saintbot | 7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4

General

Target

7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe
Size

242KB
MD5

67b8f4bb9c81aca61abf8d49640a85b9
SHA1

fbf00a827bf1a44340a1e4bb1698285b27dab56c
SHA256

7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4
SHA512

81cf99cc0561cff8efa04cb583e437d9c1d9d6f6ba50845fb404a6d120bb87302093a9b464662f1201341914421ea887f5d78d20a5c480491b82999d12608d98
SSDEEP

3072:YFwP8VUgQInIb1gL8ed0HbJoyZP0EUvKqdeJiIg5KMHDrDjQ0E2AjBwHX50CqEZk:YqPsQWIb+LLd0RD2KqUsPQ0EjV7lQbg

Score

10^/10

saintbot discovery dropper persistence

Malware Config

Signatures

SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
dropper saintbot

SaintBot payload 8 IoCs

resource	yara_rule
behavioral1/memory/2780-2-0x0000000000020000-0x0000000000029000-memory.dmp	family_saintbot
behavioral1/memory/2780-3-0x0000000000400000-0x000000000046A000-memory.dmp	family_saintbot
behavioral1/memory/2780-23-0x0000000000400000-0x000000000046A000-memory.dmp	family_saintbot
behavioral1/memory/1200-26-0x0000000000400000-0x000000000046A000-memory.dmp	family_saintbot
behavioral1/memory/1200-31-0x0000000000400000-0x000000000046A000-memory.dmp	family_saintbot
behavioral1/memory/2344-33-0x0000000000080000-0x000000000008B000-memory.dmp	family_saintbot
behavioral1/memory/2344-35-0x0000000000080000-0x000000000008B000-memory.dmp	family_saintbot
behavioral1/memory/2344-36-0x0000000000080000-0x000000000008B000-memory.dmp	family_saintbot

Deletes itself 1 IoCs

pid	Process
2536	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44615.exe	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44615.exe	44615.exe

Executes dropped EXE 1 IoCs

pid	Process
1200	44615.exe

Loads dropped DLL 4 IoCs

pid	Process
2780	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe
2780	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe
1200	44615.exe
2344	EhStorAuthn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\z_Admin\\Admin.vbs"	EhStorAuthn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	44615.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	EhStorAuthn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	44615.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe	EhStorAuthn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EhStorAuthn.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2748	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2604	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1200	44615.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 1200	2780	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe	28
PID 2780 wrote to memory of 1200	2780	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe	28
PID 2780 wrote to memory of 1200	2780	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe	28
PID 2780 wrote to memory of 1200	2780	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe	28
PID 2780 wrote to memory of 2536	2780	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe	29
PID 2780 wrote to memory of 2536	2780	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe	29
PID 2780 wrote to memory of 2536	2780	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe	29
PID 2780 wrote to memory of 2536	2780	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe	29
PID 2536 wrote to memory of 2604	2536	cmd.exe	31
PID 2536 wrote to memory of 2604	2536	cmd.exe	31
PID 2536 wrote to memory of 2604	2536	cmd.exe	31
PID 2536 wrote to memory of 2604	2536	cmd.exe	31
PID 2536 wrote to memory of 2600	2536	cmd.exe	32
PID 2536 wrote to memory of 2600	2536	cmd.exe	32
PID 2536 wrote to memory of 2600	2536	cmd.exe	32
PID 2536 wrote to memory of 2600	2536	cmd.exe	32
PID 1200 wrote to memory of 2344	1200	44615.exe	33
PID 1200 wrote to memory of 2344	1200	44615.exe	33
PID 1200 wrote to memory of 2344	1200	44615.exe	33
PID 1200 wrote to memory of 2344	1200	44615.exe	33
PID 1200 wrote to memory of 2344	1200	44615.exe	33
PID 2344 wrote to memory of 2748	2344	EhStorAuthn.exe	34
PID 2344 wrote to memory of 2748	2344	EhStorAuthn.exe	34
PID 2344 wrote to memory of 2748	2344	EhStorAuthn.exe	34
PID 2344 wrote to memory of 2748	2344	EhStorAuthn.exe	34

C:\Users\Admin\AppData\Local\Temp\7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe
"C:\Users\Admin\AppData\Local\Temp\7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44615.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44615.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\SysWOW64\EhStorAuthn.exe
    "C:\Windows\System32\EhStorAuthn.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Maintenance" /tr "C:\Users\%USERNAME%\AppData\Local\z_%USERNAME%\%USERNAME%.vbs" /F
      4⤵
      Creates scheduled task(s)
      PID:2748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\del.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
    3⤵
    PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44615.exe

Filesize
242KB

MD5
67b8f4bb9c81aca61abf8d49640a85b9

SHA1
fbf00a827bf1a44340a1e4bb1698285b27dab56c

SHA256
7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4

SHA512
81cf99cc0561cff8efa04cb583e437d9c1d9d6f6ba50845fb404a6d120bb87302093a9b464662f1201341914421ea887f5d78d20a5c480491b82999d12608d98

Download Submit
C:\Users\Admin\AppData\Roaming\del.bat

Filesize
170B

MD5
915a149f5827c50f1666efd45f5234b5

SHA1
3ed496d993a6c8afd9c7615217e12e273d8350b9

SHA256
9b2c620279eba7513185b7dd0c52b8ec5d95c082aff5e6654085b3474187ce9c

SHA512
863680a00cbafd831ca4c5509cb6ad54fd5156704b02d2319034b7ba74e974031a31b040a35a17cc156ec78ab21d0c2e62ec56b83de40ead0862054f074e79d0

Download Submit
memory/1200-31-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1200-25-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1200-26-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2344-33-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2344-35-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2344-36-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2780-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2780-23-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2780-2-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2780-1-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads