saintbot | 921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316

General

Target

921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
Size

184KB
MD5

1c43b6c7834535beaaaba7d0c17074e2
SHA1

12c7b40ea9b29e5c0df5e8c97b7228fcccd317a5
SHA256

921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316
SHA512

81d2c1940fce734a1d2e3686dfb8c56e8630db7134f4d747910c47ac925132762284554f984d4d8bcd354d64fab50073d640419b41612ca8ea1a88c79eb6cc31

Score

10^/10

saintbot discovery dropper

Malware Config

Signatures

SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
dropper saintbot

SaintBot Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2952-139-0x0000000000400000-0x000000000040B000-memory.dmp	family_saintbot

Executes dropped EXE 2 IoCs

Processes:

Pjtwurqbviaetrashhold.exe5787.exe

pid process

4084 Pjtwurqbviaetrashhold.exe
1340 5787.exe

pid	process
4084	Pjtwurqbviaetrashhold.exe
1340	5787.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exeWScript.exe921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

Drops startup file 1 IoCs

Processes:

921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5787.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\start /b "" cmd /c del "%~f0"&exit /b	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

description	pid	process	target process
PID 868 set thread context of 2952	868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3000 PING.EXE

pid	process
3000	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

pid	process
868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

description pid process

Token: SeDebugPrivilege 868 921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

description	pid	process
Token: SeDebugPrivilege	868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exeWScript.exe921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.execmd.exe

description	pid	process	target process
PID 868 wrote to memory of 3984	868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	WScript.exe
PID 868 wrote to memory of 3984	868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	WScript.exe
PID 868 wrote to memory of 3984	868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	WScript.exe
PID 3984 wrote to memory of 4084	3984	WScript.exe	Pjtwurqbviaetrashhold.exe
PID 3984 wrote to memory of 4084	3984	WScript.exe	Pjtwurqbviaetrashhold.exe
PID 868 wrote to memory of 2952	868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 868 wrote to memory of 2952	868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 868 wrote to memory of 2952	868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 868 wrote to memory of 2952	868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 868 wrote to memory of 2952	868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 868 wrote to memory of 2952	868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 868 wrote to memory of 2952	868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 868 wrote to memory of 2952	868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 868 wrote to memory of 2952	868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 868 wrote to memory of 2952	868	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 2952 wrote to memory of 1340	2952	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	5787.exe
PID 2952 wrote to memory of 1340	2952	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	5787.exe
PID 2952 wrote to memory of 1340	2952	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	5787.exe
PID 2952 wrote to memory of 1656	2952	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	cmd.exe
PID 2952 wrote to memory of 1656	2952	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	cmd.exe
PID 2952 wrote to memory of 1656	2952	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	cmd.exe
PID 1656 wrote to memory of 3000	1656	cmd.exe	PING.EXE
PID 1656 wrote to memory of 3000	1656	cmd.exe	PING.EXE
PID 1656 wrote to memory of 3000	1656	cmd.exe	PING.EXE
PID 1656 wrote to memory of 3320	1656	cmd.exe	cmd.exe
PID 1656 wrote to memory of 3320	1656	cmd.exe	cmd.exe
PID 1656 wrote to memory of 3320	1656	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
"C:\Users\Admin\AppData\Local\Temp\921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Eccxgvlylxal.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\Pjtwurqbviaetrashhold.exe
    "C:\Users\Admin\AppData\Local\Temp\Pjtwurqbviaetrashhold.exe"
    3⤵
    - Executes dropped EXE
    PID:4084
- C:\Users\Admin\AppData\Local\Temp\921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
  C:\Users\Admin\AppData\Local\Temp\921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5787.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5787.exe"
    3⤵
    - Executes dropped EXE
    PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:3000
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
      4⤵
      PID:3320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Eccxgvlylxal.vbs

MD5
f9813a5a9147bf802d215050d774bbc8

SHA1
651ff39e3399593e2b404ca2a86afe44e4aac4ce

SHA256
f459d914778338db0b43f3de45edbbc23c80b71f875b5dc440769d1a212049ef

SHA512
98ea6ef51953f00c9a7df6bb089cd58a75ac91d49d3880da8fdfdf5e9ca23daafd18e00923be047aa234587b6f64e8038cebe7926aabbd4c2880a8c1e0f04eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pjtwurqbviaetrashhold.exe

MD5
6908f63bb5041265f3b16027d49a701c

SHA1
ad52889f12842366abdd4399c0e8331f73757b7a

SHA256
23ecd17d27fed46a9b78f884086c54ed3f5ee9994ee3fcf2cd037b4db623d63b

SHA512
e0de9150dcf60c29db12108cca59d5a284eed6107563d1159b0e1a1cf2407ddaf4f5a46d3f1c3c936989b13dc4489dd5e15b8cefc095a06a5b7bf5e0886b6d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pjtwurqbviaetrashhold.exe

MD5
6908f63bb5041265f3b16027d49a701c

SHA1
ad52889f12842366abdd4399c0e8331f73757b7a

SHA256
23ecd17d27fed46a9b78f884086c54ed3f5ee9994ee3fcf2cd037b4db623d63b

SHA512
e0de9150dcf60c29db12108cca59d5a284eed6107563d1159b0e1a1cf2407ddaf4f5a46d3f1c3c936989b13dc4489dd5e15b8cefc095a06a5b7bf5e0886b6d57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5787.exe

MD5
1c43b6c7834535beaaaba7d0c17074e2

SHA1
12c7b40ea9b29e5c0df5e8c97b7228fcccd317a5

SHA256
921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316

SHA512
81d2c1940fce734a1d2e3686dfb8c56e8630db7134f4d747910c47ac925132762284554f984d4d8bcd354d64fab50073d640419b41612ca8ea1a88c79eb6cc31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5787.exe

MD5
1c43b6c7834535beaaaba7d0c17074e2

SHA1
12c7b40ea9b29e5c0df5e8c97b7228fcccd317a5

SHA256
921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316

SHA512
81d2c1940fce734a1d2e3686dfb8c56e8630db7134f4d747910c47ac925132762284554f984d4d8bcd354d64fab50073d640419b41612ca8ea1a88c79eb6cc31

Download Submit
C:\Users\Admin\AppData\Roaming\del.bat

MD5
2a35d5a67b7b4879a779aa5a1aeedeaa

SHA1
118af98c4e6da3a9c993d0367135cf84e14a9291

SHA256
6b84062644596363e6cbf74a5ff0b6cdc85ffe2e0d6cf5463da51efebb26ab42

SHA512
d04af39a0c8085617f453746290cc8c65fa0fb6a7b51a94a7a1fe3d9b2e9ec8fed07e4efa791f50a5fdb507486234f5125e1613ccb28d2d6fca326ef58b50e60

Download Submit
memory/868-131-0x0000000000C80000-0x0000000000CB4000-memory.dmp

Filesize
208KB

Download
memory/868-132-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/868-130-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/1340-142-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/1340-143-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/2952-139-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2952-138-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4084-137-0x00007FFE67010000-0x00007FFE67AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-136-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads