saintbot | 50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58

Analysis

max time kernel
155s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
10-03-2022 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe
Size

876KB
MD5

c56f66280de5fe29f75e72525ac54fe1
SHA1

79928f9c7ed0cea9850bf98db365ee59371399e3
SHA256

50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58
SHA512

f65bdfd1e58440ed6febb95b07d5a8e9afafe28a322ae78fa79228be5a9ae48e6064c8d304d8008eb4d3b8d468a5c9f1162dd1e0eb47d43daa018dee864b995e

Score

10^/10

saintbot discovery dropper evasion

Malware Config

Signatures

SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
dropper saintbot

SaintBot Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2948-154-0x0000000000400000-0x000000000040B000-memory.dmp	family_saintbot

Nirsoft 2 IoCs

resource	yara_rule
behavioral2/files/0x001a00000001dacc-134.dat	Nirsoft
behavioral2/files/0x001a00000001dacc-135.dat	Nirsoft

Executes dropped EXE 4 IoCs

pid	Process
2072	AdvancedRun.exe
1896	AdvancedRun.exe
2560	Wrvqtyoyuopenbullet.exe
3236	27742.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\27742.exe	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2248 set thread context of 2948	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	72

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1272	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2072	AdvancedRun.exe
2072	AdvancedRun.exe
2072	AdvancedRun.exe
2072	AdvancedRun.exe
1896	AdvancedRun.exe
1896	AdvancedRun.exe
1896	AdvancedRun.exe
1896	AdvancedRun.exe
2460	powershell.exe
2460	powershell.exe
2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe
2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe
Token: SeDebugPrivilege	2072	AdvancedRun.exe
Token: SeImpersonatePrivilege	2072	AdvancedRun.exe
Token: SeDebugPrivilege	1896	AdvancedRun.exe
Token: SeImpersonatePrivilege	1896	AdvancedRun.exe
Token: SeDebugPrivilege	2460	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2072	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	63
PID 2248 wrote to memory of 2072	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	63
PID 2248 wrote to memory of 2072	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	63
PID 2248 wrote to memory of 1896	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	67
PID 2248 wrote to memory of 1896	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	67
PID 2248 wrote to memory of 1896	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	67
PID 2248 wrote to memory of 2896	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	70
PID 2248 wrote to memory of 2896	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	70
PID 2248 wrote to memory of 2896	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	70
PID 2896 wrote to memory of 2560	2896	WScript.exe	71
PID 2896 wrote to memory of 2560	2896	WScript.exe	71
PID 2896 wrote to memory of 2560	2896	WScript.exe	71
PID 2248 wrote to memory of 2948	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	72
PID 2248 wrote to memory of 2948	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	72
PID 2248 wrote to memory of 2948	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	72
PID 2248 wrote to memory of 2948	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	72
PID 2248 wrote to memory of 2948	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	72
PID 2248 wrote to memory of 2948	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	72
PID 2248 wrote to memory of 2948	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	72
PID 2248 wrote to memory of 2948	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	72
PID 2248 wrote to memory of 2948	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	72
PID 2248 wrote to memory of 2948	2248	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	72
PID 2948 wrote to memory of 3236	2948	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	73
PID 2948 wrote to memory of 3236	2948	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	73
PID 2948 wrote to memory of 3236	2948	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	73
PID 2948 wrote to memory of 272	2948	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	74
PID 2948 wrote to memory of 272	2948	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	74
PID 2948 wrote to memory of 272	2948	50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe	74
PID 272 wrote to memory of 1272	272	cmd.exe	76
PID 272 wrote to memory of 1272	272	cmd.exe	76
PID 272 wrote to memory of 1272	272	cmd.exe	76
PID 272 wrote to memory of 2952	272	cmd.exe	77
PID 272 wrote to memory of 2952	272	cmd.exe	77
PID 272 wrote to memory of 2952	272	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe
"C:\Users\Admin\AppData\Local\Temp\50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" stop WinDefend
    3⤵
    PID:3448
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Sqsxfhynivxwpl.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\Wrvqtyoyuopenbullet.exe
    "C:\Users\Admin\AppData\Local\Temp\Wrvqtyoyuopenbullet.exe"
    3⤵
    - Executes dropped EXE
    PID:2560
- C:\Users\Admin\AppData\Local\Temp\50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe
  C:\Users\Admin\AppData\Local\Temp\50d95caf72714020836b397fbbbb75e01a5732114bcd51aeae9e36d12b93ed58.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\27742.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\27742.exe"
    3⤵
    - Executes dropped EXE
    PID:3236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:272
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:1272
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
      4⤵
      PID:2952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2248-132-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/2248-130-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/2248-131-0x0000000000540000-0x0000000000620000-memory.dmp

Filesize
896KB

Download
memory/2248-133-0x00000000058C0000-0x0000000005E64000-memory.dmp

Filesize
5.6MB

Download
memory/2460-146-0x00000265CF076000-0x00000265CF078000-memory.dmp

Filesize
8KB

Download
memory/2460-140-0x00000265CF720000-0x00000265CF742000-memory.dmp

Filesize
136KB

Download
memory/2460-145-0x00000265CF073000-0x00000265CF075000-memory.dmp

Filesize
8KB

Download
memory/2460-143-0x00007FFAB0410000-0x00007FFAB0ED1000-memory.dmp

Filesize
10.8MB

Download
memory/2460-144-0x00000265CF070000-0x00000265CF072000-memory.dmp

Filesize
8KB

Download
memory/2560-151-0x00000000005A0000-0x00000000006C8000-memory.dmp

Filesize
1.2MB

Download
memory/2560-152-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/2560-160-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/2948-153-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2948-154-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3236-159-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/3236-158-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download