saintbot | 4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2

General

Target

4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe
Size

243KB
MD5

fe6663b00d94a8106c07b4a951522266
SHA1

24492ca47b178e1990c4e5bd684547bb62bfad7a
SHA256

4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2
SHA512

9f5dcb078ea1dd32b4208f077571bd867fdf1beb81405df094e676751b47bdf3f619e16178afd21f2d030ba862ddf272074c931674834bea532273bbfef58388
SSDEEP

6144:EoTtCga1oYMLQioa3Q7JC2U38hO0YTPJx:Eo0ga1w3oa3yf9k1Jx

Score

10^/10

saintbot discovery dropper persistence

Malware Config

Signatures

SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
dropper saintbot

SaintBot payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2180-3-0x0000000000020000-0x0000000000029000-memory.dmp	family_saintbot
behavioral1/memory/2180-2-0x0000000000400000-0x000000000046A000-memory.dmp	family_saintbot
behavioral1/memory/2180-23-0x0000000000400000-0x000000000046A000-memory.dmp	family_saintbot
behavioral1/memory/2396-27-0x0000000000400000-0x000000000046A000-memory.dmp	family_saintbot
behavioral1/memory/2396-26-0x00000000002B0000-0x00000000003B0000-memory.dmp	family_saintbot
behavioral1/memory/2396-31-0x0000000000400000-0x000000000046A000-memory.dmp	family_saintbot
behavioral1/memory/2988-33-0x00000000000C0000-0x00000000000CB000-memory.dmp	family_saintbot
behavioral1/memory/2988-35-0x00000000000C0000-0x00000000000CB000-memory.dmp	family_saintbot
behavioral1/memory/2988-36-0x00000000000C0000-0x00000000000CB000-memory.dmp	family_saintbot

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1728 cmd.exe

pid	process
1728	cmd.exe

Drops startup file 2 IoCs

Processes:

4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe47819.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47819.exe	4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47819.exe	47819.exe

Executes dropped EXE 1 IoCs

Processes:

47819.exe

pid process

2396 47819.exe

pid	process
2396	47819.exe

Loads dropped DLL 4 IoCs

Processes:

4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe47819.exeEhStorAuthn.exe

pid	process
2180	4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe
2180	4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe
2396	47819.exe
2988	EhStorAuthn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

EhStorAuthn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\z_Admin\\Admin.vbs"	EhStorAuthn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

47819.exeEhStorAuthn.exe4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	47819.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	47819.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	EhStorAuthn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe

Drops file in System32 directory 1 IoCs

Processes:

EhStorAuthn.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\EhStorAuthn.exe EhStorAuthn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe	EhStorAuthn.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EhStorAuthn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EhStorAuthn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EhStorAuthn.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2568 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2800 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

47819.exe

pid process

2396 47819.exe

pid	process
2568	schtasks.exe

pid	process
2800	PING.EXE

pid	process
2396	47819.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.execmd.exe47819.exeEhStorAuthn.exe

description	pid	process	target process
PID 2180 wrote to memory of 2396	2180	4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe	47819.exe
PID 2180 wrote to memory of 2396	2180	4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe	47819.exe
PID 2180 wrote to memory of 2396	2180	4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe	47819.exe
PID 2180 wrote to memory of 2396	2180	4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe	47819.exe
PID 2180 wrote to memory of 1728	2180	4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe	cmd.exe
PID 2180 wrote to memory of 1728	2180	4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe	cmd.exe
PID 2180 wrote to memory of 1728	2180	4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe	cmd.exe
PID 2180 wrote to memory of 1728	2180	4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe	cmd.exe
PID 1728 wrote to memory of 2800	1728	cmd.exe	PING.EXE
PID 1728 wrote to memory of 2800	1728	cmd.exe	PING.EXE
PID 1728 wrote to memory of 2800	1728	cmd.exe	PING.EXE
PID 1728 wrote to memory of 2800	1728	cmd.exe	PING.EXE
PID 1728 wrote to memory of 1872	1728	cmd.exe	cmd.exe
PID 1728 wrote to memory of 1872	1728	cmd.exe	cmd.exe
PID 1728 wrote to memory of 1872	1728	cmd.exe	cmd.exe
PID 1728 wrote to memory of 1872	1728	cmd.exe	cmd.exe
PID 2396 wrote to memory of 2988	2396	47819.exe	EhStorAuthn.exe
PID 2396 wrote to memory of 2988	2396	47819.exe	EhStorAuthn.exe
PID 2396 wrote to memory of 2988	2396	47819.exe	EhStorAuthn.exe
PID 2396 wrote to memory of 2988	2396	47819.exe	EhStorAuthn.exe
PID 2396 wrote to memory of 2988	2396	47819.exe	EhStorAuthn.exe
PID 2988 wrote to memory of 2568	2988	EhStorAuthn.exe	schtasks.exe
PID 2988 wrote to memory of 2568	2988	EhStorAuthn.exe	schtasks.exe
PID 2988 wrote to memory of 2568	2988	EhStorAuthn.exe	schtasks.exe
PID 2988 wrote to memory of 2568	2988	EhStorAuthn.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe
"C:\Users\Admin\AppData\Local\Temp\4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47819.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47819.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\EhStorAuthn.exe
    "C:\Windows\System32\EhStorAuthn.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Maintenance" /tr "C:\Users\%USERNAME%\AppData\Local\z_%USERNAME%\%USERNAME%.vbs" /F
      4⤵
      Creates scheduled task(s)
      PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\del.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
    3⤵
    PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47819.exe

Filesize
243KB

MD5
fe6663b00d94a8106c07b4a951522266

SHA1
24492ca47b178e1990c4e5bd684547bb62bfad7a

SHA256
4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2

SHA512
9f5dcb078ea1dd32b4208f077571bd867fdf1beb81405df094e676751b47bdf3f619e16178afd21f2d030ba862ddf272074c931674834bea532273bbfef58388

Download Submit
C:\Users\Admin\AppData\Roaming\del.bat

Filesize
170B

MD5
32248b69d36e554d503eaf519da833bb

SHA1
855a2bc8e3e4fa7d09bc91a8d9673e5db2da250b

SHA256
b084852157912c350ea4ed104da51b09b74bfb46d85d8bac20ef4a0fa54ca5cd

SHA512
662168203f2e1a6a714341b57c4acc7fa2bb1e61fb7c3584d0780d8ac1b015b9f46acf12c8f47debbbe36e9901b1d9db5a326df91239c00c198bb56c9f9df59e

Download Submit
memory/2180-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2180-1-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-23-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2180-3-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2396-27-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2396-26-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2396-31-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2988-33-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/2988-35-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/2988-36-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads