saintbot | e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c

General

Target

e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe
Size

30KB
MD5

ab2a92e0fc5a6f63336e442f34089f16
SHA1

24f71409bde9d01e3519236e66f3452236302e46
SHA256

e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c
SHA512

50a7e2d4454bd3914cf55fe188f920e08b895c16b9eee498aea2cb71944caf3a3c1266d3b73046179412fd996dfaf48f03fdb39d5662310aa7859faa29d7970e

Score

10^/10

saintbot discovery dropper persistence

Malware Config

Signatures

SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
dropper saintbot

SaintBot Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/680-64-0x0000000000080000-0x000000000008B000-memory.dmp	family_saintbot

Executes dropped EXE 1 IoCs

Processes:

42866.exe

pid process

516 42866.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

668 cmd.exe

pid	process
516	42866.exe

pid	process
668	cmd.exe

Drops startup file 2 IoCs

Processes:

e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe42866.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42866.exe	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42866.exe	42866.exe

Loads dropped DLL 3 IoCs

Processes:

e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe42866.exedfrgui.exe

pid process

1104 e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe
516 42866.exe
680 dfrgui.exe

pid	process
1104	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe
516	42866.exe
680	dfrgui.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dfrgui.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\zzAdmin\\Admin.vbs"	dfrgui.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe42866.exedfrgui.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\start /b "" cmd /c del "%~f0"&exit /b	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	42866.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\start /b "" cmd /c del "%~f0"&exit /b	42866.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	dfrgui.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\start /b "" cmd /c del "%~f0"&exit /b	dfrgui.exe

Drops file in System32 directory 1 IoCs

Processes:

dfrgui.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\dfrgui.exe dfrgui.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dfrgui.exe	dfrgui.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dfrgui.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dfrgui.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dfrgui.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1964 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

556 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

42866.exe

pid process

516 42866.exe

pid	process
1964	schtasks.exe

pid	process
556	PING.EXE

pid	process
516	42866.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe42866.execmd.exedfrgui.exe

description	pid	process	target process
PID 1104 wrote to memory of 516	1104	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe	42866.exe
PID 1104 wrote to memory of 516	1104	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe	42866.exe
PID 1104 wrote to memory of 516	1104	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe	42866.exe
PID 1104 wrote to memory of 516	1104	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe	42866.exe
PID 1104 wrote to memory of 668	1104	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe	cmd.exe
PID 1104 wrote to memory of 668	1104	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe	cmd.exe
PID 1104 wrote to memory of 668	1104	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe	cmd.exe
PID 1104 wrote to memory of 668	1104	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe	cmd.exe
PID 516 wrote to memory of 680	516	42866.exe	dfrgui.exe
PID 516 wrote to memory of 680	516	42866.exe	dfrgui.exe
PID 516 wrote to memory of 680	516	42866.exe	dfrgui.exe
PID 516 wrote to memory of 680	516	42866.exe	dfrgui.exe
PID 668 wrote to memory of 556	668	cmd.exe	PING.EXE
PID 668 wrote to memory of 556	668	cmd.exe	PING.EXE
PID 668 wrote to memory of 556	668	cmd.exe	PING.EXE
PID 668 wrote to memory of 556	668	cmd.exe	PING.EXE
PID 516 wrote to memory of 680	516	42866.exe	dfrgui.exe
PID 668 wrote to memory of 1736	668	cmd.exe	cmd.exe
PID 668 wrote to memory of 1736	668	cmd.exe	cmd.exe
PID 668 wrote to memory of 1736	668	cmd.exe	cmd.exe
PID 668 wrote to memory of 1736	668	cmd.exe	cmd.exe
PID 680 wrote to memory of 1964	680	dfrgui.exe	schtasks.exe
PID 680 wrote to memory of 1964	680	dfrgui.exe	schtasks.exe
PID 680 wrote to memory of 1964	680	dfrgui.exe	schtasks.exe
PID 680 wrote to memory of 1964	680	dfrgui.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe
"C:\Users\Admin\AppData\Local\Temp\e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42866.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42866.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\SysWOW64\dfrgui.exe
    "C:\Windows\system32\dfrgui.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Update" /tr "%SYSTEMDRIVE%\Users\%USERNAME%\AppData\Local\zz%USERNAME%\%USERNAME%.vbs" /F
      4⤵
      Creates scheduled task(s)
      PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\del.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
    3⤵
    PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\zzAdmin\slideshow.mp4

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42866.exe

MD5
ab2a92e0fc5a6f63336e442f34089f16

SHA1
24f71409bde9d01e3519236e66f3452236302e46

SHA256
e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c

SHA512
50a7e2d4454bd3914cf55fe188f920e08b895c16b9eee498aea2cb71944caf3a3c1266d3b73046179412fd996dfaf48f03fdb39d5662310aa7859faa29d7970e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42866.exe

MD5
ab2a92e0fc5a6f63336e442f34089f16

SHA1
24f71409bde9d01e3519236e66f3452236302e46

SHA256
e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c

SHA512
50a7e2d4454bd3914cf55fe188f920e08b895c16b9eee498aea2cb71944caf3a3c1266d3b73046179412fd996dfaf48f03fdb39d5662310aa7859faa29d7970e

Download Submit
C:\Users\Admin\AppData\Roaming\del.bat

MD5
1693d297bdc94f2cb18c8a5d2ef2e095

SHA1
7a3b9d25c9947ce464f27d80c490e2c444f9d288

SHA256
4dd249adcdf2c6dd61f8ad96712f1f125e6c7875874b4790bef1c257a0cb1203

SHA512
0983020c73d8251d150c50ec0d03c96e07bb0d6701ae21bdd47a50b6ebdd115a7d8671100c18c1a33019f84598381e6a6895419aa9d6374924bf0583d816919a

Download Submit
\Users\Admin\AppData\Local\zzAdmin\slideshow.mp4

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\zzAdmin\slideshow.mp4

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42866.exe

MD5
ab2a92e0fc5a6f63336e442f34089f16

SHA1
24f71409bde9d01e3519236e66f3452236302e46

SHA256
e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c

SHA512
50a7e2d4454bd3914cf55fe188f920e08b895c16b9eee498aea2cb71944caf3a3c1266d3b73046179412fd996dfaf48f03fdb39d5662310aa7859faa29d7970e

Download Submit
memory/680-64-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1104-54-0x0000000075CC1000-0x0000000075CC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads