Overview

overview

10

Static

static

7d7d9a9df8...19.exe

windows7_x64

3

7d7d9a9df8...19.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    133s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    01-03-2022 10:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d7d9a9df8b8ffd0a0c652a3d41b9a5352efb19424e42942aaf26196c9698019.exe

  • Size

    28KB

  • MD5

    eb8385915f68d5fbbf7c0c05e480a999

  • SHA1

    a72734fcddbad58308d91274ad444a5b1d970c21

  • SHA256

    7d7d9a9df8b8ffd0a0c652a3d41b9a5352efb19424e42942aaf26196c9698019

  • SHA512

    f75fbebb4583e356e5071b187fd956067f029c46ad2c2b8e300d6d5bfacdce0690abf19b29743f8c6d09dd7e389e5d11067c5292b074d5017f7a444f1770d736

Score
10/10
saintbotdiscoverydropperevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • SaintBot

    Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.

    droppersaintbot
  • SaintBot Payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Nirsoft 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d7d9a9df8b8ffd0a0c652a3d41b9a5352efb19424e42942aaf26196c9698019.exe
    "C:\Users\Admin\AppData\Local\Temp\7d7d9a9df8b8ffd0a0c652a3d41b9a5352efb19424e42942aaf26196c9698019.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsA
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4228
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" stop WinDefend
        3⤵
          PID:224
      • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1896
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse
          3⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:384
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Alxxhtcbfihhsgrufrohf.vbs"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4880
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath 'C:\','C:\Users\Admin\AppData\Local\support.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3620
      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Drops startup file
        • Maps connected drives based on registry
        • Suspicious use of WriteProcessMemory
        PID:3644
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\35317.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\35317.exe"
          3⤵
          • Executes dropped EXE
          PID:632
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:872
          • C:\Windows\SysWOW64\PING.EXE
            ping localhost -n 3
            4⤵
            • Runs ping.exe
            PID:4752
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
            4⤵
              PID:3420
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
        1⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4688

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/384-149-0x000001EC73A50000-0x000001EC73A72000-memory.dmp

        Filesize

        136KB

        Download

      • memory/384-152-0x000001EC739D0000-0x000001EC739D2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/384-151-0x00007FFC829F3000-0x00007FFC829F5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/632-161-0x00000000003C0000-0x00000000003CC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1852-135-0x00000000051E0000-0x00000000051E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1852-146-0x0000000000EB0000-0x0000000000F42000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1852-145-0x00000000062C0000-0x0000000006864000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1852-130-0x000000007448E000-0x000000007448F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1852-131-0x0000000000710000-0x0000000000718000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2652-141-0x00000000066B0000-0x00000000066CE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2652-133-0x0000000005860000-0x0000000005E88000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2652-143-0x0000000007F00000-0x000000000857A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2652-132-0x00000000050E0000-0x0000000005116000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2652-142-0x0000000005225000-0x0000000005227000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2652-136-0x000000007448E000-0x000000007448F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2652-138-0x0000000005220000-0x0000000005221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2652-140-0x0000000005222000-0x0000000005223000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2652-144-0x0000000006BB0000-0x0000000006BCA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2652-139-0x0000000006070000-0x00000000060D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2652-137-0x0000000006000000-0x0000000006066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2652-134-0x0000000005700000-0x0000000005722000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3620-163-0x000000007448E000-0x000000007448F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3620-172-0x0000000007960000-0x000000000796A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3620-164-0x0000000004F50000-0x0000000004F51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3620-165-0x0000000004F52000-0x0000000004F53000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3620-176-0x0000000007AE0000-0x0000000007AE8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3620-167-0x0000000006BA0000-0x0000000006BD2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3620-168-0x00000000713F0000-0x000000007143C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3620-169-0x0000000006B60000-0x0000000006B7E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3620-171-0x0000000004F55000-0x0000000004F57000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3620-170-0x000000007F9A0000-0x000000007F9A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3620-175-0x0000000007B00000-0x0000000007B1A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3620-173-0x0000000007BA0000-0x0000000007C36000-memory.dmp

        Filesize

        600KB

        Download

      • memory/3620-174-0x0000000006430000-0x000000000643E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3644-158-0x0000000000400000-0x000000000040B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3644-153-0x0000000000400000-0x000000000040B000-memory.dmp

        Filesize

        44KB

        Download