saintbot | 75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d

General

Target

75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe
Size

600KB
MD5

363e2b62f93c58c177e58dbe0a247fa0
SHA1

e8abab85ccbaf646305aa5a786c0894d59bdcfd1
SHA256

75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d
SHA512

167734875f50d7e5cfa2ea8515b492d6ad18c5bc9ba881bbde520f0d0b79300af61c5bb42860fb613348933415d0518933d41e50ae837a8d5796d50b533932a3
SSDEEP

12288:hG5zC9ttHHIE8GlfXsIY8yMCa5XfP1D4+AAg6O:YcBDlPS8yM3XSmgZ

Score

10^/10

saintbot discovery dropper

Malware Config

Signatures

SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
dropper saintbot

SaintBot payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2584-28-0x0000000000400000-0x000000000040B000-memory.dmp	family_saintbot

Drops startup file 1 IoCs

Processes:

AddInProcess32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Proofing (English) 2010.exe	AddInProcess32.exe

Executes dropped EXE 2 IoCs

Processes:

AddInProcess32.exeMicrosoft Office Proofing (English) 2010.exe

pid process

2584 AddInProcess32.exe
2484 Microsoft Office Proofing (English) 2010.exe
Loads dropped DLL 2 IoCs

Processes:

75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exeAddInProcess32.exe

pid process

2064 75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe
2584 AddInProcess32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2584	AddInProcess32.exe
2484	Microsoft Office Proofing (English) 2010.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	AddInProcess32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\start /b "" cmd /c del "%~f0"&exit /b	AddInProcess32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe

description	pid	process	target process
PID 2064 set thread context of 2584	2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe	AddInProcess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2888 PING.EXE

pid	process
2888	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe

pid	process
2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe
2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe
2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe
2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe

description pid process

Token: SeDebugPrivilege 2064 75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe

description	pid	process
Token: SeDebugPrivilege	2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exeAddInProcess32.execmd.exe

description	pid	process	target process
PID 2064 wrote to memory of 2584	2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe	AddInProcess32.exe
PID 2064 wrote to memory of 2584	2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe	AddInProcess32.exe
PID 2064 wrote to memory of 2584	2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe	AddInProcess32.exe
PID 2064 wrote to memory of 2584	2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe	AddInProcess32.exe
PID 2064 wrote to memory of 2584	2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe	AddInProcess32.exe
PID 2064 wrote to memory of 2584	2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe	AddInProcess32.exe
PID 2064 wrote to memory of 2584	2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe	AddInProcess32.exe
PID 2064 wrote to memory of 2584	2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe	AddInProcess32.exe
PID 2064 wrote to memory of 2584	2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe	AddInProcess32.exe
PID 2064 wrote to memory of 2584	2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe	AddInProcess32.exe
PID 2064 wrote to memory of 2584	2064	75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe	AddInProcess32.exe
PID 2584 wrote to memory of 2484	2584	AddInProcess32.exe	Microsoft Office Proofing (English) 2010.exe
PID 2584 wrote to memory of 2484	2584	AddInProcess32.exe	Microsoft Office Proofing (English) 2010.exe
PID 2584 wrote to memory of 2484	2584	AddInProcess32.exe	Microsoft Office Proofing (English) 2010.exe
PID 2584 wrote to memory of 2484	2584	AddInProcess32.exe	Microsoft Office Proofing (English) 2010.exe
PID 2584 wrote to memory of 2500	2584	AddInProcess32.exe	cmd.exe
PID 2584 wrote to memory of 2500	2584	AddInProcess32.exe	cmd.exe
PID 2584 wrote to memory of 2500	2584	AddInProcess32.exe	cmd.exe
PID 2584 wrote to memory of 2500	2584	AddInProcess32.exe	cmd.exe
PID 2500 wrote to memory of 2888	2500	cmd.exe	PING.EXE
PID 2500 wrote to memory of 2888	2500	cmd.exe	PING.EXE
PID 2500 wrote to memory of 2888	2500	cmd.exe	PING.EXE
PID 2500 wrote to memory of 2888	2500	cmd.exe	PING.EXE
PID 2500 wrote to memory of 2764	2500	cmd.exe	cmd.exe
PID 2500 wrote to memory of 2764	2500	cmd.exe	cmd.exe
PID 2500 wrote to memory of 2764	2500	cmd.exe	cmd.exe
PID 2500 wrote to memory of 2764	2500	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe
"C:\Users\Admin\AppData\Local\Temp\75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Proofing (English) 2010.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Proofing (English) 2010.exe"
    3⤵
    - Executes dropped EXE
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Roaming\del.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:2888
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
      4⤵
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\del.bat

Filesize
119B

MD5
090c838b290ce94aec6f5025eb49d216

SHA1
cceb7486d7e6a96ae98e6d9794d3d52857080189

SHA256
8db0f0d6b648808cf96ebd007cf6f48a96c14d5357352a09a4aaf19854e8dc64

SHA512
497f99d07e88f75c1657254479607c2338727f95d7b4e531ad5735c2b160bd4a10854b82bc175d1b00e1ee150de8835538493902603348f66dc465953ace73b2

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
memory/2064-3-0x0000000000260000-0x0000000000292000-memory.dmp

Filesize
200KB

Download
memory/2064-29-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-4-0x0000000000320000-0x0000000000336000-memory.dmp

Filesize
88KB

Download
memory/2064-6-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-7-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/2064-8-0x0000000000530000-0x000000000054A000-memory.dmp

Filesize
104KB

Download
memory/2064-9-0x0000000000690000-0x0000000000696000-memory.dmp

Filesize
24KB

Download
memory/2064-2-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/2064-0-0x0000000000F20000-0x0000000000FB6000-memory.dmp

Filesize
600KB

Download
memory/2064-1-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2484-45-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2484-43-0x0000000001000000-0x000000000100C000-memory.dmp

Filesize
48KB

Download
memory/2584-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-18-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-21-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-17-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-28-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-16-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-15-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-14-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads