Analysis
-
max time kernel
133s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
01-03-2022 10:35
General
-
Target
7d7d9a9df8b8ffd0a0c652a3d41b9a5352efb19424e42942aaf26196c9698019.exe
-
Size
28KB
-
MD5
eb8385915f68d5fbbf7c0c05e480a999
-
SHA1
a72734fcddbad58308d91274ad444a5b1d970c21
-
SHA256
7d7d9a9df8b8ffd0a0c652a3d41b9a5352efb19424e42942aaf26196c9698019
-
SHA512
f75fbebb4583e356e5071b187fd956067f029c46ad2c2b8e300d6d5bfacdce0690abf19b29743f8c6d09dd7e389e5d11067c5292b074d5017f7a444f1770d736
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
-
SaintBot Payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Nirsoft 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 41 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d7d9a9df8b8ffd0a0c652a3d41b9a5352efb19424e42942aaf26196c9698019.exe"C:\Users\Admin\AppData\Local\Temp\7d7d9a9df8b8ffd0a0c652a3d41b9a5352efb19424e42942aaf26196c9698019.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsA2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" stop WinDefend3⤵
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Alxxhtcbfihhsgrufrohf.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath 'C:\','C:\Users\Admin\AppData\Local\support.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exeC:\Users\Admin\AppData\Local\Temp\InstallUtil.exe2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\35317.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\35317.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 34⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.execmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
4280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
998553dcbd8e90a480eb7425ec877031
SHA10492ee5602d2aa7e330fdb0db9fd19ca086bb992
SHA256a27e776a2b82ab98384cb12ea6a2a7c570e168ec310b5708a412b174e139fff8
SHA512175ff0c0e6713173f133528cd704765f9155df5447cc825ec16d76c6c7aef309b480e94d8084c18932de55d1d7042e17214fa07fa850fd6b105e319bc5a44128
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
8e23ff7a50894bde9baa665865164939
SHA1255bbccd8fbd9b14118dc5f3154938dea5e09b67
SHA256e180c29ac921341ea0f815691b54ad9be3a641a63e61e95484b29ee5a61689dd
SHA512b818be57dbb8745d249d2e1df60f828291b2fd5ecbf9ecb81cefdf23c7967f2f29ba0a55e9c14976b0dce9bba38b21c485289a1d604790076878a6e402aa4183
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\Alxxhtcbfihhsgrufrohf.vbsMD5
cca8d8967121499be9bc6786f05395b1
SHA1e3efa150f6f8ab39d644a25d3cf6a00a9ebb984f
SHA25609caf8f5ac1c2b0df3b0536eff2c6dde65ae7864daabbd27a354f355958c8253
SHA5125904d292c20d797dc257a739abc6d418f92dd195c2f320e3dcf6e9f9167b22d966a3bf836adc721ab751ed96276807c48afeb4886308f7dec5e744b690e2c903
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exeMD5
5d4073b2eb6d217c19f2b22f21bf8d57
SHA1f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA5129ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exeMD5
5d4073b2eb6d217c19f2b22f21bf8d57
SHA1f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA5129ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\35317.exeMD5
5d4073b2eb6d217c19f2b22f21bf8d57
SHA1f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA5129ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\35317.exeMD5
5d4073b2eb6d217c19f2b22f21bf8d57
SHA1f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA5129ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159
-
C:\Users\Admin\AppData\Roaming\del.batMD5
2764a9a7cd90bc9bdbc8e6626b8748f0
SHA141e7eb5fc041bfa39fbcf4e5b1c3ae64a2e897a8
SHA256535281da7aaf13c97f697691324bab4204b55e2f1e28c5e4aca23c589f6f2171
SHA5120f04ede209554d0001189bfc6f9c06bf6b6acae984ffd371362ceeef0db91e926e5343f9db80f5addca3ab0683a7e6919f1ba91ec87e9d9101eb064c8dfe9306
-
memory/384-149-0x000001EC73A50000-0x000001EC73A72000-memory.dmpFilesize
136KB
-
memory/384-152-0x000001EC739D0000-0x000001EC739D2000-memory.dmpFilesize
8KB
-
memory/384-151-0x00007FFC829F3000-0x00007FFC829F5000-memory.dmpFilesize
8KB
-
memory/632-161-0x00000000003C0000-0x00000000003CC000-memory.dmpFilesize
48KB
-
memory/1852-135-0x00000000051E0000-0x00000000051E1000-memory.dmpFilesize
4KB
-
memory/1852-146-0x0000000000EB0000-0x0000000000F42000-memory.dmpFilesize
584KB
-
memory/1852-145-0x00000000062C0000-0x0000000006864000-memory.dmpFilesize
5.6MB
-
memory/1852-130-0x000000007448E000-0x000000007448F000-memory.dmpFilesize
4KB
-
memory/1852-131-0x0000000000710000-0x0000000000718000-memory.dmpFilesize
32KB
-
memory/2652-141-0x00000000066B0000-0x00000000066CE000-memory.dmpFilesize
120KB
-
memory/2652-133-0x0000000005860000-0x0000000005E88000-memory.dmpFilesize
6.2MB
-
memory/2652-143-0x0000000007F00000-0x000000000857A000-memory.dmpFilesize
6.5MB
-
memory/2652-132-0x00000000050E0000-0x0000000005116000-memory.dmpFilesize
216KB
-
memory/2652-142-0x0000000005225000-0x0000000005227000-memory.dmpFilesize
8KB
-
memory/2652-136-0x000000007448E000-0x000000007448F000-memory.dmpFilesize
4KB
-
memory/2652-138-0x0000000005220000-0x0000000005221000-memory.dmpFilesize
4KB
-
memory/2652-140-0x0000000005222000-0x0000000005223000-memory.dmpFilesize
4KB
-
memory/2652-144-0x0000000006BB0000-0x0000000006BCA000-memory.dmpFilesize
104KB
-
memory/2652-139-0x0000000006070000-0x00000000060D6000-memory.dmpFilesize
408KB
-
memory/2652-137-0x0000000006000000-0x0000000006066000-memory.dmpFilesize
408KB
-
memory/2652-134-0x0000000005700000-0x0000000005722000-memory.dmpFilesize
136KB
-
memory/3620-163-0x000000007448E000-0x000000007448F000-memory.dmpFilesize
4KB
-
memory/3620-172-0x0000000007960000-0x000000000796A000-memory.dmpFilesize
40KB
-
memory/3620-164-0x0000000004F50000-0x0000000004F51000-memory.dmpFilesize
4KB
-
memory/3620-165-0x0000000004F52000-0x0000000004F53000-memory.dmpFilesize
4KB
-
memory/3620-176-0x0000000007AE0000-0x0000000007AE8000-memory.dmpFilesize
32KB
-
memory/3620-167-0x0000000006BA0000-0x0000000006BD2000-memory.dmpFilesize
200KB
-
memory/3620-168-0x00000000713F0000-0x000000007143C000-memory.dmpFilesize
304KB
-
memory/3620-169-0x0000000006B60000-0x0000000006B7E000-memory.dmpFilesize
120KB
-
memory/3620-171-0x0000000004F55000-0x0000000004F57000-memory.dmpFilesize
8KB
-
memory/3620-170-0x000000007F9A0000-0x000000007F9A1000-memory.dmpFilesize
4KB
-
memory/3620-175-0x0000000007B00000-0x0000000007B1A000-memory.dmpFilesize
104KB
-
memory/3620-173-0x0000000007BA0000-0x0000000007C36000-memory.dmpFilesize
600KB
-
memory/3620-174-0x0000000006430000-0x000000000643E000-memory.dmpFilesize
56KB
-
memory/3644-158-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/3644-153-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB