saintbot | 5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13

General

Target

5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
Size

501KB
MD5

a7913461e211158d5ac34ac3bd06bc7b
SHA1

71c3f7a9eac34b0b5ccd5ec2df01f9c95f14235b
SHA256

5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13
SHA512

8107feec4426f820d3910e35d6e3c1a1aa85a104231a0529f7fcd825f2dfec10fbf856bc2b37c585a34f5d03b514ece7f54b600add6fb668cda0c7d1a7374e04
SSDEEP

6144:9moTTLsn36PcB1jtNSHoLR0XbZEpGidU7H6MFkc6iTISTas6oe2wgaMzHXDvVGLn:EoFPoJ3Su0lEpGiexs6asFPw2zvVe

Score

10^/10

saintbot discovery dropper

Malware Config

Signatures

SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
dropper saintbot

SaintBot payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2660-13-0x0000000000400000-0x000000000040C000-memory.dmp	family_saintbot
behavioral1/memory/2660-15-0x0000000000400000-0x000000000040C000-memory.dmp	family_saintbot
behavioral1/memory/2660-17-0x0000000000400000-0x000000000040C000-memory.dmp	family_saintbot
behavioral1/memory/2660-21-0x0000000000400000-0x000000000040C000-memory.dmp	family_saintbot
behavioral1/memory/2660-23-0x0000000000400000-0x000000000040C000-memory.dmp	family_saintbot
behavioral1/memory/2660-41-0x0000000000400000-0x000000000040C000-memory.dmp	family_saintbot

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2532 cmd.exe

pid	process
2532	cmd.exe

Drops startup file 1 IoCs

Processes:

5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Outlook MUI (English) 2010.exe	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe

Executes dropped EXE 2 IoCs

Processes:

Microsoft Office Outlook MUI (English) 2010.exeMicrosoft Office Outlook MUI (English) 2010.exe

pid process

2680 Microsoft Office Outlook MUI (English) 2010.exe
2352 Microsoft Office Outlook MUI (English) 2010.exe

pid	process
2680	Microsoft Office Outlook MUI (English) 2010.exe
2352	Microsoft Office Outlook MUI (English) 2010.exe

Loads dropped DLL 8 IoCs

Processes:

5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exeWerFault.exe

pid	process
2660	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
1960	WerFault.exe
1960	WerFault.exe
1960	WerFault.exe
1960	WerFault.exe
1960	WerFault.exe
1960	WerFault.exe
1960	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exeMicrosoft Office Outlook MUI (English) 2010.exe

description	pid	process	target process
PID 2112 set thread context of 2660	2112	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
PID 2680 set thread context of 2352	2680	Microsoft Office Outlook MUI (English) 2010.exe	Microsoft Office Outlook MUI (English) 2010.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1960 2352 WerFault.exe Microsoft Office Outlook MUI (English) 2010.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2928 PING.EXE

pid	pid_target	process	target process
1960	2352	WerFault.exe	Microsoft Office Outlook MUI (English) 2010.exe

pid	process
2928	PING.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.execmd.exeMicrosoft Office Outlook MUI (English) 2010.exeMicrosoft Office Outlook MUI (English) 2010.exe

description	pid	process	target process
PID 2112 wrote to memory of 2660	2112	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
PID 2112 wrote to memory of 2660	2112	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
PID 2112 wrote to memory of 2660	2112	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
PID 2112 wrote to memory of 2660	2112	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
PID 2112 wrote to memory of 2660	2112	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
PID 2112 wrote to memory of 2660	2112	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
PID 2112 wrote to memory of 2660	2112	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
PID 2112 wrote to memory of 2660	2112	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
PID 2112 wrote to memory of 2660	2112	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
PID 2112 wrote to memory of 2660	2112	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
PID 2112 wrote to memory of 2660	2112	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
PID 2660 wrote to memory of 2680	2660	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	Microsoft Office Outlook MUI (English) 2010.exe
PID 2660 wrote to memory of 2680	2660	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	Microsoft Office Outlook MUI (English) 2010.exe
PID 2660 wrote to memory of 2680	2660	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	Microsoft Office Outlook MUI (English) 2010.exe
PID 2660 wrote to memory of 2680	2660	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	Microsoft Office Outlook MUI (English) 2010.exe
PID 2660 wrote to memory of 2532	2660	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	cmd.exe
PID 2660 wrote to memory of 2532	2660	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	cmd.exe
PID 2660 wrote to memory of 2532	2660	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	cmd.exe
PID 2660 wrote to memory of 2532	2660	5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe	cmd.exe
PID 2532 wrote to memory of 2928	2532	cmd.exe	PING.EXE
PID 2532 wrote to memory of 2928	2532	cmd.exe	PING.EXE
PID 2532 wrote to memory of 2928	2532	cmd.exe	PING.EXE
PID 2532 wrote to memory of 2928	2532	cmd.exe	PING.EXE
PID 2532 wrote to memory of 2760	2532	cmd.exe	cmd.exe
PID 2532 wrote to memory of 2760	2532	cmd.exe	cmd.exe
PID 2532 wrote to memory of 2760	2532	cmd.exe	cmd.exe
PID 2532 wrote to memory of 2760	2532	cmd.exe	cmd.exe
PID 2680 wrote to memory of 2352	2680	Microsoft Office Outlook MUI (English) 2010.exe	Microsoft Office Outlook MUI (English) 2010.exe
PID 2680 wrote to memory of 2352	2680	Microsoft Office Outlook MUI (English) 2010.exe	Microsoft Office Outlook MUI (English) 2010.exe
PID 2680 wrote to memory of 2352	2680	Microsoft Office Outlook MUI (English) 2010.exe	Microsoft Office Outlook MUI (English) 2010.exe
PID 2680 wrote to memory of 2352	2680	Microsoft Office Outlook MUI (English) 2010.exe	Microsoft Office Outlook MUI (English) 2010.exe
PID 2680 wrote to memory of 2352	2680	Microsoft Office Outlook MUI (English) 2010.exe	Microsoft Office Outlook MUI (English) 2010.exe
PID 2680 wrote to memory of 2352	2680	Microsoft Office Outlook MUI (English) 2010.exe	Microsoft Office Outlook MUI (English) 2010.exe
PID 2680 wrote to memory of 2352	2680	Microsoft Office Outlook MUI (English) 2010.exe	Microsoft Office Outlook MUI (English) 2010.exe
PID 2680 wrote to memory of 2352	2680	Microsoft Office Outlook MUI (English) 2010.exe	Microsoft Office Outlook MUI (English) 2010.exe
PID 2680 wrote to memory of 2352	2680	Microsoft Office Outlook MUI (English) 2010.exe	Microsoft Office Outlook MUI (English) 2010.exe
PID 2680 wrote to memory of 2352	2680	Microsoft Office Outlook MUI (English) 2010.exe	Microsoft Office Outlook MUI (English) 2010.exe
PID 2680 wrote to memory of 2352	2680	Microsoft Office Outlook MUI (English) 2010.exe	Microsoft Office Outlook MUI (English) 2010.exe
PID 2352 wrote to memory of 1960	2352	Microsoft Office Outlook MUI (English) 2010.exe	WerFault.exe
PID 2352 wrote to memory of 1960	2352	Microsoft Office Outlook MUI (English) 2010.exe	WerFault.exe
PID 2352 wrote to memory of 1960	2352	Microsoft Office Outlook MUI (English) 2010.exe	WerFault.exe
PID 2352 wrote to memory of 1960	2352	Microsoft Office Outlook MUI (English) 2010.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
"C:\Users\Admin\AppData\Local\Temp\5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13.exe
  "{path}"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Outlook MUI (English) 2010.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Outlook MUI (English) 2010.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Outlook MUI (English) 2010.exe
      "{path}"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 88
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Roaming\del.bat
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
      4⤵
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\del.bat

Filesize
170B

MD5
6628993c2dba6dd9ca73b7b74133932c

SHA1
a07fdeeab34d4d7cd9f4c090732c7379094c86a7

SHA256
d4aba441d68a6ee6a6def87ddfe87854b23979eae3bd45328fb920e3b75ec3ca

SHA512
eb5ef06dc5bf08befdcbbbf2034eaf41e02ba44f2ed692acec76b9e8caab7466c2438156846030c58bbbf0427bc052529fb2522fdd2e0a9e19f4e31503cc9d94

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Outlook MUI (English) 2010.exe

Filesize
501KB

MD5
a7913461e211158d5ac34ac3bd06bc7b

SHA1
71c3f7a9eac34b0b5ccd5ec2df01f9c95f14235b

SHA256
5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13

SHA512
8107feec4426f820d3910e35d6e3c1a1aa85a104231a0529f7fcd825f2dfec10fbf856bc2b37c585a34f5d03b514ece7f54b600add6fb668cda0c7d1a7374e04

Download Submit
memory/2112-6-0x0000000004CE0000-0x0000000004D48000-memory.dmp

Filesize
416KB

Download
memory/2112-1-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-0-0x0000000000DC0000-0x0000000000E44000-memory.dmp

Filesize
528KB

Download
memory/2112-5-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/2112-2-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/2112-3-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/2112-4-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-24-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2352-58-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2660-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2660-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-9-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2660-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2660-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2660-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2660-13-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2660-7-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2660-41-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2680-64-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2680-45-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2680-47-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2680-48-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2680-44-0x0000000000F20000-0x0000000000FA4000-memory.dmp

Filesize
528KB

Download
memory/2680-43-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads