saintbot | ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96

General

Target

ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe
Size

29KB
MD5

88d9e88e61e538f89688f26ab43fc3a5
SHA1

7e77b925973755da363ad876c31d3552e91ed725
SHA256

ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96
SHA512

f37fb5b200dc54ea2e0ac57e6ac9c0a3681e9c1fe2e17c0edebc9b457dfabc4e23075f54a2c8d783afa4227356c26f92a10eda1b6a5583d9a60928efe2b57cc8
SSDEEP

768:Jv9SiOBEcXWrfRsA0hNnuHmrhCOWo12vTzXTbH32:8Xqk6HDOWrzPm

Score

10^/10

saintbot discovery dropper persistence

Malware Config

Signatures

SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
dropper saintbot

SaintBot payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36989.exe	family_saintbot
behavioral1/memory/2712-20-0x0000000000080000-0x000000000008C000-memory.dmp	family_saintbot
behavioral1/memory/2712-22-0x0000000000080000-0x000000000008C000-memory.dmp	family_saintbot
behavioral1/memory/2712-23-0x0000000000080000-0x000000000008C000-memory.dmp	family_saintbot

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1320 cmd.exe

pid	process
1320	cmd.exe

Drops startup file 2 IoCs

Processes:

36989.exeac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36989.exe	36989.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36989.exe	ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe

Executes dropped EXE 1 IoCs

Processes:

36989.exe

pid process

2288 36989.exe
Loads dropped DLL 3 IoCs

Processes:

ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe36989.exeEhStorAuthn.exe

pid process

2020 ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe
2288 36989.exe
2712 EhStorAuthn.exe

pid	process
2288	36989.exe

pid	process
2020	ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe
2288	36989.exe
2712	EhStorAuthn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

EhStorAuthn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\z_Admin\\Admin.vbs"	EhStorAuthn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe36989.exeEhStorAuthn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	36989.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	36989.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	EhStorAuthn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe

Drops file in System32 directory 1 IoCs

Processes:

EhStorAuthn.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\EhStorAuthn.exe EhStorAuthn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe	EhStorAuthn.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EhStorAuthn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EhStorAuthn.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2652 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

EhStorAuthn.exe

description pid process

Token: SeDebugPrivilege 2712 EhStorAuthn.exe

pid	process
2652	PING.EXE

description	pid	process
Token: SeDebugPrivilege	2712	EhStorAuthn.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.execmd.exe36989.exe

description	pid	process	target process
PID 2020 wrote to memory of 2288	2020	ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe	36989.exe
PID 2020 wrote to memory of 2288	2020	ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe	36989.exe
PID 2020 wrote to memory of 2288	2020	ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe	36989.exe
PID 2020 wrote to memory of 2288	2020	ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe	36989.exe
PID 2020 wrote to memory of 1320	2020	ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe	cmd.exe
PID 2020 wrote to memory of 1320	2020	ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe	cmd.exe
PID 2020 wrote to memory of 1320	2020	ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe	cmd.exe
PID 2020 wrote to memory of 1320	2020	ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe	cmd.exe
PID 1320 wrote to memory of 2652	1320	cmd.exe	PING.EXE
PID 1320 wrote to memory of 2652	1320	cmd.exe	PING.EXE
PID 1320 wrote to memory of 2652	1320	cmd.exe	PING.EXE
PID 1320 wrote to memory of 2652	1320	cmd.exe	PING.EXE
PID 1320 wrote to memory of 2540	1320	cmd.exe	cmd.exe
PID 1320 wrote to memory of 2540	1320	cmd.exe	cmd.exe
PID 1320 wrote to memory of 2540	1320	cmd.exe	cmd.exe
PID 1320 wrote to memory of 2540	1320	cmd.exe	cmd.exe
PID 2288 wrote to memory of 2712	2288	36989.exe	EhStorAuthn.exe
PID 2288 wrote to memory of 2712	2288	36989.exe	EhStorAuthn.exe
PID 2288 wrote to memory of 2712	2288	36989.exe	EhStorAuthn.exe
PID 2288 wrote to memory of 2712	2288	36989.exe	EhStorAuthn.exe
PID 2288 wrote to memory of 2712	2288	36989.exe	EhStorAuthn.exe

C:\Users\Admin\AppData\Local\Temp\ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe
"C:\Users\Admin\AppData\Local\Temp\ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36989.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36989.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\EhStorAuthn.exe
    "C:\Windows\System32\EhStorAuthn.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\del.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
    3⤵
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
C:\Users\Admin\AppData\Roaming\del.bat

Filesize
170B

MD5
462f62f0909bb4094987c1f4bed77bbb

SHA1
e9ca0d414522cfcffae0491fd8beb6b0cd7a0e5b

SHA256
0867276cd132942c93c5c6882ec81e645d2c336aedd7f6a987aaa826ec1bb01b

SHA512
4ed460675630ffef36428cbc8d698f7450f6f0cb9188335af98572405d0539970af450139cb49a3c6de86b5b8060f98cb19c9df632d4734d8974c51d6932d105

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36989.exe

Filesize
29KB

MD5
88d9e88e61e538f89688f26ab43fc3a5

SHA1
7e77b925973755da363ad876c31d3552e91ed725

SHA256
ac38403a3188bfe31850a3710cdd1311abe9f7bdaa0e23add7eda61960572f96

SHA512
f37fb5b200dc54ea2e0ac57e6ac9c0a3681e9c1fe2e17c0edebc9b457dfabc4e23075f54a2c8d783afa4227356c26f92a10eda1b6a5583d9a60928efe2b57cc8

Download Submit
memory/2712-20-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/2712-22-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/2712-23-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads