Analysis
-
max time kernel
147s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
06-03-2022 17:56
General
-
Target
91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
-
Size
181KB
-
MD5
a115d8a1ec2c5e1a95de6e5174234620
-
SHA1
488b8136823221cedf7749ebd27a296441d022f6
-
SHA256
91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94
-
SHA512
983457e5de16fb9d5bbb0e4629aac76b08057da5d3742b644f4e9ac4f96f56f83532a0155f39d14b0e4254b7b8c95e94b38ffe08f9fca958d511118bdae8923c
Score
10/10
Malware Config
Signatures
-
SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
-
SaintBot Payload 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 49 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe"C:\Users\Admin\AppData\Local\Temp\91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lgfmyvtomp.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Wmwzygtmuexmtrashhold.exe"C:\Users\Admin\AppData\Local\Temp\Wmwzygtmuexmtrashhold.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1048 -s 14844⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exeC:\Users\Admin\AppData\Local\Temp\91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe2⤵
- Checks computer location settings
- Drops startup file
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13309.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13309.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lgfmyvtomp.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Wmwzygtmuexmtrashhold.exe"C:\Users\Admin\AppData\Local\Temp\Wmwzygtmuexmtrashhold.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2140 -s 14606⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\13309.exeC:\Users\Admin\AppData\Local\Temp\13309.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dfrgui.exe"C:\Windows\system32\dfrgui.exe"5⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Update" /tr "%SYSTEMDRIVE%\Users\%USERNAME%\AppData\Local\zz%USERNAME%\%USERNAME%.vbs" /F6⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 34⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\cmd.execmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"4⤵
-
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 184 -p 1048 -ip 10481⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 180 -p 2140 -ip 21401⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10.8MB
-
Filesize
232KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
44KB
-
Filesize
44KB