967f2f29ba0a55e9c14976b0dce9bba38b21c485289a1d604790076878a6e402aa4183

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        MD5

        17fc12902f4769af3a9271eb4e2dacce

        SHA1

        9a4a1581cc3971579574f837e110f3bd6d529dab

        SHA256

        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

        SHA512

        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        MD5

        17fc12902f4769af3a9271eb4e2dacce

        SHA1

        9a4a1581cc3971579574f837e110f3bd6d529dab

        SHA256

        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

        SHA512

        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Alxxhtcbfihhsgrufrohf.vbs
        MD5

        cca8d8967121499be9bc6786f05395b1

        SHA1

        e3efa150f6f8ab39d644a25d3cf6a00a9ebb984f

        SHA256

        09caf8f5ac1c2b0df3b0536eff2c6dde65ae7864daabbd27a354f355958c8253

        SHA512

        5904d292c20d797dc257a739abc6d418f92dd195c2f320e3dcf6e9f9167b22d966a3bf836adc721ab751ed96276807c48afeb4886308f7dec5e744b690e2c903

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        MD5

        5d4073b2eb6d217c19f2b22f21bf8d57

        SHA1

        f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

        SHA256

        ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

        SHA512

        9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        MD5

        5d4073b2eb6d217c19f2b22f21bf8d57

        SHA1

        f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

        SHA256

        ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

        SHA512

        9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\35317.exe
        MD5

        5d4073b2eb6d217c19f2b22f21bf8d57

        SHA1

        f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

        SHA256

        ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

        SHA512

        9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\35317.exe
        MD5

        5d4073b2eb6d217c19f2b22f21bf8d57

        SHA1

        f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

        SHA256

        ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

        SHA512

        9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

        Download Submit

      • C:\Users\Admin\AppData\Roaming\del.bat
        MD5

        2764a9a7cd90bc9bdbc8e6626b8748f0

        SHA1

        41e7eb5fc041bfa39fbcf4e5b1c3ae64a2e897a8

        SHA256

        535281da7aaf13c97f697691324bab4204b55e2f1e28c5e4aca23c589f6f2171

        SHA512

        0f04ede209554d0001189bfc6f9c06bf6b6acae984ffd371362ceeef0db91e926e5343f9db80f5addca3ab0683a7e6919f1ba91ec87e9d9101eb064c8dfe9306

        Download Submit

      • memory/384-149-0x000001EC73A50000-0x000001EC73A72000-memory.dmp

        Filesize

        136KB

        Download

      • memory/384-152-0x000001EC739D0000-0x000001EC739D2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/384-151-0x00007FFC829F3000-0x00007FFC829F5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/632-161-0x00000000003C0000-0x00000000003CC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1852-135-0x00000000051E0000-0x00000000051E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1852-146-0x0000000000EB0000-0x0000000000F42000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1852-145-0x00000000062C0000-0x0000000006864000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1852-130-0x000000007448E000-0x000000007448F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1852-131-0x0000000000710000-0x0000000000718000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2652-141-0x00000000066B0000-0x00000000066CE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2652-133-0x0000000005860000-0x0000000005E88000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2652-143-0x0000000007F00000-0x000000000857A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2652-132-0x00000000050E0000-0x0000000005116000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2652-142-0x0000000005225000-0x0000000005227000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2652-136-0x000000007448E000-0x000000007448F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2652-138-0x0000000005220000-0x0000000005221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2652-140-0x0000000005222000-0x0000000005223000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2652-144-0x0000000006BB0000-0x0000000006BCA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2652-139-0x0000000006070000-0x00000000060D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2652-137-0x0000000006000000-0x0000000006066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2652-134-0x0000000005700000-0x0000000005722000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3620-163-0x000000007448E000-0x000000007448F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3620-172-0x0000000007960000-0x000000000796A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3620-164-0x0000000004F50000-0x0000000004F51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3620-165-0x0000000004F52000-0x0000000004F53000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3620-176-0x0000000007AE0000-0x0000000007AE8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3620-167-0x0000000006BA0000-0x0000000006BD2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3620-168-0x00000000713F0000-0x000000007143C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3620-169-0x0000000006B60000-0x0000000006B7E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3620-171-0x0000000004F55000-0x0000000004F57000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3620-170-0x000000007F9A0000-0x000000007F9A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3620-175-0x0000000007B00000-0x0000000007B1A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3620-173-0x0000000007BA0000-0x0000000007C36000-memory.dmp

        Filesize

        600KB

        Download

      • memory/3620-174-0x0000000006430000-0x000000000643E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3644-158-0x0000000000400000-0x000000000040B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3644-153-0x0000000000400000-0x000000000040B000-memory.dmp

        Filesize

        44KB

        Download